Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Exchange Server 2007 admin rights for user mailboxes

25 views
Skip to first unread message

Max C

unread,
Apr 25, 2007, 10:36:02 AM4/25/07
to
I just completed a grueling migration from Exchange 5.5 to 2007. I
have most of the kinks worked out, but there's still the issue of
logging in to user mailboxes. Here's the deal:

We're a company of about 150 users. Any time a user is out sick, I get
an email from their supervisor requesting that I log in to their
mailbox, forward any unread email to another user and then turn on out
of office and set it to auto forward future emails to the same user
that received the unread emails.

It's an OK system, and I'd *like* the ability to continue doing that,
but as most of you probably already know, admin rights to user
mailboxes went away starting with some previous version of Exchange
that was newer than 5.5. So, I have 2 questions:

1 - Is there a way to get those rights back to log in to the users
mailboxes?

2 - Is there a better way to accomplish my goal... such as assigning
each manager rights to their employees' mailboxes and letting them
take care of setting up Out of Office themselves?

How do you handles this situation? Any and all suggestions
appreciated.

Max.

Max C

unread,
Apr 25, 2007, 10:36:13 AM4/25/07
to

How do you handle this situation? Any and all suggestions
appreciated.

Max.

Peter Lawton

unread,
Apr 25, 2007, 11:48:39 AM4/25/07
to
This is probably what you want to continue doing it the way you have been:-

http://technet.microsoft.com/en-us/library/aa996343.aspx

Peter Lawton

"Max C" <max...@gmail.com> wrote in message
news:1177511772.8...@r30g2000prh.googlegroups.com...

Max C

unread,
Apr 26, 2007, 9:40:29 AM4/26/07
to
Hi Peter. Thanks for the response. You're right. That *is* what I
want to do. I had found that exact page yesterday after posting my
question here. The problem is, when I perform the Add-ADPermission
function, I get an error that says "The operation could not be
performed because object <mailbox database> could not be found on
domain controller <my DC>

I've tried several ways to refer to the mailbox database. I get the
same error every time. I know that this Exchange Server is
communicating with Active Directory because it can read all of my
users' information. DNS also seems to be working fine.

I'm coming from an Exchange 5.5 environment straight into Exchange
2007, so I have a huge learning curve ahead of me... but it almost
seems to me that there is supposed to be a reference of the mailbox
database in Active Directory that doesn't exist. Either that, or I
just don't know where to find it. I've looked all through AD Users
and Computers and AD Sites and Services. I can't seem to find any
reference.

During the brief 1 day that I had Exchange 2003 online, I *did* notice
that just about everything was in AD. I don't know why MS moved away
from that model.

At any rate, thanks for taking the time to reply.

Max.

On Apr 25, 10:48 am, "Peter Lawton" <nob...@dummy.domain> wrote:
> This is probably what you want to continue doing it the way you have been:-
>
> http://technet.microsoft.com/en-us/library/aa996343.aspx
>
> Peter Lawton
>

> "Max C" <maxc...@gmail.com> wrote in message

Peter Lawton

unread,
Apr 26, 2007, 12:36:48 PM4/26/07
to
I think I used something like:-

Add-ADPermission -Identity "First Storage Group" -User "domain
admins" -ExtendedRights Receive-As

But I can't remember exactly I'm afraid I'm sorry

Peter Lawton

"Max C" <max...@gmail.com> wrote in message

news:1177594829....@n35g2000prd.googlegroups.com...

Max C

unread,
Apr 26, 2007, 5:45:04 PM4/26/07
to
Hi Peter. Yeah, I tried it that way too. I get a different error
message when I use "First Storage Group." I forgot about that when I
last posted. That error says:

"The operation could not be performed because "First Storage Group"
matches multiple entries." I tried specifying by using "<exchange
server name>\first storage group" but that gave me the original error.

I feel like I need to learn how to specify the exact name of the
database I'm trying to edit, but documentation for this seems
impossible to find.

Thanks again.
Max.

On Apr 26, 11:36 am, "Peter Lawton" <nob...@dummy.domain> wrote:
> I think I used something like:-
>
> Add-ADPermission -Identity "First Storage Group" -User "domain
> admins" -ExtendedRights Receive-As
>
> But I can't remember exactly I'm afraid I'm sorry
>
> Peter Lawton
>

Max C

unread,
Apr 27, 2007, 10:06:08 AM4/27/07
to
OK, well I finally found a way to do what I wanted to do. It's not
pretty, and it completely circumvents the security MS wanted to be
there to disallow admins from doing things in others' mailboxes, but I
can do my job again, which is all that matters to me. Here's the
scoop:

First, install the ADSI Editor from your Windows Server CD.
http://technet2.microsoft.com/windowsserver/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true

Next, open adsiedit.msc and drill down as follows:

Expand CN=Configuration,DC=example,DC=com, expand CN=Services, expand
CN=Microsoft Exchange, and then expand CN=OrganizationName (where
OrganizationName is the name of your Exchange organization).
Expand Administrative Groups (if administrative groups are enabled),
expand your administrative group (for example, expand CN=First
Administrative Group), expand CN=Servers, expand CN=ExchangeServerName
(where ExchangeServerName is the name of your Exchange server), expand
CN=InformationStore, and then click CN=StorageGroupName (where
StorageGroupName is the name of the storage group that hosts the
database that you want to move.

(Above info found at http://support.microsoft.com/kb/822676)

In the right pane, you should see the mailbox database object. Double
click on it. In the Mailbox Database properties window, click the
Security tab. In the security tab, you'll see a lot of security
groups. Some of them will be Domain Admins, Enterprise admins, etc.
The admin groups that once had the ability to alter all mailboxes now
have specific "Deny" attributes set. This is where you get rid of
those.

Select the security object you want to grant rights to (like domain
admins) and click on the Advanced button. In the Advanced Security
Settings window, uncheck the box to Inherit permissions from the
parent. Accept the conditions of this actions in the pop up window.
Now go through and Remove all of the Deny permissions and click OK.
You may get a warning message about changing X number of permissions.
Click OK. Back at the security window, make sure the security group
you just edited has Full Control rights set to Allow. Click OK and
then sync your domain servers.

After I did that, I noticed that some users' mailboxes would open for
me in Outlook and some would not. It turns out that the problem was
that I had created profiles for some users in Outlook before my
Exchange server upgrade. When I'd click File / Open / Other User's
Folder apparently Outlook was trying to use something from those
profiles to open the folder and would tell me that the mailbox could
not be found. After I went in and deleted the profiles of the users I
couldn't access I could immediately access their mailbox.

It took me almost a week to piece this information together. I hope
it helps someone. If it helps you, shoot me an email to let me know.

Max.
max...@gmail.com

Peter Lawton

unread,
Apr 27, 2007, 12:14:16 PM4/27/07
to
Well done, that is very useful :)

Many thanks

Peter

"Max C" <max...@gmail.com> wrote in message

news:1177682768....@c18g2000prb.googlegroups.com...

0 new messages