Mailbox Permission Inheritance Exchange 2007
We recently added more Storage Groups and Databases to our Exchange 2007 environment. Since doing so, when creating a new mailbox the only default permission in the "Full Access Permission" is Self. (This applies to ALL databases, not just the newly created databases.) Before we added new Storage Groups and Databases, when a new mailbox was created it automatically inherited Self, Exchange Organizational Admin, and BES Admin in the "Full Access Permission". How can I fix it so when a new mailbox is created it automatically inherits the permissions as it did before we added the new Storage Groups and Databases? Thanks...
March 19th, 2009 5:57pm
Hi,
Firstly, please let me know whether you have attempted to log on to the new mailbox after creating it. I would like to explain that the inherited permission is applied to the new mailbox after it is created. When you log on to the mailbox or send the first message to the mailbox, the mailbox is actually created.
If the issue still persists, would you please run the following command on the database and post the result here:
Get-ADPermission -Identity "<Mailbox Server>\<Storage Group>\<Mailbox Database>" -User "BES Admin" | fl
Mike
March 23rd, 2009 11:14am
Hello Mike, Usually we (as admins) never log into the mailbox after creating it. The mailbox is created and instructions are sent to the supervisor of that employee on how to set up Outlook. Also I have noticed no change to the mailbox permissions after it has been logged into. Before, when creating a new mailbox you could check the "Full Access Permission" right after creating it and Self, Exchange Organizational Admin, and BESAdmin were listed. I am working on the command you asked us to run and will share the results with you shortly... Eric
March 25th, 2009 6:03pm
Mike, below are the results of the command you asked us to run:
User : DOMAIN\BESAdmin
Identity : CLUSTERSERVER\SG1\DB1
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Send-As}
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All

User : DOMAIN\BESAdmin
Identity : CLUSTERSERVER\SG1\DB1
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Receive-As}
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All

User : DOMAIN\BESAdmin
Identity : CLUSTERSERVER\SG1\DB1
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-Store-Admin}
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
Thanks, Eric
March 25th, 2009 6:26pm
Hi Eric,
Thanks for your response.
I have tested the issue locally in my lab. Nevertheless, I am not able to reproduce your issue:
1. Use Add-ADPermission on my mailbox database to grant the Receive-As permission
User : LAB\xiu
Identity : MB\First Storage Group\Mailbox Database
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Receive-As}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
2. Create a new mailbox on the Mailbox Database. Then, run Get-MailboxPermission to check the permission of the mailbox (no user has logged on to the mailbox or sent email to the mailbox)
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
lab.com/Users/jeff NT AUTHORITY\SELF {FullAccess, Rea... False False
3. Log on to the mailbox or send a message to the mailbox, then run Get-MailboxPermission to check the permission of the mailbox again
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
lab.com/Users/jeff NT AUTHORITY\SELF {FullAccess, Rea... False False
lab.com/Users/jeff LAB\xiu {FullAccess} True False
lab.com/Users/jeff LAB\MB$ {ReadPermission} True False
lab.com/Users/jeff LAB\Exchange Servers {FullAccess} True True
lab.com/Users/jeff LAB\Administrator {FullAccess} True True
lab.com/Users/jeff LAB\Domain Admins {FullAccess} True True
lab.com/Users/jeff LAB\Enterprise Ad... {FullAccess} True True
lab.com/Users/jeff LAB\Exchange Orga... {FullAccess} True True
lab.com/Users/jeff NT AUTHORITY\NETW... {ReadPermission} True False
lab.com/Users/jeff LAB\Exchange Servers {FullAccess} True False
lab.com/Users/jeff LAB\Exchange Publ... {ReadPermission} True False
lab.com/Users/jeff LAB\Administrator {FullAccess, Del... True False
lab.com/Users/jeff LAB\Exchange Servers {ReadPermission} True False
lab.com/Users/jeff LAB\Exchange Orga... {FullAccess, Del... True False
lab.com/Users/jeff LAB\Exchange View... {ReadPermission} True False
lab.com/Users/jeff LAB\Enterprise Ad... {FullAccess, Del... True False
lab.com/Users/jeff LAB\Domain Admins {FullAccess, Del... True False
Therefore, would you please let me know whether you created the new mailbox in the CLUSTERSERVER\SG1\DB1 database? In addition, whether you have attempted to send a message to the new mailbox or log on to the new mailbox. If the issue persists, I suggest you restart the Information Store service and check the result again.
Mike
March 27th, 2009 6:29am
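The three-step check Mike describes above (database-level rights, mailbox permissions before first use, mailbox permissions after first use) can be scripted so that a provisioning admin sees immediately whether the store has calculated the inherited rights yet. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the Exchange 2007 Management Shell, a hypothetical service account DOMAIN\BESAdmin, a hypothetical Hub Transport host hub01.example.local, and a hypothetical sender address admin@example.local. It first audits every mailbox database for the extended rights the account should hold, then, for a given new mailbox, checks for inherited entries and, if there are none, sends one message to the mailbox (the trigger the thread identifies) and re-checks.

```powershell
# Added example, not from the original thread. Assumptions (hypothetical values):
#   $ServiceAccount : the account that should inherit rights on new mailboxes
#   $SmtpHost       : a Hub Transport server that accepts the provisioning message
#   $SenderAddress  : an address allowed to submit through that server
$ServiceAccount = "DOMAIN\BESAdmin"
$SmtpHost       = "hub01.example.local"
$SenderAddress  = "admin@example.local"

# Step 1: audit the store-level extended rights on every mailbox database.
# Inheritance can only deliver rights that exist here, so a database missing
# Receive-As / Send-As / ms-Exch-Store-Admin is the first thing to rule out.
function Get-DatabaseRightsForAccount {
    param([string]$Account)
    Get-MailboxDatabase | ForEach-Object {
        $db = $_
        $granted = Get-ADPermission -Identity $db.Identity -User $Account |
            Where-Object { -not $_.Deny -and $_.AccessRights -contains "ExtendedRight" } |
            ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } }
        New-Object PSObject -Property @{
            Database = $db.Identity.ToString()
            Rights   = ($granted | Sort-Object -Unique)
            HasReceiveAs = ($granted -contains "Receive-As")
        }
    }
}

# Step 2/3: does the mailbox already carry store-calculated (inherited) entries?
# Before first logon or first delivery only NT AUTHORITY\SELF is present, so
# an empty inherited set means the store object has not been created yet.
function Test-InheritedMailboxRights {
    param([string]$Mailbox)
    $inherited = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.IsInherited -and -not $_.Deny }
    return (($inherited | Measure-Object).Count -gt 0)
}

# Send a single message to the mailbox so the store creates it and calculates
# inherited rights, then poll until the inherited entries appear or we give up.
function Initialize-MailboxRights {
    param([string]$Mailbox, [int]$TimeoutSeconds = 120)
    if (Test-InheritedMailboxRights $Mailbox) { return $true }

    $to   = (Get-Mailbox -Identity $Mailbox).PrimarySmtpAddress.ToString()
    $smtp = New-Object System.Net.Mail.SmtpClient $SmtpHost
    $smtp.Send($SenderAddress, $to, "Mailbox initialization", "Provisioning message; safe to delete.")

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 10
        if (Test-InheritedMailboxRights $Mailbox) { return $true }
    }
    return $false
}

# Usage: audit all databases, then initialize one newly created mailbox.
Get-DatabaseRightsForAccount $ServiceAccount | Format-Table Database, HasReceiveAs, Rights -AutoSize

$newMailbox = "jeff"   # hypothetical alias of the mailbox just created
if (Initialize-MailboxRights $newMailbox) {
    Get-MailboxPermission -Identity $newMailbox |
        Where-Object { $_.IsInherited -and $_.User -like "*BESAdmin*" } |
        Format-Table User, AccessRights, IsInherited, Deny -AutoSize
} else {
    Write-Warning "No inherited rights on $newMailbox after the wait; check the Information Store service."
}
```

The audit in step 1 is the part worth keeping in a provisioning checklist: the thread's symptom looks like a permission loss, but the inherited entries only ever materialize once the store has created the mailbox, so an empty Full Access list right after New-Mailbox is expected and the database-level ACL is what actually decides what will appear.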
What is the time period in which it propagates? The issue I have is I need to create the mailbox then immediately start migrating, but the migrator account needs rights. I have set the permission at the mailbox database level. 2007 SP1
March 27th, 2009 1:25pm
Mike - You are correct, after sending a message the permissions did propagate. But this is a change from the way it was working. This will make it more difficult to set up a BlackBerry if the permissions are not inherited until the mailbox is in use. Do you have any idea how to get the permissions to propagate immediately? Eric
March 27th, 2009 3:41pm
Hi Eric,
I suggest you refer to following article:
Mailbox Rights for New Users Shows Only Self
http://support.microsoft.com/kb/272153/en-us
The permission inheritance and the permissions will appear only after the creation of the mailbox. The mailbox will be created only after we send an email to the mailbox or try to access the mailbox. This behavior occurs because the mailbox security descriptor is not read from the Active Directory account object until the user logs on or gets mail. The Recipient Update Service does not stamp the inherited permissions when the mailbox is created. After the mailbox is created in the store, the store calculates inherited mailbox rights.
Mike
March 30th, 2009 12:40pm
Mike, Thank you very much... Your help was greatly appreciated. Eric
March 30th, 2009 5:58pm