Mailbox permission don't work
We are having aproblem with full accesspermissions to othermailboxes.
I have delegated myself fullaccesspermission on several mailboxes and Ican only access some of the these.
I am attempting to access them via OWA.
Has anyone else experience this and what steps should I take to troubleshoot this prolblem.
Thank you
January 29th, 2009 9:15pm
Hi,
Did you try it from Outlook and check if that works ? Also run the following Powershell command to verify that the correct permissions are set:
Get-MailboxPermission -Identity "Mailboxname/Username" |fl
Regards,
Johanblog: www.johanveldhuis.nl
Free Windows Admin Tool Kit Click here and download it now
January 29th, 2009 10:57pm
Hi Greg,Additionally, did you wait for some time after giving permission? It may take up to 2 hours to refresh the cache information on Information Store service, or you can restart the IS service but it affects to all the mailboxes on the server.Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
January 30th, 2009 8:06am
hi
check the Allow inheritable permissions check box is selected on the user object or on the OU container in Active Directory Users and Computers.
Open the Active Directory Users and Computers snap-in.On the View menu, click Advanced Features.Open the properties of a user who cannot log on to Outlook Web Access.Click the Security tab, and then click Advanced.Select the Allow inheritable permissions check box if it has not already been selected.Repeat steps 3 through 5 for each organizational unit between the user object and the top-level container.Allow time for replication to occur.
rgd, eknathrao
Free Windows Admin Tool Kit Click here and download it now
January 30th, 2009 4:48pm
Hi Greg,
Hows the issue now? Do everybodys suggestions work for you?
If not, please provide more info for analyzing the cause
Whats the error info when users tried to access shared mailbox?
Please describe the exactly procedure you used to set up the permission
February 2nd, 2009 5:46am
Hey Everyone and thanks for your replies. I am concerned that the permission in active directory me be incorrect however I have run that command on my account. BTW I am unable to access my account with Domain Administrator via OWA even if i enable full access for that account. When I run get mailbox perms I have some duplicate entries. We have sever entries which have Deny true when they should allowed. This is output from my account.Identity User AccessRights IsInherited Deny-------- ---- ------------ ----------- ----i-smma.com/Employ... NT AUTHORITY\SELF {FullAccess, SendAs, ReadPermission} False Falsei-smma.com/Employ... I-SMMA\grtexchange {FullAccess} True Truei-smma.com/Employ... I-SMMA\CAM35$ {ReadPermission} True Falsei-smma.com/Employ... I-SMMA\grtexchange {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True Falsei-smma.com/Employ... I-SMMA\Exchange S... {FullAccess} True Truei-smma.com/Employ... I-SMMA\Domain Admins {FullAccess} True Truei-smma.com/Employ... I-SMMA\Enterprise... {FullAccess} True Truei-smma.com/Employ... I-SMMA\dbexch {FullAccess} True Truei-smma.com/Employ... I-SMMA\Exchange O... {FullAccess} True Truei-smma.com/Employ... I-SMMA\administrator {FullAccess} True Truei-smma.com/Employ... I-SMMA\GoodAdmin {FullAccess} True Falsei-smma.com/Employ... I-SMMA\GoodLink C... {FullAccess} True Falsei-smma.com/Employ... I-SMMA\Exchange S... {FullAccess} True Falsei-smma.com/Employ... I-SMMA\Exchange D... {FullAccess} True Falsei-smma.com/Employ... I-SMMA\GoodLink C... {ReadPermission} True Falsei-smma.com/Employ... I-SMMA\GoodAdmin {ReadPermission} True Falsei-smma.com/Employ... I-SMMA\Exchange P... {ReadPermission} True Falsei-smma.com/Employ... NT AUTHORITY\NETW... {ReadPermission} True Falsei-smma.com/Employ... I-SMMA\Exchange D... {ReadPermission} True Falsei-smma.com/Employ... I-SMMA\Exchange S... {ReadPermission} True Falsei-smma.com/Employ... I-SMMA\Exchange V... {ReadPermission} True Falsei-smma.com/Employ... I-SMMA\dbexch {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True Falsei-smma.com/Employ... I-SMMA\Exchange O... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True Falsei-smma.com/Employ... I-SMMA\administrator {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True Falsei-smma.com/Employ... I-SMMA\Enterprise... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True Falsei-smma.com/Employ... I-SMMA\Domain Admins {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True FalseAnd I have waited many days for the cache to refresh. Thank you very much for your help!Greg
Free Windows Admin Tool Kit Click here and download it now
February 3rd, 2009 4:43am
Yes, thats not normal. Those built-in accounts shouldnt only have Full Access permission and duplicated.
Can you see those duplicated accounts via EMC? Have you tried to remove them, whats the result?
Do all problematic mailboxes have such symptom?
Does the issue only appear on several existing mailboxes? How about new created mailboxes?
Please try to remove duplicated accounts, and check the issue
February 3rd, 2009 7:31am
These accounts were migrated from exchange 2003 and i was not sure if I should remove duplicate entre.We have an accountcalled goodadmin which has explicit full access to all mailboxes formobile email access.I have attempted to log into mailboxes with this account and have found that it does not have access tosome accounts.From what i understand just because my account is a member of exchange organization administrators does not mean I will have access to the content of mailboxes... Correct? I guess I am having a hard time troubleshooting the problem and identifying the differences in these accounts.
Free Windows Admin Tool Kit Click here and download it now
February 4th, 2009 4:36am