Manage Full Access Permission Error
Summary: 1 item(s). 0 succeeded, 1 failed. Elapsed time: 00:00:00
DFLCOS\user.name1
Failed
Error:Cannot remove ACE on object "CN=User Name2,OU=DOMAIN Users,DC=company,DC=com" for account "COMPANY\User.Name1" because it is not present.
Exchange Management Shell command attempted:Remove-MailboxPermission -Identity 'CN=User Name2,OU=DOMAIN Users,DC=company,DC=com' -User 'COMPANY\User.Name1' -InheritanceType 'All' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
Exchange 2007 SP1 running on Windows 2003 SP2
Situation: Post intraforest migration. Accounts were moved from the forest root domain to a new domain in the forest. The Exchange server was also moved. As soon as the user accounts were moved (ADMT), all users with full access permission to another user's mailbox lost it.
The account is displayed in the Security Principal list under the GUI Admin tool with the correct account name, but the icon is displayed as a user with a question mark over it. In the Shell it is displayed as shown in the above error message. I can only guess that this is the legacy SID that is not being translated correctly.
Unfortunately, adding the user to a mailbox with full access permissions does not clean up the second account; both are listed and the user cannot access the mailbox they have full access to. Deleting the account causes the SID to be displayed, and it can then be removed.
Anyone have any thoughts on this?
Thanks in advance.
June 4th, 2008 10:03pm
Hello Jeremy,
How are you?
You can validate if the SIDHistory is being migrated using AdsiEdit.msc and validating if the migrated user has any information in the SIDHistory attribute. Can you check this out?
If it has been replicated and you have a trust between two Windows Server 2003, you can run this command:
NETDOM TRUST trusting_domain /Domain:trusted_domain /EnableSIDHistory:yes
After that you should be able to access the mailbox without giving any extra permission.
June 5th, 2008 1:04am
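Added example (not part of the original thread, and not code from any poster): a PowerShell sketch of the SIDHistory check described in the reply above, classifying each explicit mailbox ACE as belonging to a current SID, a pre-migration SID held in sIDHistory, or no known account. The function names, property names (`TrusteeSid`, `SidHistory`), account names and SIDs are all hypothetical and constructed for illustration; obtaining trustee SIDs from a live Exchange server is left outside the example.

```powershell
# Constructed sample data: every SID and name below is a placeholder.
$oldSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # SID before the move
$newSid    = 'S-1-5-21-4444444444-5555555555-6666666666-2210'  # SID after the move
$orphanSid = 'S-1-5-21-1111111111-2222222222-3333333333-1400'  # matches no account

# Migrated accounts: current SID plus the values held in sIDHistory.
$accounts = @(
    (New-Object PSObject -Property @{ Name = 'NEWDOM\user.one'; Sid = $newSid; SidHistory = @($oldSid) })
)

# FullAccess entries on one mailbox, trustees given as SID strings.
$aces = @(
    (New-Object PSObject -Property @{ Mailbox = 'shared.box'; TrusteeSid = $oldSid;    IsInherited = $false }),
    (New-Object PSObject -Property @{ Mailbox = 'shared.box'; TrusteeSid = $newSid;    IsInherited = $false }),
    (New-Object PSObject -Property @{ Mailbox = 'shared.box'; TrusteeSid = $orphanSid; IsInherited = $false }),
    (New-Object PSObject -Property @{ Mailbox = 'shared.box'; TrusteeSid = $oldSid;    IsInherited = $true  })
)

function Get-SidHistoryStrings([string]$DistinguishedName) {
    # Reads sIDHistory (stored as binary SIDs) from a live directory and
    # returns SID strings. Needs domain connectivity; not used on the sample data.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    foreach ($bytes in $entry.psbase.Properties['sIDHistory']) {
        (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)).Value
    }
}

function Get-AceMigrationStatus {
    param($Aces, $Accounts)
    # Index current SIDs and sIDHistory SIDs by their string value.
    $current = @{}; $history = @{}
    foreach ($a in $Accounts) {
        $current[$a.Sid] = $a.Name
        foreach ($h in $a.SidHistory) { $history[$h] = $a.Name }
    }
    foreach ($ace in $Aces) {
        if ($ace.IsInherited) { continue }   # inherited ACEs are not set on the mailbox itself
        $sid = $ace.TrusteeSid
        if     ($current.ContainsKey($sid)) { $status = 'Current';   $owner = $current[$sid] }
        elseif ($history.ContainsKey($sid)) { $status = 'LegacySid'; $owner = $history[$sid] }
        else                                { $status = 'Orphaned';  $owner = $null }
        New-Object PSObject -Property @{ Mailbox = $ace.Mailbox; TrusteeSid = $sid; Status = $status; Account = $owner }
    }
}

Get-AceMigrationStatus $aces $accounts | Format-Table Mailbox, TrusteeSid, Status, Account -AutoSize
```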
Hi,
We have the same issue since the trust between our old and new domain was cut. Is there anything that can be done to manage rights on our boxes now? I was not here at the time of the migration so I don't know how exactly it was done. But we do have SIDHistory.
kind regards,
Rogier.
August 18th, 2008 11:57am
Anderson Patricio - MVP wrote:
Hello Jeremy,
How are you?
You can validate if the SIDHistory is being migrated using AdsiEdit.msc and validating if the migrated user has any information in the SIDHistory attribute. Can you check this out?
If it has been replicated and you have a trust between two Windows Server 2003, you can run this command:
NETDOM TRUST trusting_domain /Domain:trusted_domain /EnableSIDHistory:yes
After that you should be able to access the mailbox without giving any extra permission.
Hi
I have a similar problem. I have a user (me!) that has full permissions to a mailbox; when I try to get rid of it, through either GUI or shell, I get the same error as above.
We have done a migration too (with SIDHistory) but we no longer have the trust in place.
Any thoughts?
Cheers
E
August 18th, 2008 12:07pm
I have exactly the same problem on a few mailboxes. I cannot tell you if the migration has been done with SIDHistory; it was before my time, but the trust is for sure not in place anymore, and there's no Exchange 2003 Server in the organisation anymore.
I want to rearrange the rights on Shared mailboxes with groups and transform them into Shared mailboxes, but I have some users left with "Full Access". It is not clean, and by the way some of these users shouldn't have any more rights to these mailboxes.
Cheers$...
June 4th, 2009 6:42pm