Mailbox Access Rights - inheritance issues
We have a program which installs a user account (No. 1) and another account (No. 2) has full security control over No. 1 and is also an Administrator on Server 1 - while the permissions are fine on the security tab there is a DENY mailbox rights for all Administrators on Server 1 under the Exchange Advanced / Mailbox Rights tab in the AD settings for user No. 1. It is inherited. Have searched all over for where that account is getting inheritance from since there is no ability in the Mailbox Rights tab to modify it. It was suggested to cross post this question in the Exchange Server group - again this is NOT under the security tab in ADUC. This is under the MAILBOX ACCESS under the EXCHANGE ADVANCED tab in ADUC.
So: How do I determine where the inheritance is coming from on the mailbox rights tab
OR
How do I use ADSIEdit or another program to remove the deny setting for user No. 1 for administrators of Server 1?
Thanks in advance.
May 4th, 2009 10:55pm
By default Administrators have send-as and receive-as permission denied on the server level.
Look into the below mentioned info.
Minimum permissions necessary to access mailbox data
to get service account access to all mailboxes in Exchange 2000
Does Not Work Unless You Have Receive As and Send As Permissions on the Store
Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 5th, 2009 12:38am
This user account is a local administrator and the account is listed as an administrators/j-f-mmas1 rather than administrators on the domain level. I added another user to the container and checked it after a full day - the inheritance right imposed on the other user account was not listed on the new user account. It appears to be inserted when the particular program is being run. We have checked the upper tree rights in both the ESM and AD and nothing for that group for the j-f-mmas1 is listed. Thank you for your suggestion.
May 7th, 2009 7:49am
As Arun explained, the Administrators, Domain Admins and Enterprise Admins groups have send-as and receive-as permission denied by default. The permission is inherited from the Organization object.
You can check and modify the permissions by using Adsiedit.msc:
CN=Configuration,DC=domain,DC=com -> Cn=Services -> CN=Microsoft Exchange -> CN=orgname
Under the Security tab of the org object, you are able to modify the receive-as and send-as permissions.
May 11th, 2009 9:25am
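A scripted form of the ADSIEdit check described in the reply above, as an added example that is not part of the original thread: it follows the user's homeMDB attribute to the mailbox store and walks up to CN=Microsoft Exchange, listing each object on which a Deny for Send As or Receive As is set explicitly rather than inherited. It assumes the deny reaches the mailbox along that path; `$userDn` is a placeholder value.

```powershell
# Added example. $userDn is a placeholder; replace it with the affected account's DN.
$userDn = 'CN=User1,CN=Users,DC=domain,DC=com'

# rightsGuid values of the AD control access rights; the empty GUID means
# the ACE covers every extended right.
$rights = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$sidType  = [System.Security.Principal.SecurityIdentifier]
$ntType   = [System.Security.Principal.NTAccount]

# homeMDB holds the DN of the mailbox store that hosts the user's mailbox
$user    = [ADSI]"LDAP://$userDn"
$storeDn = [string]$user.psbase.Properties['homeMDB'].Value
if (-not $storeDn) { throw "No homeMDB attribute on $userDn" }
$entry = [ADSI]"LDAP://$storeDn"

# Walk store -> storage group -> server -> admin group -> org -> CN=Microsoft Exchange
while ($entry -and $entry.psbase.Name -ne 'CN=Services') {
    # $true, $false = explicit ACEs only, so each hit is where the deny is defined
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
        $right = $rights[$ace.ObjectType.ToString()]
        if (-not $right) { continue }
        try   { $who = $ace.IdentityReference.Translate($ntType).Value }
        catch { $who = $ace.IdentityReference.Value }   # unresolvable SID: show it raw
        New-Object PSObject -Property @{
            DefinedOn = [string]$entry.psbase.Properties['distinguishedName'].Value
            Trustee   = $who
            Right     = $right
            AppliesTo = $ace.InheritanceType
        } | Select-Object DefinedOn, Trustee, Right, AppliesTo
    }
    $entry = $entry.psbase.Parent
}
```

The account running it needs read access to the security descriptors in the Configuration partition.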
Hello,
Any update on this yet?
Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 12th, 2009 11:00pm