Re: Error "The information store could not be opened." when openin

From my practice, MAPI do not return FAIL, when you log on to Exchange
Server without missing rights. So, for the user A, who do not have
appropriates rights to mailbox B owned from user B, the process can execute
successfully the Session.Logon, but when some Open function is called, its
FAIL..

What I do:

I call LogonUser or similar function

I call explicitly ImpersonateLoggedOnUser

I call explicitly Load user Hive

I call explicitly call CoInitialize

I call Session.Logon

I do what I need

Then

I call in reverse order the above corresponding functions:



Maybe I do some mistakes, but for the past 12-15 years, this work for me :)



"Ard" <Ard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:29775BE5-7EE0-4DF3-8131-5D2881FB8A49@xxxxxxxxxxxxxxxx
However, the process is running as that user, so if I'm not mistaken its
not
actually impersonating.

I did grant additional permissions to %windir% as suggested in one of the
related articles, but this did not solve the problem.
IMO this makes sense because creation of the profile does not seem to be
the
problem. (I guess this is created when "logon" is called.) The problem
occurs
when opening the inbox. And I can't figure out what permissions are needed
to
open a inbox by using the script.

Regards,
Ard


"info_at_imibo_dot_com" wrote:

Are the schedule script runs under the same account as "accountname"
(from
your script) ?

Excellent article about permissions and impersonation you can find at :

http://blogs.msdn.com/stephen_griffin/archive/2005/04/13/mapi-and-impersonation.aspx

There maybe you can find answer way your scripts do not work.






"Ard" <Ard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:353D07EA-7818-47B0-9C3D-67290813E5D1@xxxxxxxxxxxxxxxx
That was also my best guess: a permission issue.
But I just can't figure out permissions on what

Any ideas?

Regards,
Ard

"info_at_imibo_dot_com" wrote:

User Rights and impersonation. Logged on user, i.e. interactive user
maybe
not hold rights to open inbox folder. Also if nobody is logged on, you
do
not have interactive user. Schedule script should be run under some
account.
Check permissions and rights.





"Ard" <Ard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AEEB1F55-7023-4DE8-912C-0AA16A480D83@xxxxxxxxxxxxxxxx
The errors occur in both situations:
- when I run the script when logged on to the sever under the
account
- when the script is run from the scheduled task when a different
user
is
logged on

What are the differences between both scenarios?

Regards,
Ard

"info_at_imibo_dot_com" wrote:

Are the error appearing and when somebody is logged on the
workstation,
specially owner of "accountname"?

As I read, this is schedule process, and I assume that you trying
to
run
it
when nobody is logged on workstation? Is it true?



"Ard" <Ard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:16390E89-55E8-4F5E-8ECA-6E7467F67574@xxxxxxxxxxxxxxxx
No

(BTW: thanks for your time and effort!)

Regards,
Ard

"Dmitry Streblechenko" wrote:

Do you have Exchange Server on the same machine?

Dmitry Streblechenko (MVP)
http://www.dimastr.com/
OutlookSpy - Outlook, CDO
and MAPI Developer Tool

"Ard" <Ard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:04D0DA80-9435-4FDD-AEB4-72DE9FC811EF@xxxxxxxxxxxxxxxx
Yes I can. with exactly the exchangeserver and accountname
that I
use
in
the
logon line.

Regards,
Ard van Kessel


"Dmitry Streblechenko" wrote:

While still logged in as that mailblox owner, can you create
a
profile
that
poinst to that mailbox and use it from Outlook?

Dmitry Streblechenko (MVP)
http://www.dimastr.com/
OutlookSpy - Outlook, CDO
and MAPI Developer Tool

"Ard" <Ard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CEF6EF77-505B-461D-9E25-B5800420AFBC@xxxxxxxxxxxxxxxx
That's an interesting test.

When I log on to the server with the domain account (the
same
account
that's
used in the objsession.Logon line) and run the code
directly
it
results
in
the same error, so no it does not work. Not even when I add
the
domain
account to the local administrators group.

Regards,
Ard van Kessel

"Dmitry Streblechenko" wrote:

Does your code run Ok when running under the same user
identity
as
the
one
specified in the call to objSession.Logon?

Dmitry Streblechenko (MVP)
http://www.dimastr.com/
OutlookSpy - Outlook, CDO
and MAPI Developer Tool

"Ard" <Ard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:900D481F-C400-4816-9306-EA4403EA7045@xxxxxxxxxxxxxxxx
I have this code in a vbs file on my win2003 server with
outlook
2003
installed:

Dim objSession 'As Object
Set objSession = CreateObject ("MAPI.Session")
objSession.Logon "", "", False, True, 0, True,
"exchangeserver" &
vbLf
&
"accountname"
Set objInbox = objSession.Inbox
Set objSession = Nothing

This vbs file is called from a scheduled task that runs
as
a
domain
account
that:
- is member of the local users group
- is member of the remote desktop users group
- has log on locally, log on as a batch job and log on
as a
service
permissions
- has read&execute permissions on the vbs file

To check permissions I logged on to the server with the
domain
account
using
remote desktop and started the vbs file: no problem. I
also
opened
outlook:
no problem sending / receiving mail.

However when the scheduled task runs, an error is thrown
on the line "Set objInbox = objSession.Inbox".

The error is: "The information store could not be
opened.
[MAPI
1.0 -
[MAPI_E_LOGON_FAILED(80040111)]]"

This happens unless:
- the account has a remote desktop session to the server
or
- the domain account is added to the local
administrators
groups
For obvious reasons, these two "solutions" are not very
helpful.

Can anyone help me to make this code work properly?
Am I missing any required permissions or settings?





















.

Relevant Pages

  • Re: Prevent changes to Administrator password
    ... What I am trying to do is give Taz1972 some options to minimize the risk or make it harder for a lower-level DA to reset the password for the EA account. ... Restricted Admins group to mitigate against what you propose Deji. ... also need to make sure the DAs in question cannot elevate their rights to EA, ... > By adding the Deny Write Permissions ACE, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Prevent changes to Administrator password
    ... What I am trying to do is give Taz1972 some options to minimize the risk or make it harder for a lower-level DA to reset the password for the EA account. ... * This posting is provided "AS IS" with no warranties and confers no rights! ... > By adding the Deny Write Permissions ACE, ... > permission to modify the ACL on AdminSDHolder. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Prevent changes to Administrator password
    ... * This posting is provided "AS IS" with no warranties and confers no rights! ... his/her account from the Restricted Admin group and clears the flag? ... > By adding the Deny Write Permissions ACE, ... > permission to modify the ACL on AdminSDHolder. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Error "The information store could not be opened." when openin
    ... But I just can't figure out permissions on what ... Schedule script should be run under some account. ... "Dmitry Streblechenko" wrote: ... OutlookSpy - Outlook, CDO ...
    (microsoft.public.win32.programmer.messaging)
  • Re: AD User Objects & Permission Inheritance
    ... I went ahead and granted the Account Operators built in group rights on the adminSDholder object according to what I want the OU admins to have. ... I went ahead and enabled inheritance on the> adminSDholder object to verify that this indeed was the cause and 60> minutes ... > later all user objects began to inherit permissions again. ...
    (microsoft.public.win2000.active_directory)