date: Wed, 18 Jun 2008 11:33:08 -0700,
group: microsoft.public.exchange.admin
RE: OWA doesn't work for some migrated user E2K3 -> E2K7
Hello,
Thank you for your post. My name is Robbin Meng, and it is my pleasure to
work with you on this issue!
Please allow me to confirm that my understandings are correct. As I
understand it, the issue is:
After moving some users' mailboxes from Exchange 2003 server to Exchange
2007 server, some users cannot log on OWA and error is received that says
they do not have permission to access the mailbox from OWA. When you add
"Self" to the Full Access Control list, OWA began to work and even after
you removed the "Self" back, OWA still works. Outlook always works fine for
all users. Since other people do not have "Self" permission, you'd like to
know if this is a solution or not.
If I have misunderstood your concerns please feel free to let me know.
Theoretically speaking, if the replication is complete after you moved the
mailbox server, this issue won't occur. No matter Exchange 2003 mailbox or
Exchange 2007 mailbox, the Self permission is listed in the Full Access
Permission list. If you remove it manually, both OWA and Outlook should not
be able to log on due to lack of log on permission.
However, there is a time difference among the following components:
o The front-end Exchange computers
o The back-end Exchange computers
o The global catalog servers
o The domain controllers
By default, the permitted time difference is five minutes. Authentication
fails if the time difference exceeds five minutes.
Based on the current situation, I suggest we monitor this issue for some
days. At the same time, after moving mailbox, please wait for some time
(more than 5 mins) for Exchange server replication and then log on OWA
again. And be careful to use the Exchange server name instead of the old
Exchange 2003 server name when typing http URL address.
Hope this information helps. I look forward to your reply. Also, if you
have any questions or concerns, please do not hesitate to let me know.
Thank you for your time and cooperation!
Best regards,
Robbin Meng(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
date: Thu, 19 Jun 2008 10:31:35 GMT
author: (Robbin Meng [MSFT])
Re: OWA doesn't work for some migrated user E2K3 -> E2K7
Hi Robbin,
Your understanding is correct but I've found something new as I'll explain
below. The times are in sync between all the servers. Let me explain a
little history on how the "self" permission has been excluded for some
users. Back when we migrated from Exchange 5.5 to Exchange 2003, we
performed an intraorg migration. The accounts on Exchange 5.5 did not have
the self permission and instead had "domain\username" as the account with
full access rights to the mailbox. This carried over to Exchange 2003
during the migration. When "domain\username" attempted to log into his/her
mailbox through OWA and Outlook in Exchange 2003, everything worked fine.
New users that are configured have the "self" permission assigned
automatically.
I'm looking at my mailbox permissions in ADUC and don't have "self" but have
my upn credentials (myusername@domain.org). OWA and Outlook work fine for
me.
Also, when I migrated myself over to Exchange 2007, I never had any issues
with OWA or Outlook. It just worked like it should. I am really baffled at
what could cause this error.
OK, I just found a live one. This is the exact error I'm getting when
attempting to log into OWA as that user:
You do not have permission to open this mailbox. For access or for more
information, contact technical support for your organization.
Looking at the user's mailbox permission yields:
Self - full mailbox rights
users UPN name - no rights (not listed in mailbox permissions)
Other exchange groups - various rights
Exchange backup account - full mailbox rights
I'm going to try to assign another user rights to this user's mailbox to see
if the simple act of assigning a permission to the mailbox makes it start
working in OWA. By the way, the user hasn't complainted and is working in
Outlook fine.
Wow, I'm really getting to know that Powershell command
(add-mailboxpermission). Ok, I added full mailbox rights for another user
(user has nothing to do with the backup account) and OWA started working but
it seems the problem has evolved and I should redefine it. I remember this
user changing his theme to XBOX 360 right after I migrated him so I'm sure
he was able to log in through OWA. It looks like I'm having a problem
logging into their account with the "Exchange backup account" mentioned
above and after making a change to mailbox rights, I can then log into the
user's mailbox with that account. It should be noted that I have already
added the AD-permission at the database level to give "receive-as" rights to
the "Exchange backup account" and that I can log into any user's account on
that database using Outlook but I get the error I mentioned above when
logging into their account via OWA after a migration. This user has been
migrated for more than a week so I'm sure A/D replication has taken place.
Redefined issue: Can't log into user's account via OWA using an account
that has full mailbox access rights (prior to the migration) after migrating
them from Exchange 2003 to Exchange 2007. After making any addition to the
user's mailbox rights, the account again has access to log in through OWA.
"receive-as" permissions have already been assigned to this account via
PowerShell at the database level.
This is much information. I hope you can help me.
Thank you in advance.
""Robbin Meng [MSFT]"" wrote in message
news:g%23gwoef0IHA.5796@TK2MSFTNGHUB02.phx.gbl...
>
> Hello,
>
> Thank you for your post. My name is Robbin Meng, and it is my pleasure to
> work with you on this issue!
>
> Please allow me to confirm that my understandings are correct. As I
> understand it, the issue is:
>
> After moving some users' mailboxes from Exchange 2003 server to Exchange
> 2007 server, some users cannot log on OWA and error is received that says
> they do not have permission to access the mailbox from OWA. When you add
> "Self" to the Full Access Control list, OWA began to work and even after
> you removed the "Self" back, OWA still works. Outlook always works fine for
> all users. Since other people do not have "Self" permission, you'd like to
> know if this is a solution or not.
>
> If I have misunderstood your concerns please feel free to let me know.
>
> Theoretically speaking, if the replication is complete after you moved the
> mailbox server, this issue won't occur. No matter Exchange 2003 mailbox or
> Exchange 2007 mailbox, the Self permission is listed in the Full Access
> Permission list. If you remove it manually, both OWA and Outlook should not
> be able to log on due to lack of log on permission.
>
> However, there is a time difference among the following components:
>
> o The front-end Exchange computers
> o The back-end Exchange computers
> o The global catalog servers
> o The domain controllers
>
> By default, the permitted time difference is five minutes. Authentication
> fails if the time difference exceeds five minutes.
>
> Based on the current situation, I suggest we monitor this issue for some
> days. At the same time, after moving mailbox, please wait for some time
> (more than 5 mins) for Exchange server replication and then log on OWA
> again. And be careful to use the Exchange server name instead of the old
> Exchange 2003 server name when typing http URL address.
>
>
> Hope this information helps. I look forward to your reply. Also, if you
> have any questions or concerns, please do not hesitate to let me know.
>
> Thank you for your time and cooperation!
>
>
> Best regards,
> Robbin Meng(MSFT)
>
> Microsoft CSS Online Newsgroup Support
> Get Secure! - www.microsoft.com/security
>
date: Thu, 19 Jun 2008 13:31:05 -0700
author: am
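
The thread compares mailboxes that carry "Self" with ones that only list an explicit account, and mentions Receive-As granted at the database level. The following is an added example, not part of the original posts: an Exchange Management Shell audit (PowerShell 1.0 syntax, as shipped with Exchange 2007) that reports both for every mailbox on one database. The database identity in $Database is a placeholder, not a value from the thread.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007 server.
# $Database is a placeholder; substitute the database holding the migrated mailboxes.
$Database = 'EX2007\First Storage Group\Mailbox Database'
$SelfSid  = 'NT AUTHORITY\SELF'

# 1. Per mailbox: is SELF granted FullAccess, and which explicit
#    (non-inherited) principals also hold FullAccess?
Get-Mailbox -Database $Database -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Allow entries that include FullAccess; Deny entries are skipped.
    $full = @(Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.Deny -and ($_.AccessRights -like '*FullAccess*') })

    $self = @($full | Where-Object { $_.User.ToString() -eq $SelfSid })

    # Entries set directly on the mailbox, such as a delegate or backup account.
    $explicit = @($full | Where-Object {
        -not $_.IsInherited -and $_.User.ToString() -ne $SelfSid
    } | ForEach-Object { $_.User.ToString() })

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Mailbox            $mbx.Name
    $row | Add-Member NoteProperty SelfFullAccess     ($self.Count -gt 0)
    $row | Add-Member NoteProperty ExplicitFullAccess ([string]::Join('; ', $explicit))
    $row
} | Sort-Object SelfFullAccess, Mailbox | Format-Table -AutoSize

# 2. Database level: every principal holding the Receive-As extended right,
#    which gives access to all mailboxes on that database.
Get-MailboxDatabase -Identity $Database | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'Receive-As' } |
    Format-Table User, Deny, IsInherited -AutoSize
```

Mailboxes with SelfFullAccess False sort first, and any account in the second table that is not an expected service or backup account is worth reviewing, since Receive-As there covers every mailbox on the database.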