Windows Server 2008 R2 Thread, Exchange 2010 permissions issue in Technical; Hello All,
Right having a tricky issue with permissions on Exchange 2010. One of the users has access to a ...
27th April 2011, 09:45 AM #1
Exchange 2010 permissions issue
Right having a tricky issue with permissions on Exchange 2010. One of the users has access to a few other user's mailboxes. He has them added in Outlook and every few weeks will get errors saying he does not have access to them. The only way to solve it is to take off his access to the mailboxed then re-add them. This then works for a few weeks and then it all goes wrong again.
We have tried fully updating the server, installing Exchange 2010 SP1, and even the step of recreating the user's entire AD account and mailbox. The server is running server 2008 R2, along with two domain controllers also running 2008 R2.
Short of flattening it anyone got an idea?
27th April 2011, 10:34 AM #2
What's the Outlook version?
We had a similar problem with Outlook 2k7 and multiple mailboxes - especially high traffic ones, however since going to 2010 we've not had the same thing reoccur.
27th April 2011, 10:53 AM #3
Most people use Outlook 2003. however the issue does occur when trying to access alternative mailboxes via the OWA as well.
27th April 2011, 11:12 AM #4
1. Can you reproduce the issue or does this only happen after x weeks
2. If you give User A permissions to say User B and User C mailboxes, are you saying User A cannot access the mailbox again?
3. What type of acces are you granting? Full mailbox access or to individual default folder (inbox, calendar etc..)?
4. How is User A given access? Via Outlook or EMC?
5. Is User A a delegate for User B and C?
6. Is User A a member of a privledge group such as domain admin, account operators etc..
27th April 2011, 11:23 AM #5
Thankyou for the response.
1. We cannot force it to replicate the error, it happens after a seemingly random amount of time.
2. User A will have access to B and C mailboxes, he will regularly delve in as they are active, and then one day it will just stop working.
3. We are granting full mailbox access.
4. via the Exchange management console
6. he is a member of domain admin group.
27th April 2011, 11:33 AM #6
When it happens, have you tried running TCPView? TCPView for Windows
Once a certain number of tcp connections from one place have been initiated exchange will block future connections - so you should see a larger amount from affected clients.
Thanks to Domino from:
Potato-Peeler (27th April 2011)
27th April 2011, 12:23 PM #7
If User A is a member of a Domain admin group, this could be the cause. Privledges groups and account as domain admins, account operators, administrator are protected secuirty groups. They are part of SDHolder. By default these groups are denied permissions to mailboxes unless you have explicitly modified how SDHolder works.
However, saying that, SDHolder does not enforce after x weeks, the refresh is a lot quicker than minutes/hours.
Are you sure that it happens every x weeks?
As a test, I would remove user from domain admin, this isn't best practise, the reason for SDHolder.
Admin account used for admin purposes, give User A an normall account and give this new user account full mailbox permissions and test.
If this still an issue, then post back.
If you can wait, then maybe we can try and reproduce.
Thanks to sukh from:
Potato-Peeler (27th April 2011)
27th April 2011, 01:42 PM #8
Hey Guys, cheers for help so far. I have managed to get it fully working atm with both OWA and Office 2010. Although previously it hasent worked on OWA it is this time. Any ideas on how to make it work on the guys 2003 outlook?
27th April 2011, 02:12 PM #9
If the User A has full mailbox permission to User B and C, then regardless of what client (Outlook) User A uses, User A should be able to access the mailbox.
Are you trying to add as an additional mailbox?
27th April 2011, 02:20 PM #10
Yes we are trying to add as an additonal mailbox. However on two different machines with 2003 it is not working, and on OWA and 2010 it is.
27th April 2011, 02:45 PM #11
1. Are you able to add the additional mailbox or does that fail too?
2. If suceeds, what happens when you try to expand the mailbox for User B in Outlook?
3. Do you get any errors?
4. Is Outlook 2003 on the LAN? i.e are you connecting to Exchange 2010 on the LAN or are you usng OA?
5. Apart from the additional mailboxs to be opened (User B and C) can User A logon to Outlook 2003 and send/receive email?
6. Any reason why you want to use Outlook 2003?
27th April 2011, 02:50 PM #12
1. You can add it.
2. Unable to expand folders.
3. Says this set of folders can't be opened (If it wasnt for OWA and Outlook 2010 working would presume permissions knackered)
4. Both machines with outlook 2003 are on LAN. So is the attempt to access OWA and office 2010.
5. Everything else appears to work.
6. I hate it, our client refuses to move.
27th April 2011, 02:58 PM #13
1. Is this the same User who is a member of the Domain Admins group? If so, has he been removed?
2. Is Outlook 2003 fully patched
3. The same User who cannot open the additional mailboxes via Outlook 2003 can open the same mailboxes using Outlook 2010? right?
Last edited by sukh; 27th April 2011 at 03:15 PM.
27th April 2011, 03:35 PM #14
1. It is the same user, he has not come back from his meeting and is the chairman of the company so I am loathe to make changes to his account without permission.
2. Both Outlook 2003 setups are fully patched with sp3.
3. if it is the same user for both 2003 setups, OWA and 2010.
27th April 2011, 03:43 PM #15
By MaXiM in forum Windows Server 2008
Last Post: 7th March 2013, 08:12 PM
By Gardinho in forum Windows Server 2008 R2
Last Post: 25th March 2011, 05:20 PM
By jmair in forum Windows Server 2008 R2
Last Post: 22nd March 2011, 05:15 PM
By leco in forum Windows Server 2008 R2
Last Post: 11th May 2010, 05:47 PM
By RabbieBurns in forum Windows Server 2008 R2
Last Post: 24th November 2009, 09:09 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)