Exchange 2007 Permissions

One of my clients has an Exchange 2007 box, at present domain admins are denied access to all the mailboxes. We know how to give ourselves full access but I'm a little confused by something.

A get-mailboxpermission on one of the users shows that domain admins are both denied and allowed FullAccess on separate lines. I can't open their mailbox which is as expected.

I created a test storage group with a test mailbox database. I moved one of the mailboxes over to it then ran the following command:

Get-MailboxDatabase -StorageGroup "test storage group" | Add-ADPermission -User "Domain Admins" -ExtendedRights Send-As, Receive-As -InheritanceType All -V

When doing a get-mailboxpermission on the mailbox which has been moved there is now a new line for domain admins at the top with FullAccess and allowed. I can open this mailbox as a domain admin. What is confusing matters is that the original 2 domain admin lines are still in there a little further down the list with one of them showing a deny. How can I get access when there is a deny on it? I was under the impression that any form of deny takes precedence at all times.

As an extra to complicate matters more, some users are also Blackberry users, the Blackberry service account is showing as allowed with FullAccess on their mailboxes. The Blackberry service account is a member of the domain admins group though, it shouldn't work as the deny on domain admins should override this but everyone's Blackberry works fine.

Anyone care to shed some light on this?
 
Some permissions take precedence over others. Typically, the Deny permission overrides the Allow permission. However, inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

From http://support.microsoft.com/kb/292509

BTW, the BES Admin account should NOT be in the domain admins group (if whoever installed it followed the instructions)
 
Ah k thanks for that link, kind of works the opposite of how I'm used to. Makes sense of the issue though.

Aye I know about the BES admin account not supposed to be in domain admins but it appears to be working so we didn't bother changing it.
 
Just another quick question, if a deny is inherited from server level and then FullAccess is inherited from the mailbox database level is it the rights nearest to the actual mailbox which take precedence?
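The precedence behaviour discussed in this thread (explicit Allow beating an inherited Deny, and ACEs inherited from a nearer object being evaluated before those from a more distant one) is a consequence of Windows' canonical DACL ordering and the first-match access check. The following is an added illustration, not code from the thread or from Exchange: it models a mailbox DACL with constructed trustee names, a constructed group membership in which BESAdmin is in Domain Admins, and a simplified two-right FullAccess, then runs the access check against the three situations the posts describe.

```python
# Simplified model of the Windows DACL access check for the mailbox scenario.
# Added example with constructed names; not the thread's or Exchange's code.
from dataclasses import dataclass

FULL_ACCESS = {"Send-As", "Receive-As"}   # simplified stand-in for FullAccess


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the ACE applies to
    allow: bool         # True = Allow ACE, False = Deny ACE
    rights: frozenset   # rights covered by this ACE
    depth: int          # 0 = explicit on mailbox, 1 = from database, 2 = from server


# Constructed membership: the thread says the BES account sits in Domain Admins.
GROUPS = {"Domain Admins": {"alice", "BESAdmin"}}


def trustees_for(principal):
    """A principal matches its own ACEs and those of every group it is in."""
    return {principal} | {g for g, m in GROUPS.items() if principal in m}


def canonical_order(acl):
    """Canonical order: explicit ACEs first, then inherited ACEs from the nearest
    parent outward; within each level Deny ACEs precede Allow ACEs."""
    return sorted(acl, key=lambda a: (a.depth, a.allow))


def access_check(acl, principal, requested):
    """Walk the ordered DACL: a Deny on any still-outstanding right ends the check;
    Allows accumulate until every requested right is granted."""
    ids = trustees_for(principal)
    remaining = set(requested)
    for ace in canonical_order(acl):
        if ace.trustee not in ids or not (ace.rights & remaining):
            continue
        if not ace.allow:
            return False        # Deny reached before the right was granted
        remaining -= ace.rights
        if not remaining:
            return True
    return False                # nothing granted everything: implicit deny


# Before Add-ADPermission: only the server-level Deny/Allow pair exists.
SERVER_ONLY = [Ace("Domain Admins", False, frozenset(FULL_ACCESS), 2),
               Ace("Domain Admins", True, frozenset(FULL_ACCESS), 2)]
# After it: an Allow inherited from the database (depth 1) is ordered ahead of
# the server-level Deny (depth 2), so Domain Admins now pass the check.
WITH_DB_ALLOW = SERVER_ONLY + [Ace("Domain Admins", True, frozenset(FULL_ACCESS), 1)]
# The BES account holds an explicit Allow directly on the mailbox (depth 0).
WITH_BES = SERVER_ONLY + [Ace("BESAdmin", True, frozenset(FULL_ACCESS), 0)]
```

Running `access_check` over the three ACLs reproduces the thread: the server-only ACL denies a domain admin, the database-level Allow grants access despite the untouched server Deny, and the explicit Allow for BESAdmin works even though that account inherits the Domain Admins Deny.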
 