Exchange 2003 Full Admin Problems after 2010 Install
I have just installed the first server in the beginning of my 2010 deployment within my 2003 organization. So far most things seem to be fine, but my other Exchange administrator all of a sudden cannot access other users' mailboxes. Among other accounts delegated control on the organization, we have an Exchange Admins group that has the Full Administrator role assigned to it, and that's how we've been using it for years with no issue. Now, it seems that no matter what permissions I delegate, nothing fixes his issue. My account, however, still has access, which I don't understand.
To troubleshoot this, I created a new user account, first adding it to the Domain Admins group and the Exchange Admins group that was already delegated. That cannot access other mailboxes. I then added the explicit user in the delegation wizard to give it full Exchange admin rights, but had to do it at the Administrative Group level because now that the schema has been updated for 2010 I cannot add it at the organization level. But it added, shows the account in there, and looks fine. However, that is not working either.
So, no matter what I do, this other admin and any new user I create seem to be unable to access other user mailboxes. Does anyone have any ideas?
Thanks!
August 30th, 2011 8:28pm
Do all these admins in question have their mailboxes on 2010? Also, have you migrated domain user mailboxes to Exchange 2010?
Permissions models used by Exchange 2010 and Exchange 2003 are different; additionally, server management is also performed separately using the tools provided by each version.
Try adding those administrators to the "Exchange Organization Administrators" group and see if that helps.
For more information please go through the article below:
http://technet.microsoft.com/en-us/library/dd638173.aspx
Also, for any user to have Full Access on another user's mailbox in Exchange 2010 requires following the steps detailed in the link below:
http://technet.microsoft.com/en-us/library/bb676551.aspx
August 31st, 2011 2:42am
If you want to access another user's mailbox then you need full mailbox access; do this via the EMC:
http://technet.microsoft.com/en-us/library/aa996343.aspx I assume that in Exchange 2003 you had set permissions so that admins could access other users' mailboxes. This isn't the default behaviour.
This has most probably been removed. Unless you have got a reason to do this, I personally wouldn't.
Sukh
August 31st, 2011 10:22am
Agree with both posters below when it comes to admin permissions and reasoning. However, to answer your question - keep in mind that an Exchange 2010 install can do some serious damage to legacy Exchange permission models unless additional steps are taken
during the domainprep and schema update steps. If you still have Exchange 2003 in your environment, make sure you run the "setup /PrepareLegacyExchangePermissions" immediately after the "setup /prepareAD" command for Exchange 2010. For more info on this see
the article here:
http://technet.microsoft.com/en-us/library/aa997914.aspx
August 31st, 2011 11:21am
Thanks for all your posts. The permissions were set up from my predecessor for mailbox access for admins, so I guess I'm not sure on what exactly he did. We are at a law firm and there are lots of times that lawyers want us to go in to their
mailboxes and do things for them, among other requirements, so we do have that need.
I have not moved any mailboxes to the new 2010 environment, so my feeling is that the /prepareAD is what changed this because it seemed to happen right after I installed the first server. At this point I haven't done anything more than just install
the HT, CA and MB servers (two of them), you think it's too late to run this /PrepareLegacyExchangePermissions switch? I haven't read your link yet but I intend to right now. I didn't realize I had to do that when I was going through all the reading
before I started.
Thanks for the info, though
August 31st, 2011 12:09pm
So, this technet article says that you have to run it before you run the /prepareschema which I didn't do. You think it would still work to run it afterwards at the point I'm at now? If not, where would I go from here? This looks like it
mostly affects recipient update services, so it doesn't seem to be a deal breaker, just a PITA for creating new accounts. But I hope that I can run it afterwards without issue.
I have installed this in my lab already, so I can try this out in there first too.
Thanks
August 31st, 2011 12:24pm
Thanks for the reply, but to clarify, I am talking about Exchange 2003 mailboxes. All I have done so far is stand up a 2010 HT, CA server and a MB server in my 2003 organization, and now my admin and the new accounts I'm trying to create to do this can no longer access other 2003 mailboxes.
Thanks
August 31st, 2011 12:28pm
Actually, if you forget to run the PrepareLegacyExchangePermissions cmdlet, then while running either PrepareAD or PrepareSchema, setup would run that anyway. Read the link below:
http://technet.microsoft.com/en-us/library/bb125224.aspx
Do you have multiple AD domains? If yes, then make sure you've run
setup /PrepareAllDomains
Just for sanity's sake, please verify that the USGs are there in an OU called Microsoft Exchange Security OU:
- Exchange Organization Management
- Exchange Recipient Management
- Exchange Server Management
- Exchange View-Only Organization Management
- Exchange Public Folder Management
- Exchange UM Management
- Exchange Hygiene Management
- Exchange Records Management
- Exchange Discovery Management
- Exchange Delegated Setup
- ExchangeLegacyInterop
Could you try moving (if possible) one mailbox to Exchange 2010 and try accessing that one from one of the problem admin accounts, please?
Regards, Pushkal MishrA
September 2nd, 2011 1:03am
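One way to do the group check suggested above from a domain-joined box, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory module is available, that setup created the OU "Microsoft Exchange Security Groups" at the domain root, and it uses the group names as Exchange 2010 setup creates them; the `$expected` list can be edited to match whatever the environment should contain.

```powershell
# Added example (not from the thread): report which Exchange 2010 role-group USGs
# are missing from the OU that setup /PrepareAD creates.
# Assumptions: ActiveDirectory module installed; OU name and location as below.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Microsoft Exchange Security Groups,$domainDN"

# Group names as Exchange 2010 setup creates them (edit to suit your environment).
$expected = @(
    'Organization Management', 'Recipient Management', 'Server Management',
    'View-Only Organization Management', 'Public Folder Management',
    'UM Management', 'Hygiene Management', 'Records Management',
    'Discovery Management', 'Delegated Setup', 'Help Desk', 'ExchangeLegacyInterop'
)

# Pull every group actually present in the OU (not just the expected ones),
# so stray or renamed groups show up too.
$present = Get-ADGroup -SearchBase $ouDN -SearchScope OneLevel -Filter * |
    Select-Object -ExpandProperty Name

$missing = $expected | Where-Object { $present -notcontains $_ }
$extra   = $present  | Where-Object { $expected -notcontains $_ }

if ($missing) { "MISSING: " + ($missing -join ', ') } else { 'All expected groups present.' }
if ($extra)   { "UNEXPECTED: " + ($extra -join ', ') }

# Scope check: role groups must be universal security groups to work across domains.
Get-ADGroup -SearchBase $ouDN -SearchScope OneLevel -Filter * |
    Where-Object { $_.GroupScope -ne 'Universal' -or $_.GroupCategory -ne 'Security' } |
    ForEach-Object { "WRONG SCOPE/TYPE: $($_.Name) ($($_.GroupScope)/$($_.GroupCategory))" }
```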
So, I think what happened is that when I ran the schema prep for the 2010 install, it must have reset the existing admin permissions that were set to allow mailbox access. These were set by my predecessor, so I was a little unclear on what he did. In looking back, it would appear that he had changed the Domain Admins group permissions and removed the explicit deny that it has in order for the admin group he created to work. We use our separate admin accounts to do the mailbox access, which are also domain admins, and with that explicit deny that wouldn't work. I think running schema prep for 2010 reset those denies back on Domain Admins, which is why it quit working.
So, what I did was create a separate admin account for mailbox access that only has the mailbox admin group I created to have access, and we'll use that going forward. I think that's the best practice to use anyway.
Thanks for the help, though.
September 6th, 2011 12:09pm
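The approach the thread settles on, a dedicated group for mailbox access instead of Domain Admins, looks like this in the Exchange 2010 Management Shell for a mailbox hosted on Exchange 2010; this is an added example, not from the thread, and the group name `CONTOSO\Mailbox Admins` and mailbox alias `jsmith` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell.
# Assumptions: 'CONTOSO\Mailbox Admins' is an existing security group with no
# Domain Admins membership; 'jsmith' is a mailbox on an Exchange 2010 server.
$group   = 'CONTOSO\Mailbox Admins'
$mailbox = 'jsmith'

# Grant Full Access to the dedicated group only. Keeping this off Domain Admins
# means the built-in explicit deny on that group never gets in the way, and the
# entitlement can be reviewed and revoked in one place.
Add-MailboxPermission -Identity $mailbox -User $group `
    -AccessRights FullAccess -InheritanceType All

# Read back every explicit (non-inherited) entry, including Deny ACEs, so an
# unexpected deny on a group the admin belongs to is visible immediately.
Get-MailboxPermission -Identity $mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights, Deny |
    Format-Table -AutoSize

# Separate list of Deny entries: a Deny always wins over an Allow granted via
# another group, which is the symptom described in the thread.
Get-MailboxPermission -Identity $mailbox |
    Where-Object { $_.Deny } |
    ForEach-Object { "DENY on $mailbox for $($_.User): $($_.AccessRights -join ',')" }
```

To remove the grant later, use `Remove-MailboxPermission` with the same `-Identity`, `-User` and `-AccessRights` values.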