
Setup /PrepareLegacyPermissions permits wrong group in multi doma


ClemensBe

Jul 1, 2008, 6:28:01 AM
Following environment:
root-domain: fsmo-roles, one DC 64bit for Exchange Setup
company-domain: user objects, uninstalled ADC E2k3 Server
server.company-subdomain: computer objects, E2k3 Server Cluster
special.company-subdomain: computer objects
production.company-subdomain: computer objects

sites: office (2 GC, 1 DC of each domain except production), production (1
GC of company domain, 2GC, 1DC of production) separated by a firewall

After Setup /PL for all domains (except production) we got a strange right
for the domain object in the company domain (all others are okay). The
Exchange Enterprise Servers (EES), which is domain local, was added with the
special access for Exchange Information not from the company domain but from
the server.company subdomain. So all users were missing rights for the
company EES (i.e.: read and write alias). After going to Advanced and
changing the group from servers.company\EES to company\EES I got the read
alias right, but compared to the other subdomains and the root
domain there are many rights missing. The ExchangeSetup.Log shows that this wrong
EES was selected, so I presume that there is an error in the PowerShell
script for the pl option (tested SP1 and RTM versions).
Has anyone experienced the same?
Does anyone know how to set the "Special Access for Exchange Information"
rights with dsacls?

thanks

-clem

Jul 1, 2008, 6:36:01 AM
Additional info:
For the company domain we get MSExchangeAL 8317, 8168, 8022, 8270.
For all other domains everything is okay, RUS is running (checked with
user objects).

-clem

Jul 1, 2008, 8:25:02 AM
To solve the problem I manually executed what setup /bl is doing for each
domain (I could verify that for the other domains):

dsacls "dc=company,dc=local" /I:T /G "company\Exchange Enterprise Servers":WP;"Exchange Information"

dsacls "cn=AdminSDHolder,cn=system,dc=company,dc=local" /I:T /G "company\Exchange Enterprise Servers":RPWP;"Exchange Information"

dsacls "cn=ExOrg,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=root,dc=local" /I:T /G "company\Exchange Domain Servers":WP;"Exchange Information"

Obviously you have to replace company with your domain and ExOrg with your
Exchange organisation name!

For further information see:
http://technet.microsoft.com/en-us/library/bb288907.aspx, ExchangeSetup.log
and the rights.ldf file in setup\data.
Look there for 1F298A89-DE98-47b8-B5CD-572AD53D267E = "Exchange Information"
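
A check for the condition described in this thread, added here as an example and not part of the original posts: it reads saved `dsacls` output for a domain object and reports trustees that hold an "Exchange Information" ACE but belong to a different domain than expected. The sample output is constructed, its layout is an assumption based on typical `dsacls` listings, and the NetBIOS names SERVER and COMPANY are placeholders.

```python
import re

# Constructed, abridged sample of `dsacls "dc=company,dc=local"` output.
# Layout is assumed; SERVER and COMPANY are placeholder NetBIOS domain names.
SAMPLE = r"""Access list:
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      READ PROPERTY
                                      WRITE PROPERTY
Allow SERVER\Exchange Enterprise Servers SPECIAL ACCESS for Exchange Information
                                      WRITE PROPERTY
Allow COMPANY\Domain Admins           FULL CONTROL
"""

# Matches only ACEs scoped to a named property set or attribute.
ACE_RE = re.compile(
    r"^(Allow|Deny)\s+(?P<trustee>\S.*?)\s+SPECIAL ACCESS for (?P<obj>.+?)\s*$")

def parse_property_aces(text):
    """Return one dict per 'SPECIAL ACCESS for <object>' ACE, with its rights."""
    aces, current = [], None
    for line in text.splitlines():
        # Drop the inheritance marker dsacls appends to inherited ACEs.
        line = re.sub(r"\s*<Inherited from .*?>\s*$", "", line)
        m = ACE_RE.match(line)
        if m:
            current = {"type": m.group(1), "trustee": m.group("trustee"),
                       "object": m.group("obj"), "rights": []}
            aces.append(current)
        elif line[:1].isspace() and line.strip() and current is not None:
            current["rights"].append(line.strip())  # indented continuation line
        else:
            current = None  # any other line ends the ACE being collected
    return aces

def foreign_trustees(aces, prop_set, expected_domain):
    """Trustees with an ACE on prop_set whose domain is not expected_domain."""
    found = []
    for ace in aces:
        domain = ace["trustee"].rpartition("\\")[0]
        if (ace["object"].lower() == prop_set.lower()
                and domain.lower() != expected_domain.lower()):
            found.append(ace["trustee"])
    return found

if __name__ == "__main__":
    for t in foreign_trustees(parse_property_aces(SAMPLE),
                              "Exchange Information", "COMPANY"):
        print("unexpected trustee on domain object:", t)
```

Run it over the output saved from each domain and compare the result with a domain where Setup granted the rights correctly.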
