Exchange 2010 BPA complains about missing rights on OAB directory
Hello,
I've installed Exchange 2010 SP1 on a Windows 2008 R2 server, along with the AD DS role (I know, not advised but supported).
When running an up-to-date version of ExBPA, it complains about missing access rights on the 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\10ce4957-0422-459b-9f68-c6c9a150fdd5' directory for several groups: 'Enterprise Admins', 'Domain Admins', 'Admins' and 'Authenticated Users'.
Though, they are correctly set :
PS C:\Users\Administrateur> Get-Acl 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\10ce4957-0422-459b-9f68-c6c9a150fdd5' | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\10ce4957-0422-459b-9f68-c6c9a150fdd5
Owner : BUILTIN\Administrateurs
Group : AUTORITE NT\Système
Access : AUTORITE NT\IUSR Deny Read
AUTORITE NT\Utilisateurs authentifiés Allow Read, Synchronize
AUTORITE NT\Système Allow Read, Synchronize
BUILTIN\Administrateurs Allow FullControl
BUILTIN\IIS_IUSRS Allow ReadAndExecute, Synchronize
LPA\Administrateur Allow Read, Synchronize
LPA\Admins du domaine Allow Read, Synchronize
LPA\Administrateurs de l'entreprise Allow Read, Synchronize
LPA\Organization Management Allow Read, Synchronize
LPA\Organization Management Allow ReadAndExecute, Synchronize
LPA\View-Only Organization Management Allow ReadAndExecute, Synchronize
LPA\View-Only Organization Management Allow Read, Synchronize
LPA\Exchange Servers Allow FullControl
LPA\Exchange Trusted Subsystem Allow Read, Synchronize
Any idea ?
Thanks in advance
Christian
Christian G.
September 27th, 2011 8:54am
FYI, I've added FullControl access to All, and the same errors pop out.
Christian G.
September 27th, 2011 9:44am
From the Get-ACL command result, I cannot find the 'Enterprise Admins', 'Domain Admins', 'Admins' and 'Authenticated Users' groups. Please manually add them and assign full access permission for them.
Restart the System Attendant service and see if the issue persists.
Thanks,
Simon
September 28th, 2011 11:12pm
Actually those are set, but the output being in French that might not be so easy to read :
Enterprise Admins = LPA\Administrateurs de l'entreprise
Domain Admins = LPA\Admins du domaine
Authenticated Users = AUTORITE NT\Utilisateurs authentifiés
ExBPA says that it might prevent users from downloading the OAB via HTTP. But I configured an Outlook profile with Outlook Anywhere and I got it fine. Maybe another of the numerous false alarms triggered by BPA ?
Christian
Christian G.
September 29th, 2011 2:04am
Hello,
As far as I know, this is a known issue because BPA searches for the English group names and can't find them, so this error is generated.
If you have ensured that the rights are correct and the OAB is downloadable you can safely ignore the error.
Greetings,
Toni
September 29th, 2011 5:31am
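One way to "ensure that the rights are correct" without depending on the display language is to compare the ACL entries by SID instead of by name. The script below is an added example, not part of the original thread; it assumes a single-domain forest (so the Enterprise Admins group sits in the caller's domain), that it is run as a domain account, and that ExBPA's 'Admins' means BUILTIN\Administrators.

```powershell
# Added example (not from the thread): check the OAB folder ACL by SID, so the
# result is the same whatever the Windows display language is.
$path = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\10ce4957-0422-459b-9f68-c6c9a150fdd5'

function New-WellKnownSid {
    param([System.Security.Principal.WellKnownSidType]$Type,
          [System.Security.Principal.SecurityIdentifier]$DomainSid)
    New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Type, $DomainSid
}

# Assumption: single-domain forest, so the caller's domain SID is also the
# forest root SID under which Enterprise Admins (RID 519) is defined.
$domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
if ($domainSid -eq $null) { throw 'Run this as a domain account.' }

# English names as reported by ExBPA, mapped to language-neutral SIDs.
# Assumption: 'Admins' is taken to mean BUILTIN\Administrators.
$expected = @(
    @{ Name = 'Enterprise Admins';   Sid = New-WellKnownSid AccountEnterpriseAdminsSid $domainSid },
    @{ Name = 'Domain Admins';       Sid = New-WellKnownSid AccountDomainAdminsSid $domainSid },
    @{ Name = 'Admins';              Sid = New-WellKnownSid BuiltinAdministratorsSid $null },
    @{ Name = 'Authenticated Users'; Sid = New-WellKnownSid AuthenticatedUserSid $null }
)

# Ask for the rules with SIDs as identities instead of translated account names.
$rules = (Get-Acl -Path $path).GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])
$read  = [int][System.Security.AccessControl.FileSystemRights]::Read

foreach ($e in $expected) {
    # Combine every Allow entry (explicit or inherited) held by this SID.
    $mask = 0
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $e.Sid.Value -and
            $r.AccessControlType -eq 'Allow') {
            $mask = $mask -bor [int]$r.FileSystemRights
        }
    }
    # Show the name this server uses for the SID (French in the thread's case).
    try   { $local = $e.Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $local = '(unresolved)' }

    New-Object PSObject -Property @{
        EnglishName = $e.Name
        LocalName   = $local
        Sid         = $e.Sid.Value
        AllowRights = [System.Security.AccessControl.FileSystemRights]$mask
        HasRead     = (($mask -band $read) -eq $read)
    } | Select-Object EnglishName, LocalName, Sid, AllowRights, HasRead
}
```

A row with HasRead = False means that group has no Allow entry granting Read on the folder; Deny entries and group nesting are not evaluated here.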
Ok, thanks for the answer Toni.
Christian
Christian G.
September 29th, 2011 6:17am