Tuesday, February 24, 2009

User Can't Open Another User's Mailbox, "The name cannot be resolved."

So user1 is trying to open user2's mailbox in a pure Exchange 2007 environment, all patched, SP1, etc. User2's mailbox says that user1 has Full Access.

So the exact error from Outlook was "The name cannot be resolved. The name cannot be matched to a name in the address list." I assumed this was an Outlook issue, deleted profiles, etc. Nothing I did seemed to help; this was where I got frustrated and needed a new direction.

For troubleshooting I opened OWA logged in as user1 and tried to open user2's mailbox; it said that it could not be found. I could open that mailbox logged in as myself through OWA and Outlook, and so could my two test user accounts. Very weird: user2's mailbox is a legacy account from Exchange 2000/2003, but it doesn't make sense. After quite a bit of troubleshooting, moving the mailbox to other information stores, even detaching the mailbox and creating a new mailbox, no luck. I went into ADSI Edit and checked all the properties; it was NOT hidden from the GAL.

Finally, I just deleted user2's AD user account and mailbox, created a new Windows user2, reattached the original mailbox to that user, and after about 20 minutes of sync time it worked and user1 was able to see user2's mailbox again.

So the issue was with user2's AD account, not the mailbox. Hopefully if it happens again I can nail it down a little more.

Thursday, February 12, 2009

Removing Legacy Permissions from Pure Exchange 2007 Environment

First let me explain the context of the issue. We had an Exchange admin who over the years upgraded our Exchange from 5.5 to 2000 to 2003. This person also occasionally had to grant himself permissions to a mailbox in order to check on this or that and assist with issues, normal Exchange admin stuff. This person decided to move on to another role inside the company, and should no longer be an Exchange admin. These permissions were removed successfully, and we then upgraded fully to Exchange 2007.
Later, doing a full audit of mailbox permissions, we noticed that this person still had "manually assigned mailbox rights" to about 50 users' mailboxes. A simple PowerShell Remove-MailboxPermission command and boom, MOST of them were gone.
However, some of them gave us a disturbing error:
Remove-MailboxPermission : Cannot remove ACE on object "CN=Mailbox.Name,OU=Resources,OU=Exchange,OU=Accounts,DC=Domain,DC=local" for account "Domain\old.admin" because it is not present.
At line:1 char:25
After a VERY LONG call to Microsoft just to confirm we had an issue and I'm not a moron, they were completely out of ideas. I tried some VBScripts to "output" our permissions. One from this blog http://gsexdev.blogspot.com/2005/04/reverse-msexchmailboxsecuritydescripto.html was useful, but didn't quite get me there. Also, by modifying Greg's script, I was able to remove permissions from msExchMailboxSecurityDescriptor (with this help http://msdn.microsoft.com/en-us/library/aa705958(VS.85).aspx), but unfortunately this permission still existed inside of PowerShell and in reality. ADSI Edit had nothing that could help me; there simply wasn't a permission anywhere that you could modify. Microsoft suggested I add the permission back to the user, but I got the error that the permission was already there. They also suggested I give the old IT user Domain Admin permissions; shockingly, that did nothing. They also said I should detach both the old IT admin's mailbox and one of the mailboxes with the permissions; this also did nothing, once they were re-attached the permissions were still there.

Ultimately, I tried the easiest thing in the world, which of course worked. I got on my old XP desktop with the Exchange 2003 admin tools installed. This worked like a champ: I went into the properties of the users who needed to be modified, went to "Exchange Advanced" then "Mailbox Rights" and removed the old IT admin from the permissions.

I personally consider this a bug with the Exchange 2007 admin tools/PowerShell, but we'll see how Microsoft sees it.

Friday, February 6, 2009

Exchange 2007 Scripted Removal of Send-As AD Rights

If you want to globally kill a certain user's Send-As rights:

Get-Mailbox | Remove-ADPermission -User S-1-5-21-2713965889-454821854-3254304360-14624 -ExtendedRights Send-As

Thursday, February 5, 2009

Adding NT AUTHORITY\SELF back for permissions to your mailboxes

Some of you who have upgraded Exchange for years like myself may notice that in Exchange 2007 users don't get rights to their own mailboxes directly; they use "NT AUTHORITY\SELF" to gain access.

Some older users were granted rights directly to their own mailboxes. Before you remove those (and lock them out of their email), run this PowerShell command to grant that SELF account access again:

Get-Mailbox | Add-MailboxPermission -User "NT AUTHORITY\SELF" -AccessRights FullAccess
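As an added example (not from the original post), here is a PowerShell 1.0-compatible script for the Exchange 2007 Management Shell that reports which mailboxes lack an explicit NT AUTHORITY\SELF FullAccess entry, flags owners who still hold direct rights on their own mailbox, and only adds the SELF entry where it is missing. The function name and the -Apply switch are assumptions, not Exchange cmdlets.

```powershell
# Added example: audit NT AUTHORITY\SELF access before cleaning up per-user mailbox rights.
# Written for the Exchange 2007 Management Shell (PowerShell 1.0: no try/catch, no -join).
# Function name and the -Apply switch are assumptions, not Exchange cmdlets.
function Repair-SelfMailboxAccess {
    param([switch]$Apply)   # without -Apply nothing is changed; a report is returned

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx   = $_
        $perms = Get-MailboxPermission -Identity $mbx.Identity

        # Explicit, non-denied FullAccess held by SELF is what Exchange 2007 expects.
        $self = $perms | Where-Object {
            $_.User.ToString() -eq "NT AUTHORITY\SELF" -and -not $_.Deny -and
            (($_.AccessRights | ForEach-Object { $_.ToString() }) -contains "FullAccess")
        }

        # Legacy pattern from older upgrades: the owner account listed directly on its own mailbox.
        $ownerDirect = $perms | Where-Object {
            -not $_.IsInherited -and $_.User.ToString() -like ("*\" + $mbx.SamAccountName)
        }

        $row = "" | Select-Object Mailbox, SelfFullAccess, OwnerDirectEntry, Action
        $row.Mailbox          = $mbx.Name
        $row.SelfFullAccess   = [bool]$self
        $row.OwnerDirectEntry = [bool]$ownerDirect
        $row.Action           = "none"

        if (-not $self) {
            if ($Apply) {
                # Grant SELF before anyone removes the owner's direct entry, or the owner is locked out.
                Add-MailboxPermission -Identity $mbx.Identity -User "NT AUTHORITY\SELF" -AccessRights FullAccess | Out-Null
                $row.Action = "added SELF FullAccess"
            } else {
                $row.Action = "would add SELF FullAccess (run with -Apply)"
            }
        }
        $row
    }
}

# Report only; add -Apply to fix the mailboxes that need it.
Repair-SelfMailboxAccess | Where-Object { $_.Action -ne "none" -or $_.OwnerDirectEntry } | Format-Table -AutoSize
```

Mailboxes with OwnerDirectEntry set to True are the "older users" described above; make sure SelfFullAccess is True for them before their direct entry is removed.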

Now that you've found out that someone needs their permissions cleaned out of other mailboxes:

Mass Permission Removal

See what rights a user has to all mailboxes (save the output to a file for later reference):

Get-MailboxPermission * -User domain\user.name | Format-List > File.txt

Get-Mailbox | Remove-MailboxPermission -User domain\user.name -AccessRights DeleteItem

If you just want to remove someone's rights to everything, or a broken SID's rights:

Get-Mailbox | Remove-MailboxPermission -User domain\user.name -AccessRights DeleteItem, SendAs, FullAccess, ReadPermission, ExternalAccount, ChangePermission, ChangeOwner

Here is the fun part: if you are doing a large group of mailboxes, you MUST finish the wizard. It queues everything up, so if you answer Y, Y, Y and then press Ctrl-C, NOTHING will happen, but if you finish the wizard, the job completes.
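The mass removal described above, together with the orphaned "is not present" ACEs from the February 12 post, as an added example rather than the posts' own commands: a PowerShell 1.0-compatible function that snapshots the user's rights to a file first, removes explicit mailbox rights and Send-As with confirmation suppressed (so a Ctrl-C in the middle of the prompts cannot leave the queue unrun), and returns the mailboxes where removal failed so they can be handled manually. The function name, the -Apply switch and the default log path are assumptions.

```powershell
# Added example: scripted mass removal of one user's rights with a pre-removal snapshot.
# Exchange 2007 Management Shell / PowerShell 1.0 syntax (no try/catch, so $? and $Error are used).
# Function name, -Apply switch and the default log path are assumptions, not Exchange cmdlets.
function Remove-UserMailboxRights {
    param([string]$User, [string]$LogPath = "C:\Temp\perm-removal.txt", [switch]$Apply)

    # 1. Snapshot what the user holds today; this is the "for later reference" file.
    Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User $User |
        Format-List | Out-File -FilePath $LogPath -Append

    $failed = @()
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_

        # 2. Explicit mailbox-store rights (FullAccess, DeleteItem, ...). Inherited entries are skipped.
        Get-MailboxPermission -Identity $mbx.Identity -User $User |
            Where-Object { -not $_.IsInherited } | ForEach-Object {
                $Error.Clear()
                # -Confirm:$false avoids the queued Y/Y/Y prompts; -WhatIf previews until -Apply is given.
                Remove-MailboxPermission -Identity $mbx.Identity -User $User -AccessRights $_.AccessRights -Confirm:$false -WhatIf:(-not $Apply) -ErrorAction SilentlyContinue
                if (-not $?) {
                    # Orphaned ACE: Exchange lists it but reports it "is not present" when asked to remove it.
                    $failed += ($mbx.Name + ": " + $Error[0].Exception.Message)
                }
            }

        # 3. Send-As is an extended right on the AD object, not a mailbox-store right.
        $sendAs = Get-ADPermission -Identity $mbx.DistinguishedName -User $User |
            Where-Object { -not $_.IsInherited -and ("$($_.ExtendedRights)" -match "Send-As") }
        if ($sendAs) {
            $Error.Clear()
            Remove-ADPermission -Identity $mbx.DistinguishedName -User $User -ExtendedRights Send-As -Confirm:$false -WhatIf:(-not $Apply) -ErrorAction SilentlyContinue
            if (-not $?) { $failed += ($mbx.Name + " (Send-As): " + $Error[0].Exception.Message) }
        }
    }

    # Mailboxes listed here still need manual cleanup (the post used the Exchange 2003 tools for these).
    $failed
}

# Preview first, then run with -Apply once the -WhatIf output looks right.
Remove-UserMailboxRights -User "domain\user.name"
Remove-UserMailboxRights -User "domain\user.name" -Apply
```

The returned failure list is only meaningful on the -Apply run, because -WhatIf never attempts the removal and so never hits the "not present" error.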


Find out what permissions a user has to Exchange 2007 Mailboxes

Sometimes you just need to know what user "X" has rights to in your Exchange mailboxes.

This shows where a user has been explicitly assigned rights, minus their own mailbox; it shouldn't show their own mailbox anyway, because that access should come from NT AUTHORITY\SELF.

Using PowerShell:

Get-Mailbox | Get-ADPermission | Where-Object { $_.User -like "*Brian*" } | Format-Table -Wrap

Now, for some reason this only returns "Send As" permissions (I guess those are the ones stored in AD). If you want the others, you have to use Get-MailboxPermission:

Get-MailboxPermission * -User domain\user.name | Format-List
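Combining the two cmdlets into one report, as an added example rather than the post's own commands: a PowerShell 1.0-compatible function that lists a user's explicit rights from both the mailbox store and the AD object (where Send-As lives), skips inherited entries and the user's own mailbox, and tags each row with its source. The function name is an assumption.

```powershell
# Added example: one report for a user's explicit rights across mailbox-store ACLs and AD ACLs.
# Exchange 2007 Management Shell / PowerShell 1.0 syntax. Function name is an assumption.
function Get-UserMailboxRightsReport {
    param([string]$User)   # DOMAIN\sam.name, or a raw SID for an orphaned principal

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # The user's own mailbox is skipped: in Exchange 2007 that access should come via NT AUTHORITY\SELF.
        if ($User -like ("*\" + $mbx.SamAccountName)) { return }

        # Mailbox-store rights (FullAccess, DeleteItem, ReadPermission, ...)
        Get-MailboxPermission -Identity $mbx.Identity -User $User |
            Where-Object { -not $_.IsInherited } | ForEach-Object {
                $row = "" | Select-Object Mailbox, Source, Rights, Deny
                $row.Mailbox = $mbx.Name
                $row.Source  = "MailboxStore"
                $row.Rights  = [string]::Join(", ", [string[]]($_.AccessRights | ForEach-Object { $_.ToString() }))
                $row.Deny    = $_.Deny
                $row
            }

        # AD object rights: Send-As shows up here as an extended right on the user object.
        Get-ADPermission -Identity $mbx.DistinguishedName -User $User |
            Where-Object { -not $_.IsInherited -and $_.ExtendedRights } | ForEach-Object {
                $row = "" | Select-Object Mailbox, Source, Rights, Deny
                $row.Mailbox = $mbx.Name
                $row.Source  = "ADObject"
                $row.Rights  = [string]::Join(", ", [string[]]($_.ExtendedRights | ForEach-Object { $_.ToString() }))
                $row.Deny    = $_.Deny
                $row
            }
    }
}

Get-UserMailboxRightsReport -User "domain\user.name" | Format-Table -Wrap -AutoSize
```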

Thanks to these articles for setting me in the right direction.