KB317234 CDOEXM rights issue

From: Tim Delaney (TDArea51_at_novell.com)
Date: 04/27/04 

Date: Tue, 27 Apr 2004 09:25:40 -0600

KB317234: XADM: The CDOEXM IMailboxStore::CreateMailbox() or
IMailboxStore::MoveMailbox() Method Fails
(http://support.microsoft.com/default.aspx?scid=kb;en-us;317234).

This article is confusing. I use the method described in the article to
create exchange mailboxes and it works for me.

The article states that "The CreateMailbox() method fails with an access
denied error when the application is not run under the domain/Exchange
Administrator account." But there is no Exchange Administrator account. I
want to create my own account for my back-end service so that I am not
affected by password changes on accounts used for logon by administrators.

Then it says that the problem is "This requires local logon rights for the
Administrator account for which credentials are passed". This I can handle.
Is this in fact the only problem we are trying to solve?

But then it ends up with the work-around: "To work around this problem, run
the code under a context that is a local Administrator on the Exchange 2000
server". Um, just a second ago I needed to be the Exchange Administrator. Do
I need to be local administrator or will a smaller set of rights and
permissions work?

What are the real requirements for making this call successfully? What
rights and permissions are needed? Is it Okay to pass in account credentials
(for instance, using objOpenDSO.OpenDSObject) or do I have to impersonate
the account before the CDOEXM calls? Is it thread-level impersonation or
process-level impersonation? If CDOEXM does its own impersonation, does it
revert to the identity I had when making the call, or RevertToSelf, which
gives me the process identity on return?

I feel as though I have been lead down the guilded path here. Microsoft
requires that I use CDOEXM instead of other methods that work, but then I
find that the API documentation omits critical information such as this that
will make my product fail in the field. I appreciate having a simple
interface for doing this work, but something a little more informative than
"Catastrophic Failure" coming back would be welcome.

Thanks!
Tim Delaney

Relevant Pages

  • Re: Trend Quarantine Manager - Cant resend quarantined emails
    ... You must have an Exchange entry with the display name ... "Administrator" and you are good. ... Quarantine Manager failed to resend the message with id = XX, ... Make sure that the administrator account uses the ...
    (microsoft.public.windows.server.sbs)
  • Re: exchange message tracking center access denied
    ... Even logging in with the administrator account that has "Exchange Full ... However, just to see message tracking, I have no idea what ...
    (microsoft.public.windows.server.sbs)
  • Re: Error during Exchange2000 Server installation!!!
    ... Try to create a new user account and do NOT make this account member of any ... You can then make this account member of the local administrator group on ... both exchange servers, give the user "service account admin" rights on the ... server and delegate full Exchange administrator right on the 2000 ...
    (microsoft.public.exchange2000.setup.installation)
  • RE: Exchange System Manager
    ... Is your account a member of a group that has Exchange Full Administrator rights? ...
    (microsoft.public.exchange.admin)
  • Re: Event 1202 Warnings after Renaming Administrator Acct on SBS2003
    ... policy to rename the account although it is not really necessary or useful. ... Did I check Group Policies for references to the Administrator ... Failed to perform redirection of folder Desktop. ...
    (microsoft.public.windows.server.general)