Mailbox Rights Issue
First let me begin by explaining the setup. I have 2 Windows 2003 R2 Enterprise Edition SP2 servers running Exchange 2003 Enterprise Edition SP2 in a cluster with attached SAN. This is the new organization from 4 standalone Exchange servers. All mailboxes have been moved, and all the older Exchange servers have been removed from the organization. We have no problems with any of our mail flow. The problem lies with mailbox rights. I will try to explain this as best I can. We have 2 administrators (one of which is myself) who can access any mailbox with no problems. 2 other administrators can add mailboxes to their Outlook profile but are unable to open them. In investigating, I found that they are listed in the user's mailbox rights under the "Exchange Advanced" tab in ADUnC, with an explicit DENY for Full Mailbox Access. I am unable to remove these administrators, even under Advanced, because the rights are being inherited from the parent. I checked the security permissions at the Exchange Organization level and Delegate Control at the Exchange Organization level and these 2 administrators are not listed here. Just to make sure, in ADUnC, I checked the entire structure back to the domain level and they are not listed in any of the Security permissions. How can I remove these 2 administrators from all of the users' mailbox rights? Is there another place that permissions to the mailbox are assigned? Any help would be greatly appreciated.
November 1st, 2007 8:10pm

You'll have to use ADSI Edit to remove the permission at the SG or DB level. You'll see that listed under the Configuration container, then Services, then Microsoft Exchange...keep drilling down like in regedit.
November 1st, 2007 8:30pm

Okay.....Although I hate messing with ADSIEdit, I drilled down through Configuration - Services - Microsoft Exchange - Organization - Administrative Groups - First Administrative Group - Servers - Servername - Information Store - Storage Group - to the CN object (DB). Under the Security tab I did find the 2 administrators and was able to delete them. I checked the Security tab all the way back to the top and did not see the administrators anywhere else. When I recheck ADUnC, both on a DC and the Exchange server, I still see the 2 administrators listed. Is it going to take time for the permissions and changes made to replicate? And if so, any idea how long? This is not a must-be-done-right-now issue, so I can wait a day for replication to complete.
November 1st, 2007 9:09pm

You may have to restart the info store service, sorry I can't recall exactly.
November 1st, 2007 9:11pm

Don't worry about it.....I don't remember a lot myself, but now that you mention it, that sounds like a reasonable step to take.....Don't want to take the IS's offline in the middle of the day, so I might have to get back with you tomorrow about this when I restart the information stores.
November 1st, 2007 9:19pm

Knightly, that worked and everything is fine.....I was just braindead there for a moment. I have 4 information stores in each of the 4 storage groups. Thus, I have to delete the administrators' entries 16 times, and I had only gone through 1 storage group when I wrote back. Everything looks good and the other administrators can access other users' mailboxes. I am still going to cycle the information store services and MTA just to be on the safe side. Thanks for all of your help.
November 1st, 2007 9:46pm
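
The check done by hand in this thread, as an added example that is not part of the original posts: a read-only PowerShell script that lists Deny entries for named accounts on every mailbox store object under the Exchange configuration container, so that none of the 16 stores is missed. The account names are placeholders, and the script assumes mailbox stores are objects of class `msExchPrivateMDB` and that it runs under an account able to read the Configuration partition.

```powershell
# Added example: report Deny ACEs for specific accounts on all mailbox stores.
# Read-only; it changes nothing in the directory.

# Placeholder account names (assumption): replace with the affected administrators.
$accounts = @('EXAMPLE\admin3', 'EXAMPLE\admin4')

# Locate the Configuration partition and the Microsoft Exchange services container.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$base     = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"

# Find every mailbox store (database) object in every storage group.
$searcher             = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter      = '(objectClass=msExchPrivateMDB)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500

$report = foreach ($result in $searcher.FindAll()) {
    $store = $result.GetDirectoryEntry()

    # Include explicit and inherited ACEs; IsInherited shows where to look next.
    $rules = $store.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        $isDeny = $rule.AccessControlType -eq
            [System.Security.AccessControl.AccessControlType]::Deny
        if ($isDeny -and ($accounts -contains $rule.IdentityReference.Value)) {
            [pscustomobject]@{
                Store       = [string]$store.distinguishedName
                Account     = $rule.IdentityReference.Value
                Rights      = $rule.ActiveDirectoryRights
                ObjectType  = $rule.ObjectType   # GUID of the extended right, if any
                IsInherited = $rule.IsInherited
            }
        }
    }
}

# One row per Deny entry; an empty result means no store carries one.
$report | Sort-Object Store, Account | Format-Table -AutoSize
```

Rows with `IsInherited` set to `False` are the entries set directly on a store object; rows marked `True` point to a parent container (storage group, server or higher) that still holds the Deny entry.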
