Mailbox permissions. Cannot delete old user SIDs.
I am using Active Directory Users and Computers version 2003. I created a mailbox from a disabled user account. When I go to the Exchange Advanced tab and click Mailbox Rights, there are user SIDs with permissions to the box. They look like a bunch of letters and numbers. I have done everything I can think of to remove these with no success. I have tried taking ownership of the box and this does not work. I click Advanced and the option to remove them is grayed out, so I can't delete it. Back in the Mailbox Rights tab I get this error message when I try to delete the SIDs: "You can't remove "user SID here" because this object is inheriting permissions from its parent. To remove this object from inheriting permissions, turn off the option for inheriting permissions, and then try removing "user SID here" again." The problem with this is there is no option to do this. Also I cannot find where it is inheriting the permissions from anyway. Also, when I make a new mailbox it too receives a bunch of user SIDs "inherited from somewhere". Anyone know what I'm talking about? Thanks for reading this.
May 14th, 2009 3:39pm
Hello,

When we talk about inheritance... yes, the child object in AD inherits the permission from the parent object. So, permission at the parent level and up and up and up... until the domain level. Like: Domain -> Server -> DC -> OU -> User. Now here, User inherits permission from OU, and OU inherits permission from DC, and so on and so forth till the Domain level. So I have to check at which level I do have that GUID mentioned in the permission. Basically that ain't a GUID; there was some user in your organization which had permission, however that user no longer exists and somehow the GUID is still listed there. So now you have to check all the levels till you reach the parent and remove that GUID. Use the below information to convert that SID and find out which user that was ;)

Convert SID to Username
http://www.thescriptlibrary.com/default.asp?Action=Display&Level=Category3&ScriptLanguage=VBScript&Category1=Security&Category2=Other&Title=Convert%20SID%20to%20Username

How to convert the SDDL form of an SID to a SAM account name
http://support.microsoft.com/kb/276208

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 15th, 2009 2:06am
Any update on this yet?

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 18th, 2009 12:13pm
I was talking with a co-worker and he believes it won't work. The SIDs that I'm talking about come from Active Directory, and because of that he believes the script will not be able to pull a name for the SIDs. He says that the reason they appear that way is because there is nothing for Active Directory to pull the names from.
May 18th, 2009 3:48pm
Arun's reply is the solution! The inherited permission is applied somewhere in the configuration container under the Exchange Service branch; you need to drop through the containers until you find the one where the ACE is applied and remove it. You can do that with adsiedit.

You can use this tool to find the user name from the SID:
http://www.joeware.net/freetools/tools/sidtoname/index.htm

Find the user name from the SID, then delete it from AD with adsiedit.

MCSE,CCNA,VCP,APP
May 18th, 2009 4:24pm
Hello,

You need to drill down from bottom to top until you find the permission!

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 18th, 2009 7:07pm
Any update?

MCSE,CCNA,VCP,APP
May 20th, 2009 12:00pm
I have looked and went through the permissions, and it says it's inheriting from the parent object. I cannot delete them even if I become the owner of the account.
May 27th, 2009 9:03pm
Hello,
This inherited permission is coming from the Exchange 2003 organization.
You should go to your Exchange org, right-click and check the delegation permissions, and find this SID, as it may be a user who was deleted from AD while he still has his data on the Exchange org.
If you still can't find this user, you should open adsiedit.msc and open the configuration of your forest.
Browse till you reach your organization and start checking the security on each tab. Surely you will find the origin of this user :)
Ahmed Badawy
Orange Business Services.
Messaging Specialist Engineer
July 8th, 2009 8:02pm
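The manual search Arun and Ahmed describe (walk the Exchange configuration containers, resolve each SID, find the object where the orphaned ACE is set explicitly rather than inherited) can be scripted. The following is an added example, not code from any poster in this thread; it assumes the RSAT ActiveDirectory PowerShell module and its `AD:` drive, and `$SearchBase` is a placeholder for your own Exchange organization container DN.

```powershell
# Added example: report ACEs in an AD configuration subtree whose trustee SID
# no longer resolves to an account. Entries with IsInherited = False are the
# objects where the orphaned ACE is actually set and should be removed.
# Assumptions: RSAT ActiveDirectory module present; $SearchBase is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'  # placeholder DN

function Resolve-SidToName {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null   # IdentityNotMappedException: no account behind this SID
    }
}

function Find-OrphanedAces {
    param([string]$Base)
    $results = @()
    # Subtree search covers org -> administrative groups -> servers -> stores.
    $objects = Get-ADObject -SearchBase $Base -SearchScope Subtree -Filter * -Properties DistinguishedName
    foreach ($obj in $objects) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Resolvable trustees display as DOMAIN\name; unresolved ones stay as raw S-1-... SIDs.
            if ($id -match '^S-1-' -and -not (Resolve-SidToName $id)) {
                $results += [pscustomobject]@{
                    Object      = $obj.DistinguishedName
                    Sid         = $id
                    Rights      = $ace.ActiveDirectoryRights
                    IsInherited = $ace.IsInherited
                }
            }
        }
    }
    return $results
}

Find-OrphanedAces -Base $SearchBase | Sort-Object IsInherited, Object | Format-Table -AutoSize
```

Once the explicit (non-inherited) entry is located, remove it on that object with adsiedit.msc, as the thread suggests, and the inherited copies on the mailboxes disappear with it.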