Exchange 2003 BackofficeStorage ACLs reset
Hello:
Have a customer running Exchange 2003 (Version 6.5.7638.1) on Windows 2003 SP2. During the reboot of their server, they got the error “Invalid Security Id” and it reset the security on the BackOfficeStorage.
Users can access Exchange via Outlook, but the web users (about 200+) can't access their mailbox via OWA. Microsoft remoted in when this happened last time and fixed the permissions on the \\.\BackOfficeStorage\MBX directories but didn't tell the customer what the ACLs should be. Domain Administrators can access the mailboxes via OWA and can list the directories via the command prompt.
I dumped the permissions using xcacls for a mailbox, but unfortunately, I don't have access to an E2K3 box to compare:
C:\Program Files\Support Tools>xcacls \\.\backofficestorage\someschool.k12.xx.us\mbx\testacc | more
\\.\backofficestorage\someschool.k12.xx.us\mbx\testacc someschool\testacc:(OI)(CI)F
someschool\Exchange Domain Servers:(OI)(CI)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
Someschool\TTCEMJ-84EF8E29A342:(OI)(CI)F
SOmeschool\TTCEMJ-84EF8E29A342:(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
SOmeschool\Domain Admins:(OI)(CI)F
SOmeschool\Enterprise Admins:(OI)(CI)N
SOmeschool\Exchange Services:(OI)(CI)F
SOmeschool\EXCHANGE$:(OI)(CI)F
SOmeschool\ExMerge:(OI)(CI)F
SOmeschool\BlackBerryServ:(OI)(CI)F
NT AUTHORITY\ANONYMOUS LOGON:(OI)(IO)(DENY)(special access:)
STANDARD_RIGHTS_ALL
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
NT AUTHORITY\ANONYMOUS LOGON:(CI)(DENY)(special access:)
STANDARD_RIGHTS_ALL
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
C:\Program Files\Support Tools>
November 30th, 2010 5:42pm
Spent about 80 minutes on the phone with a nice MS Engineer tonight. Thought I would update the posting in case anyone else runs into the problem.
The fix -- fix a permission on the \exchsrvr\bin\davex.dll file. The file security was only allowing Administrators and System. Added Authenticated Users with Read/Exec, Read and Write access and OWA started to work again.
Hope that might help someone!
Bill
November 30th, 2010 9:16pm
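A way to review dumps like the one in the first post and to check for the missing entry described in the second, as an added example that is not part of the original thread: a Python parser for xcacls-style text that counts entries whose SID no longer resolves, lists principals with a DENY entry, and tests whether a principal has an allow entry. The function names, the davex.dll sample and the principal names in it are constructed assumptions; N is treated as "no access", as in the cacls legend.

```python
import re
from collections import namedtuple
Ace = namedtuple("Ace", "principal flags access rights")
UNRESOLVED = "<Account domain not found>"
# "<unresolved SID>" or "DOMAIN\name:", then (FLAG) groups, then one access letter
ACE_RE = re.compile(r"^(<[^>]+>|[^:<]+:)((?:\([^)]*\))*)([A-Z]?)$")

def parse_xcacls(text, path):
    """Parse xcacls-style text for one object into a list of Ace tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):    # first ACE shares a line with the path
            line = line[len(path):].strip()
        if aces and re.fullmatch(r"[A-Z_]+", line):  # right name under "(special access:)"
            aces[-1].rights.append(line)
            continue
        m = ACE_RE.match(line)
        if m:
            flags = re.findall(r"\(([^)]*)\)", m.group(2))
            aces.append(Ace(m.group(1).rstrip(":"), flags, m.group(3), []))
    return aces

def summarize(aces):
    """Count entries with an unresolvable SID; list principals that have a DENY entry."""
    return {"unresolved": sum(a.principal == UNRESOLVED for a in aces),
            "deny": sorted({a.principal for a in aces if "DENY" in a.flags})}

def has_allow(aces, principal):
    """True if principal has a non-DENY entry other than N (assumed: no access)."""
    return any(a.principal.lower() == principal.lower()
               and "DENY" not in a.flags and a.access != "N" for a in aces)

# Abridged from the mailbox dump in the first post.
MAILBOX_PATH = r"\\.\backofficestorage\someschool.k12.xx.us\mbx\testacc"
MAILBOX = r"""\\.\backofficestorage\someschool.k12.xx.us\mbx\testacc someschool\testacc:(OI)(CI)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
SOmeschool\Enterprise Admins:(OI)(CI)N
NT AUTHORITY\ANONYMOUS LOGON:(CI)(DENY)(special access:)
STANDARD_RIGHTS_ALL
DELETE"""
# Constructed sample: davex.dll as the second post describes it before the fix.
DAVEX_PATH = r"\exchsrvr\bin\davex.dll"
DAVEX = r"""\exchsrvr\bin\davex.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F"""

if __name__ == "__main__":
    print(summarize(parse_xcacls(MAILBOX, MAILBOX_PATH)))
    print(has_allow(parse_xcacls(DAVEX, DAVEX_PATH), r"NT AUTHORITY\Authenticated Users"))
```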
Hi,
Thanks for sharing.
Best regards,
Serena
December 2nd, 2010 4:11am