One of my clients has an Exchange 2007 box; at present Domain Admins are denied access to all the mailboxes. We know how to give ourselves full access, but I'm a little confused by something.
A Get-MailboxPermission on one of the users shows that Domain Admins are both denied and allowed FullAccess on separate lines. I can't open their mailbox, which is as expected.
I created a test storage group with a test mailbox database. I moved one of the mailboxes over to it then ran the following command:
Get-MailboxDatabase -StorageGroup "test storage group" | Add-ADPermission -User "Domain Admins" -ExtendedRights Send-As, Receive-As -InheritanceType All -V
When doing a Get-MailboxPermission on the mailbox which has been moved, there is now a new line for Domain Admins at the top with FullAccess and allowed. I can open this mailbox as a domain admin. What is confusing matters is that the original 2 Domain Admins lines are still in there a little further down the list, with one of them showing a deny. How can I get access when there is a deny on it? I was under the impression that any form of deny takes precedence at all times.
As an extra to complicate matters more, some users are also BlackBerry users; the BlackBerry service account is showing as allowed with FullAccess on their mailboxes. The BlackBerry service account is a member of the Domain Admins group though; it shouldn't work, as the deny on Domain Admins should override this, but everyone's BlackBerry works fine.
Anyone care to shed some light on this?