
EX2K7 OWA


DavidK

Oct 2, 2007, 4:20:03 PM
I am running an EX2003 environment with EX2K7 installed into it. I have
created a CAS server. If I create a new user and put it on the ex2k7 server
then it is fine for OWA. But I have moved my mailbox over to the new ex2k7
server and the OWA says I have insufficient permissions to AD.
error:
Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

What is missing, or where? I am a full exchange admin, but I am missing some
permissions in AD somewhere.

need some help
thanks.


Ed Crowley [MVP]

Oct 2, 2007, 4:39:40 PM
How did you move the mailbox?
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"DavidK" <Dav...@discussions.microsoft.com> wrote in message
news:4F3A0BC0-A2FD-4EF5...@microsoft.com...

Neil Hobson [MVP]

Oct 2, 2007, 4:51:12 PM
I bet that your user account is/was an administrator account, or a member of
domain admins, etc. Would that be right?

--
Neil Hobson
Exchange MVP
http://www.msexchange.org/Neil_Hobson/
http://www.msexchangeblog.com


"DavidK" <Dav...@discussions.microsoft.com> wrote in message
news:4F3A0BC0-A2FD-4EF5...@microsoft.com...

DavidK

Oct 2, 2007, 5:18:00 PM
No, it is not checked. I am checking with the ADUC not anything in the EX2007
Mgmt Con.

"Neil Hobson [MVP]" wrote:

> OK, but can you check something for me. Bring up the properties of your
> user account in ADUC, go to the Security tab, click the Advanced button, and
> see if the 'allow inheritable permissions....' check box is selected?
>
> --
> Neil Hobson
> Exchange MVP
> http://www.msexchange.org/Neil_Hobson/
> http://www.msexchangeblog.com
>
>
> "DavidK" <Dav...@discussions.microsoft.com> wrote in message
> news:006323AF-EC95-44AF...@microsoft.com...
> > No, my account is not a domain admin, but my account is an exchange full
> > admin. I should still have full permission to my own mailbox.

DavidK

Oct 2, 2007, 5:03:00 PM
No, my account is not a domain admin, but my account is an exchange full
admin. I should still have full permission to my own mailbox.

DavidK

Oct 2, 2007, 5:02:00 PM
I moved the mailbox with the Exchange 2007 Management Console logged in to it
with an Exchange Full Admin account which is not a domain admin.
I am not a member of the Domain admins.

Neil Hobson [MVP]

Oct 2, 2007, 5:09:50 PM
OK, but can you check something for me. Bring up the properties of your
user account in ADUC, go to the Security tab, click the Advanced button, and
see if the 'allow inheritable permissions....' check box is selected?



"DavidK" <Dav...@discussions.microsoft.com> wrote in message

news:006323AF-EC95-44AF...@microsoft.com...

Neil Hobson [MVP]

Oct 2, 2007, 5:20:12 PM
That's likely the problem then. Check that box and OWA should work once
things settle down. That check box can be de-selected automatically if your
account was *ever* an administrator account, or perhaps it was de-selected
manually.


"DavidK" <Dav...@discussions.microsoft.com> wrote in message

news:7725E3EE-337A-4E9F...@microsoft.com...

DavidK

Oct 2, 2007, 5:31:02 PM
So if I moved another person's mailbox, and it is not checked there either.
How can I tell why it was unchecked? Should everyone's (regular users and the
such) box be checked?

DavidK

Oct 2, 2007, 5:35:03 PM
Checking that box actually worked. So I know when moving people from 2003 to
2007, I need to use the management console. I log in using a Full Exchange
Admin account, but that login is not a full domain admin. It is a member of
the Exchange groups and Enterprise Admins, but not a domain admin. Any
problems you foresee?

And thanks for your fast help.

Neil Hobson [MVP]

Oct 2, 2007, 5:41:11 PM
It's removed for members of domain admins, etc, to stop elevation of
privilege attacks. A security feature. :)

It should be selected for ordinary user accounts. Either your account was
once an admin account, or that check box was removed manually or by some
other process. Even if your account was an admin account for a few hours a
few years ago, that could have been enough to strip the setting. It won't
be put back automatically as far as I know.


"DavidK" <Dav...@discussions.microsoft.com> wrote in message

news:CE24C00F-B93A-48D9...@microsoft.com...
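
Added example, not part of the thread: a PowerShell check for the condition described in the post above. It reads the "protected" DACL flag that a cleared check box corresponds to, and uses adminCount (the attribute AD sets on accounts that have been in protected groups such as Domain Admins) to separate the two causes the post names. The account names, adminCount values and SDDL strings are constructed sample data.

```powershell
# Constructed sample data; nothing here comes from the poster's environment.
# To feed live data instead (assumes the ActiveDirectory module is installed):
#   Get-ADUser -Filter * -Properties adminCount, nTSecurityDescriptor |
#     Select-Object SamAccountName, adminCount,
#       @{ n = 'Sddl'; e = { $_.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access') } }

function Test-DaclProtected {
    # True when the DACL carries the "protected" control flag, which is how a
    # cleared "allow inheritable permissions" check box appears in SDDL (D:P...).
    param([Parameter(Mandatory)][string]$Sddl)
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $flag = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected
    return (($sd.ControlFlags -band $flag) -eq $flag)
}

function Get-InheritanceFinding {
    # Classifies one account record (SamAccountName, adminCount, Sddl).
    param([Parameter(Mandatory, ValueFromPipeline)]$Account)
    process {
        $blocked = Test-DaclProtected -Sddl $Account.Sddl
        $status = if (-not $blocked) {
            'OK: inherits permissions'
        } elseif ($Account.adminCount -eq 1) {
            'Blocked: account is or was in a protected group (adminCount=1)'
        } else {
            'Blocked: cleared manually or by another process'
        }
        [pscustomobject]@{
            SamAccountName     = $Account.SamAccountName
            InheritanceBlocked = $blocked
            Status             = $status
        }
    }
}

$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.inherits'; adminCount = $null
                       Sddl = 'D:AI(A;;GA;;;SY)(A;ID;GR;;;AU)' }
    [pscustomobject]@{ SamAccountName = 'user.exadmin';  adminCount = 1
                       Sddl = 'D:PAI(A;;GA;;;SY)(A;;GA;;;BA)' }
    [pscustomobject]@{ SamAccountName = 'user.manual';   adminCount = $null
                       Sddl = 'D:PAI(A;;GA;;;SY)(A;;GR;;;AU)' }
)

$sample | Get-InheritanceFinding | Format-Table -AutoSize
```

For an account that is still a member of a protected group, AD clears the box again after it is re-checked, so the fix only holds for accounts that have left those groups.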

Neil Hobson [MVP]

Oct 2, 2007, 5:44:24 PM
You might need to be a member of the local admins group on both source and
target servers as well. Check it - it'll either work or fail.


"DavidK" <Dav...@discussions.microsoft.com> wrote in message

news:EED4B6DB-4346-40DF...@microsoft.com...
