Re: Exchange 2003 - Giving a user full rights to read/write all ma



Click the advanced tab when you go to the security tab of the mailbox
store. Then double click your service account that will have rights to
impersonate. Then you will see a new list of ACLs including the "Allow
Impersonation to Personal Exchange Information"




James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com


On Jun 5, 3:08 pm, BradC <Br...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Martin-

I don't think that applies, because I am explicitly granting a new user the
permissions. That KB talks about changes for old/existing users after
applying an update.

James-

That's the problem--it's not there. (When you say database, you mean either
mailbox store or public store, right?) I don't think I can post a screenshot
here, but I'll list the only permissions I have available to me in that
dialog:
Full Control
Read
Write
Execute
Delete
Read permissions
Change permissions
Take ownership
Create children
Delete children
List contents
Add/remove self
Read properties
Write properties
Delete tree
List object
Open mail send queue
Administer information store
Create named properties in the informati...
View information store status
Receive As
Send As

That's it. Actually, it seems to be the exact same list I see in the normal
security tab.

BradC



"Jamestechman" wrote:
The "Allow Impersonation to Personal Exchange Information" ACL is at
the database level. Right-click the database properties; security tab;
advanced; highlight your service account and double-click. You should
see that "Allow Impersonation to Personal Exchange Information".

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

On Jun 5, 11:40 am, BradC <Br...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I'm having some trouble getting some third-party calendar/contact sync
software configured, and while their support team hasn't been much help, I
think I have narrowed it down to an Exchange permissions issue with the user
the sync software is using to talk to Exchange. I need to get a user
configured with the right permissions that will be able to read/write all
Exchange mailboxes from a second server.

Our configuration:
Box 1: Exchange 2003 SP2 (Native Mode) on a Windows 2003 SP2 domain controller
Box 2: Windows 2003 SP2 application server running the sync software, with
ExchangeMapiCDO installed for MAPI connectivity.

Tried using the domain administrator:
I know that using a domain administrator is a problem because the Domain
Admins group (and the Enterprise Admins group) are explicitly denied
permissions on all mailboxes except his own. (Can see this under the
permissions for the Mailbox Store in System Manager). This seems to be
confirmed by what I see when I try to set up a new link in the sync
software--I can see the names of all the mailboxes, but I can only expand the
"administrator" mailbox to see the subfolders.

Also tried a new user:
So I tried to add another domain user (with its own mailbox), and grant it
full permissions on the Mailbox Store according to the install guide for the
third-party software, but that didn't seem to work either. In this case, I
couldn't even do a preliminary connection to the Exchange Server. (error
message was "IMsgServiceAdmin::ConfigureMsgService failed: WSAECONNRESET", if
that means anything to anybody).

So here are my questions:

1. I COULD just try to remove the explicit "Deny" permission for the Domain
Admins and Enterprise Admins, and use my domain administrator account. This
would involve unchecking the little "allow inheritable permissions" box on
the mailbox store, and then altering the permissions on these groups. Is this
a bad idea? Would this have other nasty side-effects or open security
vulnerabilities? Would this be the easiest way to get this working? If I
uncheck this "allow inheritable permissions" to test it, could I re-check it
again later to return it to its original state?

2. As I mentioned above, I tried creating another user (not a domain admin),
and directly assigning the appropriate Exchange rights, but that didn't seem
to work. Started by assigning only the Mailbox Store permissions listed in the
documentation, later tried full permissions to the Mailbox Store, and then
even applied full permissions to the Exchange Server properties in System
Manager. The support team for the third-party software talked about making
sure this user has "local administrative rights" on the Exchange server, but
because Exchange is on a domain controller, it doesn't have those options.
And, of course, if I put this user in the Domain Admins group, I'm in the
same situation as #1 above! Any way to resolve this dilemma? What permissions
would this new user need to do what it needs to do?

3. The sparse third-party documentation gives a list of permissions to
assign to the user in the Mailbox Store, including (among many others)
SendAs, ReceiveAs, Read, Write, and "Allow Impersonation to Personal Exchange
Information". But this last one (Allow Impersonation) doesn't appear in the
permission list on my server!? Is there something weirdly mis-configured? Is
this a consequence of Exchange being on a domain controller? Is there some
global server setting that needs to be set for this to be available? Does it
matter? Would assigning "Full Control" cover this anyway?

Sorry for the length, but wanted you to know what I'd already tried. Any
ideas would be of great help. Thanks!!

BradC
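Before following BradC's option #1 (unchecking "allow inheritable permissions" on the Mailbox Store and editing the Deny entries for Domain Admins/Enterprise Admins), it helps to see exactly which ACEs are on the store object, which are explicit versus inherited, and which are Deny entries. The script below is an added example and is not part of the thread or of any Microsoft or third-party tool; it reads the store object's security descriptor from the Active Directory configuration partition through the .NET DirectoryEntry/ActiveDirectorySecurity classes and changes nothing. It assumes PowerShell on a machine with LDAP access to a domain controller and an account allowed to read the configuration partition; the distinguished name is a placeholder to be replaced with the real one from ADSI Edit, and the two extended-right GUIDs are the well-known Send-As/Receive-As values from the AD schema.

```powershell
# Added example (not from the thread): read-only audit of the ACL on an
# Exchange 2003 mailbox store object, showing explicit vs. inherited entries
# and Deny entries, so the effect of turning off inheritance can be judged
# before it is done. Nothing is modified.

# PLACEHOLDER DN: copy the real one from ADSI Edit, Configuration partition.
$storeDn = "CN=Mailbox Store (SERVER1),CN=First Storage Group," +
           "CN=InformationStore,CN=SERVER1,CN=Servers," +
           "CN=First Administrative Group,CN=Administrative Groups," +
           "CN=ORGNAME,CN=Microsoft Exchange,CN=Services," +
           "CN=Configuration,DC=example,DC=local"

# Well-known extended-right GUIDs from the AD schema, used only to label
# the two store rights discussed in the thread by name.
$extendedRightNames = @{
    "ab721a54-1e2f-11d0-9819-00aa0040529b" = "Send-As"
    "ab721a56-1e2f-11d0-9819-00aa0040529b" = "Receive-As"
}

$store = [ADSI]("LDAP://" + $storeDn)
$acl   = $store.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

# includeExplicit = $true, includeInherited = $true, resolve SIDs to DOMAIN\Name
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$report = foreach ($rule in $rules) {
    $right = $rule.ActiveDirectoryRights.ToString()
    # ExtendedRight entries carry the right's GUID in ObjectType; translate the
    # two we know, leave any other GUID as-is.
    $guid = $rule.ObjectType.ToString()
    if ($rule.ObjectType -ne [Guid]::Empty -and $extendedRightNames.ContainsKey($guid)) {
        $right = $extendedRightNames[$guid]
    }
    New-Object PSObject -Property @{
        Identity  = $rule.IdentityReference.Value
        Type      = $rule.AccessControlType      # Allow or Deny
        Right     = $right
        Inherited = $rule.IsInherited
    }
}

"=== Deny entries (a Deny wins over any Allow on the same object, Full Control included) ==="
$report | Where-Object { $_.Type -eq "Deny" } |
    Format-Table Identity, Right, Inherited -AutoSize

"=== Explicit (non-inherited) entries: what remains if inheritance is turned off and 'Remove' is chosen ==="
$report | Where-Object { -not $_.Inherited } |
    Format-Table Identity, Type, Right -AutoSize

"=== Inherited entries: these become explicit copies if inheritance is turned off and 'Copy' is chosen ==="
$report | Where-Object { $_.Inherited } |
    Format-Table Identity, Type, Right -AutoSize
```

Run it once before changing anything and keep the output: if the Deny entries for Domain Admins and Enterprise Admins show as inherited, they are being applied from a parent container rather than set on the store itself, which is why the ACL editor will not let them be edited until inheritance is broken. Granting a dedicated, non-admin service account only the explicit rights it needs on the store (as the thread's #2 attempts) leaves those inherited Deny entries, and the protection they give against mailbox access by administrators, intact; re-checking "allow inheritable permissions" later restores the inherited entries, but any explicit copies made when choosing "Copy" stay and must be removed by hand.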


