date: Fri, 23 Feb 2007 11:14:07 -0700   group: microsoft.public.exchange.development


msExchMailboxSecurityDescriptor and inherited rights   
I have a question regarding the msExchMailboxSecurityDescriptor attribute. 
We have an application that is going to take care of enabling single-sign-on 
for an environment.  To do this, the account used by the application needs 
the ability to grant the Full Mailbox Access and Associated External Account 
rights to a mailbox.  Within Exchange System Manager, at the Administrative 
group level, I have granted this account (I'll call it the SSOAccount) a 
variety of permissions, one of which is the 'Change Permissions' right, and 
these rights are inherited throughout the Exchange organization.

To test that the necessary permissions are in place, I've been using the 
SSOAccount to run ADUC and go in and manually assign an account the Ext 
Assoc. Acct and Full Mbox rights.  What I've noticed is that sometimes this 
works fine and sometimes instead I receive an 'Access is Denied' error 
message.


From within ADUC, when you look at an account's Mailbox Permissions, you can 
see that the SSOAccount is inheriting the 'Change Permissions' right on the 
mailbox.  However, when I use adfind.exe (from www.joeware.net) to export 
the actual msExchMailboxSecurityDescriptor then it doesn't reflect that 
SSOAccount has the Change Permissions right.  If I *first* use my own 
account (i.e. Exchange Admin account) to go in and assign SSO rights to a 
mailbox - afterwards when I look at the msExchMailboxSecurityDescriptor it 
*then* reflects that SSOAccount has the Change Permissions right on the 
mailbox and I'm able to from then on perform SSO operations against that 
mailbox with the SSOAccount without problems.  It's as though by touching 
the mailbox with an Admin account, I'm able to cause the propagation of the 
inherited rights to get written to the msExchMailboxSecurityDescriptor.


So it appears that though from an AD perspective the proper rights are 
inherited on the mailbox object, the rights aren't actually propagating down 
to a mailbox until an Exchange Admin account touches them.  How can I force 
the rights to propagate to the Mailbox/Info.Store without having to touch 
every single mailbox with an ExchAdmin account?
date: Fri, 23 Feb 2007 11:14:07 -0700   author: Jared Cheney
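The post above compares what ADUC shows as inherited with what is actually stored in the msExchMailboxSecurityDescriptor attribute. The PowerShell script below is an added example, not code from the thread: it reads that attribute directly from AD for every mailbox-enabled user (the same data adfind exports), decodes the binary security descriptor, and reports, per mailbox, whether a given trustee holds the Change Permissions (WRITE_DAC) bit and whether that ACE is marked inherited. The account name, the search base, and the Exchange-specific mask values for Full Mailbox Access (0x1) and Associated External Account (0x4) are assumptions labelled in the code; WRITE_DAC (0x40000) is the standard Windows value. Deny ACEs are not evaluated, so this is a consistency check, not a full access-check.

```powershell
# Added example (not from the thread): report what msExchMailboxSecurityDescriptor
# in AD actually grants to one trustee, for every mailbox-enabled user.
# Assumes a domain-joined host with read access to the attribute.
param(
    [string]$Account    = 'CONTOSO\SSOAccount',          # placeholder trustee
    [string]$SearchBase = 'LDAP://DC=contoso,DC=com'     # placeholder search base
)

Add-Type -AssemblyName System.DirectoryServices

# Resolve the trustee to a SID so ACEs are matched by identity, not display name.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Access-mask bits. WRITE_DAC is the standard Windows "Change Permissions" right;
# the two Exchange mailbox-right values below are assumed constants for illustration.
$WRITE_DAC     = 0x00040000
$FULL_MAILBOX  = 0x00000001   # assumed: Exchange "Full mailbox access"
$EXTERNAL_ACCT = 0x00000004   # assumed: Exchange "Associated external account"

$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(&(objectCategory=person)(homeMDB=*))'   # mailbox-enabled users
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('msExchMailboxSecurityDescriptor')

foreach ($result in $searcher.FindAll()) {
    $dn  = $result.Properties['distinguishedname'][0]
    $raw = $result.Properties['msexchmailboxsecuritydescriptor']

    if ($raw.Count -eq 0) {
        [pscustomobject]@{ Mailbox = $dn; Status = 'attribute not set' }
        continue
    }

    # The attribute is a self-relative security descriptor in binary form.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$raw[0]), 0)

    $mask      = 0
    $inherited = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Accumulate allow ACEs for the trustee; note whether any came in by inheritance.
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $sid) {
            $mask = $mask -bor $ace.AccessMask
            if (($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0) {
                $inherited = $true
            }
        }
    }

    [pscustomobject]@{
        Mailbox           = $dn
        ChangePermissions = (($mask -band $WRITE_DAC)     -ne 0)
        FullMailboxAccess = (($mask -band $FULL_MAILBOX)  -ne 0)
        ExternalAccount   = (($mask -band $EXTERNAL_ACCT) -ne 0)
        ViaInheritedAce   = $inherited
    }
}
```

Run it as an account that can read the attribute and pipe the output to Format-Table or Export-Csv; mailboxes where ChangePermissions is False for the SSO trustee are the ones that would produce the 'Access is Denied' behaviour described above, and the ViaInheritedAce column shows whether the stored descriptor has received the inherited ACE yet.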

Re: msExchMailboxSecurityDescriptor and inherited rights   
FYI - for anyone who's interested, I found the solution was that the 
additional right of 'Administer Information Store' had to be granted to the 
account in order for things to work correctly.  Here are a couple of sources 
to support it:

http://support.microsoft.com/kb/329236 - applies to Exchange 2000 but I 
think it is relevant to 2003 as well.

http://technet.microsoft.com/en-us/library/bdc119c9-961a-4e78-acf8-97099256f452.aspx. 
This guide is for Exchange 2003, and lists what rights are necessary to 
modify mailbox rights for an object.


"Jared Cheney" <jcheney@noemail.noemail> wrote in message 
news:%233AcpZ3VHHA.996@TK2MSFTNGP02.phx.gbl...
> I have a question regarding the msExchMailboxSecurityDescriptor attribute. 
> We have an application that is going to take care of enabling 
> single-sign-on for an environment.  To do this, the account used by the 
> application needs the ability to grant the Full Mailbox Access and 
> Associated External Account rights to a mailbox.  Within Exchange System 
> Manager, at the Administrative group level, I have granted this account 
> (I'll call it the SSOAccount) a variety of permissions, one of which is the 
> 'Change Permissions' right, and these rights are inherited throughout the 
> Exchange organization.
>
> To test that the necessary permissions are in place, I've been using the 
> SSOAccount to run ADUC and go in and manually assign an account the Ext 
> Assoc. Acct and Full Mbox rights.  What I've noticed is that sometimes 
> this works fine and sometimes instead I receive an 'Access is Denied' 
> error message.
>
> From within ADUC, when you look at an account's Mailbox Permissions, you 
> can see that the SSOAccount is inheriting the 'Change Permissions' right 
> on the mailbox.  However, when I use adfind.exe (from www.joeware.net) to 
> export the actual msExchMailboxSecurityDescriptor then it doesn't 
> reflect that SSOAccount has the Change Permissions right.  If I *first* 
> use my own account (i.e. Exchange Admin account) to go in and assign SSO 
> rights to a mailbox - afterwards when I look at the 
> msExchMailboxSecurityDescriptor it *then* reflects that SSOAccount has the 
> Change Permissions right on the mailbox and I'm able to from then on 
> perform SSO operations against that mailbox with the SSOAccount without 
> problems.  It's as though by touching the mailbox with an Admin account, 
> I'm able to cause the propagation of the inherited rights to get written 
> to the msExchMailboxSecurityDescriptor.
>
> So it appears that though from an AD perspective the proper rights are 
> inherited on the mailbox object, the rights aren't actually propagating 
> down to a mailbox until an Exchange Admin account touches them.  How can I 
> force the rights to propagate to the Mailbox/Info.Store without having to 
> touch every single mailbox with an ExchAdmin account?
date: Tue, 27 Feb 2007 14:38:30 -0700   author: Jared Cheney
