
Exchange 2007 Permissions


EXCH2k7Admin

Oct 13, 2008, 7:12:04 PM
Hello,

I am trying to give "domain admins" permissions to all mailboxes. I added
Send-as, receive-as and info store at the mailbox store level and have the
following problem. All but one domain admin account works. The inherited
denies for my problem account are explicitly granted at the mailbox store
level with Domain Admins.

Permissions are as follows:

[PS] C:\Documents and Settings\XXXX\Desktop>Get-MailboxDatabase | Get-ADPermission -user "DOMAINNAME\PROBLEMACCOUNT"

Identity         User                       Deny  Inherited Rights
--------         ----                       ----  --------- ------
SERVER\First ... DOMAINNAME\PROBLEMACCOUNT  False False     GenericAll
SERVER\First ... DOMAINNAME\PROBLEMACCOUNT  True  True      Receive-As
SERVER\First ... DOMAINNAME\PROBLEMACCOUNT  True  True      Send-As
SERVER\First ... DOMAINNAME\PROBLEMACCOUNT  False True      GenericAll


[PS] C:\Documents and Settings\XXXX\Desktop>Get-MailboxDatabase | Get-ADPermission -user "DOMAINNAME\domain admins"

Identity         User                      Deny  Inherited Rights
--------         ----                      ----  --------- ------
SERVER\First ... DOMAINNAME\Domain Admins  False False     ms-Exch-Store-Admin
SERVER\First ... DOMAINNAME\Domain Admins  False False     Receive-As
SERVER\First ... DOMAINNAME\Domain Admins  False False     Send-As
SERVER\First ... DOMAINNAME\Domain Admins  True  True      Receive-As
SERVER\First ... DOMAINNAME\Domain Admins  True  True      ms-Exch-Store-Transport-Access
SERVER\First ... DOMAINNAME\Domain Admins  True  True      ms-Exch-Store-Constrained-Delegation
SERVER\First ... DOMAINNAME\Domain Admins  True  True      ms-Exch-Store-Read-Access
SERVER\First ... DOMAINNAME\Domain Admins  True  True      ms-Exch-Store-Read-Write-Access
SERVER\First ... DOMAINNAME\Domain Admins  True  True      ms-Exch-EPI-Impersonation
SERVER\First ... DOMAINNAME\Domain Admins  True  True      ms-Exch-EPI-Token-Serialization
SERVER\First ... DOMAINNAME\Domain Admins  True  True      Send-As
SERVER\First ... DOMAINNAME\Domain Admins  False True      CreateChild, Self, WriteProperty, ExtendedRight, Delete, G...

Thanks in advance,

GH


Jamestechman

Oct 14, 2008, 4:15:26 PM
You need to find out where the inheritance for the deny is coming
from; use adsiedit and start up from the database level moving all the
way up to the org level to find out where the deny is starting from.
If you are unfamiliar with adsiedit, please post.


James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com
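
The walk the reply above describes, from the database level up to the organization container, can also be done from the Exchange Management Shell. This is an added example, not part of the original thread; `Find-DenySource` is a hypothetical helper name, and it assumes the `Get-ADPermission` results expose the `Deny` and `IsInherited` properties behind the columns shown in the output above.

```powershell
# Added example for the Exchange Management Shell (not from the thread).
# Find-DenySource is a hypothetical helper name, not an Exchange cmdlet.
function Find-DenySource {
    param(
        [string]$StartDN,  # distinguishedName of the mailbox database
        [string]$User      # account to check, e.g. "DOMAINNAME\PROBLEMACCOUNT"
    )

    $dn = $StartDN
    # Calculated column recording which object the ACE was read from.
    $setOn = @{Name = 'SetOn'; Expression = { $dn }}

    # Walk upward until we leave the Exchange organization (CN=Services).
    while ($dn -and ($dn -notlike 'CN=Services,*')) {
        # All deny ACEs for this account on the current object.
        $deny = @(Get-ADPermission -Identity $dn -User $User |
            Where-Object { $_.Deny })

        # IsInherited = False means the ACE is set on this object itself,
        # so this container is a source of the deny seen further down.
        $deny | Where-Object { -not $_.IsInherited } |
            Select-Object $setOn, User, Deny, IsInherited, ExtendedRights, AccessRights

        # Move to the parent: drop the first RDN (everything up to the
        # first comma that is not escaped with a backslash).
        $parent = $dn -replace '^.*?[^\\],', ''
        if ($parent -eq $dn) { break }   # no parent left
        $dn = $parent
    }
}

# Check every mailbox database, as in the commands posted above.
Get-MailboxDatabase | ForEach-Object {
    Find-DenySource -StartDN $_.DistinguishedName -User 'DOMAINNAME\PROBLEMACCOUNT'
}
```

Each row returned names, in `SetOn`, a container where the deny is set directly rather than inherited. Running it again with `"DOMAINNAME\domain admins"` as the user covers the group entries from the second command.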

EXCH2k7Admin

Oct 14, 2008, 5:40:20 PM
It's coming from the ORG. But shouldn't the explicit allow override this
setting? It works for any other account that I test, just not this one.

Thanks,

"Jamestechman" <jamest...@gmail.com> wrote in message
news:14724c8d-9659-418c...@c36g2000prc.googlegroups.com...
