msExchMailboxSecurityDescriptor and inherited rights
I have a question regarding the msExchMailboxSecurityDescriptor attribute.
We have an application that is going to take care of enabling single-sign-on
for an environment. To do this, the account used by the application needs
the ability to grant the Full Mailbox Access and Associated External Account
rights to a mailbox. Within Exchange System Manager, at the Administrative
group level, I have granted this account (I'll call it the SSOAccount) a
variety of permissions, one of which is the 'Change Permissions' right, and
these rights are inherited throughout the Exchange organization.

To test that the necessary permissions are in place, I've been using the
SSOAccount to run ADUC and go in and manually assign an account the Ext
Assoc. Acct and Full Mbox rights. What I've noticed is that sometimes this
works fine and sometimes instead I receive an 'Access is Denied' error
message.


From within ADUC, when you look at an account's Mailbox Permissions, you can
see that the SSOAccount is inheriting the 'Change Permissions' right on the
mailbox. However, when I use adfind.exe (from www.joeware.net) to export
the actual msExchMailboxSecurityDescriptor then it doesn't reflect that
SSOAccount has the Change Permissions right. If I *first* use my own
account (i.e. Exchange Admin account) to go in and assign SSO rights to a
mailbox - afterwards when I look at the msExchMailboxSecurityDescriptor it
*then* reflects that SSOAccount has the Change Permissions right on the
mailbox and I'm able to from then on perform SSO operations against that
mailbox with the SSOAccount without problems. It's as though by touching
the mailbox with an Admin account, I'm able to cause the propagation of the
inherited rights to get written to the msExchMailboxSecurityDescriptor.


So it appears that though from an AD perspective the proper rights are
inherited on the mailbox object, the rights aren't actually propagating down
to a mailbox until an Exchange Admin account touches them. How can I force
the rights to propagate to the Mailbox/Info.Store without having to touch
every single mailbox with an ExchAdmin account?
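To audit which mailboxes actually carry the SSOAccount entry in their stored descriptor (rather than only showing it as inherited in ADUC), here is an added Python example that is not from the original post: it parses a self-relative NT security descriptor blob, as exported from msExchMailboxSecurityDescriptor, and reports whether a given SID's Change Permissions (WRITE_DAC) entry is explicit, inherited or absent. The SID value and the build_sd helper that fabricates a descriptor for the test are constructed for illustration.

```python
# Audit helper for msExchMailboxSecurityDescriptor: parse the self-relative
# security descriptor and see whether a trustee's ACE is really stored in it.
import struct

WRITE_DAC = 0x00040000       # standard "Change Permissions" access right
INHERITED_ACE = 0x10         # AceFlags bit on ACEs copied down from a parent
ACCESS_ALLOWED_ACE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def parse_sid(buf, off):
    """Return (SID string, byte length) for the binary SID at buf[off:]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_dacl(sd):
    """Return [(ace_type, ace_flags, mask, sid)] for every ACE in the DACL."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []                                   # NULL DACL: nothing stored
    _arev, _asbz, _size, count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        mask = struct.unpack_from("<I", sd, off + 4)[0]
        sid, _ = parse_sid(sd, off + 8)             # object ACEs are not expected here
        aces.append((ace_type, ace_flags, mask, sid))
        off += ace_size
    return aces

def check_right(sd, sid, mask=WRITE_DAC):
    """'explicit', 'inherited' or None: how the stored DACL grants `mask` to `sid`."""
    for ace_type, flags, ace_mask, ace_sid in parse_dacl(sd):
        if ace_type == ACCESS_ALLOWED_ACE and ace_sid == sid and ace_mask & mask == mask:
            return "inherited" if flags & INHERITED_ACE else "explicit"
    return None

def build_sd(aces):
    """Constructed test helper: self-relative SD with only a DACL (no owner/group/SACL)."""
    body = b""
    for ace_type, flags, mask, sid in aces:
        parts = sid.split("-")[1:]                  # drop the leading "S"
        rev, auth, subs = int(parts[0]), int(parts[1]), [int(s) for s in parts[2:]]
        sid_bytes = (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
                     + struct.pack("<%dI" % len(subs), *subs))
        body += struct.pack("<BBHI", ace_type, flags, 8 + len(sid_bytes), mask) + sid_bytes
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20) + dacl
```

In practice, feed check_right the raw attribute bytes for each mailbox and the SSOAccount SID; a result of None on a mailbox that ADUC shows as inheriting the right is exactly the stale-descriptor case described above.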