Managing PF permissions
Hello Friends,
First let me introduce my organizational structure to you all then ask the for the solution to my query.
We are running Exchange 2003 servers on Windows 2003 & Exchange 2007 on win 2003 in mixed mode. We have 4 PF servers which are of exchange 2007 on win 2003 and their replica over exchange 2003 PF servers running on win 2003. All PF are stored there as
we are in transition to 2007 completely. Once I have to give Author permissions to a user over a specified Public folder.
I ran PFDAVAdmin tool and navigated to that folder and tried adding the user and got error. Then I tried it for other users on same folder and same user on other folders too, but returned with same error (given below)
Then i tried to make o0ut the permissions from Exchange 2003 PF Server but there got the below error.
I checked out all exchange services, MAPI connectivity, replication and all things were fine. There were no suspected event ID as well. Also I tried to grant the permission to the user over that PF via shell command from Exchange 2007, which went successful.
I am wondering, that why is that the exchange 2003 PF servers as well as PFDAVAdmin tool is creating problem for us.
I have went through many articles over the web and didin't found any thing suitable for my situation. Apart from this what I noted that, the Microsoft Exchange SRS (site replication service) was DISABLED in exchange 2003 while the same was running on exchange
2007. Could this be the reason or what else I do have to get through for the same...
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23965191.html
Thanks !!!!
November 2nd, 2011 3:05pm
Why don't you logon as an Administrator in MS Outlook and assign the permissions to the users. I did it and it worked for me.
Give yourself Full permission first so next time you can add the users via your profile without logging on as the Adminsitrator.Where Technology Meets Talent
Free Windows Admin Tool Kit Click here and download it now
November 2nd, 2011 3:09pm
Yes, we can do it too, but I am finding that why it had not been through the procedure I was following. Though I had already done it through Shell command as said.
Thanks !!
November 2nd, 2011 3:12pm
I don't have test environment else I would have tried it.Where Technology Meets Talent
Free Windows Admin Tool Kit Click here and download it now
November 2nd, 2011 3:38pm
Friends,
Any more suggestions?
November 5th, 2011 8:23am
@Dev
1.Do you receive the error while adding the permissions on Exchange 2007 or Exchange 2003 PF Server?
2. Is this error only for a specific folder / user or it does not matter?
3. If this error is specific to a single folder, can you right-click the folder in PFDavadmin and do a "Check DACL state" and report back?
4. On the problem folder do you have any unresolved SID's?
5. In Pfdavadmin enable extended logging and post the log after you receive the error (remove user / server specific information while posting)
Free Windows Admin Tool Kit Click here and download it now
November 6th, 2011 9:35am
Hello Suresh,
I get this error while delegating permissions via PFDAVAdmin tool. All our PF Server are of Exchange 2007. But can't make out permissions from either PFDAVAdmin (connecting to exchange 2007 PF Server) nor exchange 2003 Server via AD (as posted
in my very first post with error screen shot). No the error is for each PFolder and any user. Sure I had no idea about DACL state, which I would look into and report back after the weekend.
But how unresolved SID may effect addition of any new user, and moreover every folder might not have it.
I would enable extended logging, but not sure that I would receive the error specified by you, as I use to get always "Unknown error (0X80005000)"
But then I am not able to get, how the permissions did worked from Exchange 2007 Shell command.
Thanks for the help.
November 6th, 2011 11:40am
Hello Dev,
Have you tried connecting to different public folder servers and domain controllers on PFDAVAdmin?Never stop learning
Free Windows Admin Tool Kit Click here and download it now
November 6th, 2011 3:08pm
Hello Friend,
Yes. I had tried connecting to different PF Servers and different DCs, at my first attempt, but no help.
November 7th, 2011 11:50am
Hello Suresh,
Please find the below DACL State for the sub folder on which permission is required.
I had also enabled extended logging before doing anything. Please find below logs.
==========================================================================================
Folder filter: (&)
https://PF_ServerName/ExAdmin/Admin/DOMAIN.COM/public%20folders/Connectivity%20Solutions/Chelmsford/Conference%20Room/ Missing Anonymous;
Operation complete.
==========================================================================================
Please let me know if I have to ADD "anonymous" to this sub folder. And if yes, then what permission should I set to it?
NOTE: The root folder's DACL State is "GOOD".
Thanks !!
Free Windows Admin Tool Kit Click here and download it now
November 8th, 2011 10:10am
Hello Suresh,
Is that safe enoufg to do the below action for the sub folder? Would this FIX this issue by repairing the DACL, as I am not able to add anonymous user to that sub folder.
Thanks !!
November 8th, 2011 11:57am
Dev,
Fix the DACL state , do not change the selections click Execute and once done wait for few minutes and try adding the user and report back.
Free Windows Admin Tool Kit Click here and download it now
November 8th, 2011 9:32pm
Suresh,
I am wondering if it won't change the existing user permissions over that particular folder.
Thanks again..
November 9th, 2011 4:05am
Dev,
it wont change the default permissions of the folder, you can do a screencap before fixing DACL.
Free Windows Admin Tool Kit Click here and download it now
November 9th, 2011 4:06am
Thanks Suresh,
I done the same and it went fine. Post checking the DACL state, it shows "Good", still, I am not able to add any user to give the permission. Please refer the below provided screen capture.
Please help.... :(
November 9th, 2011 4:18am
Dev,
anything in the extended logging?
Free Windows Admin Tool Kit Click here and download it now
November 9th, 2011 4:39am
Suresh,
Extended logging has logged only the below and nothing else.
====================================================================================================
Folder filter: (&)
https://ServerName/ExAdmin/Admin/DOMAIN.COM/public%20folders/Connectivity%20Solutions/Chelmsford/ DACL is good.
====================================================================================================
November 9th, 2011 4:46am
Suresh,
I found another log [folder permission logs] generated which might help you. Can you please assist me further?
======================================================================================================
<S:nt4_compatible_name>DOMAIN\aturff</S:nt4_compatible_name>
<S:ad_object_guid>{8fc98e7d-e063-476f-8c98-0fac32b6d972}</S:ad_object_guid>
<S:display_name>Turff, Ami [NETPWR/CONNSOL/UK]</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc910</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-1417001333-1682526488-839522115-344125</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\aturff</S:nt4_compatible_name>
<S:ad_object_guid>{8fc98e7d-e063-476f-8c98-0fac32b6d972}</S:ad_object_guid>
<S:display_name>Turff, Ami [NETPWR/CONNSOL/UK]</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1fc9bf</S:access_mask>
<S:sid>
======================================================================================================
Free Windows Admin Tool Kit Click here and download it now
November 9th, 2011 4:56am
Dev,
Please create a service ticket to troubleshoot the issue. we might need to collect some logs / tracing to track down the problem.
November 10th, 2011 1:48am
Any more suggestions friends???
Free Windows Admin Tool Kit Click here and download it now
November 10th, 2011 4:45am