Showing posts with label Exchange 2003. Show all posts

Monday, November 3, 2014

Permissions lost after moving mailbox from Exchange 2003 to Exchange Online in hybrid environment

Consider the following scenario:
  • Your on-premises Exchange organization includes mailboxes that are hosted in Exchange 2003;
  • Your on-premises Exchange organization is set up for a hybrid deployment together with Exchange Online;
  • You move users or shared mailboxes from on-premises Exchange to Exchange Online.
 
After you move these mailboxes, you notice that the original mailbox permissions are not retained.

You might also notice that when you run the Add-MailboxPermission cmdlet in Exchange Online, you receive an error stating:
The ACL for the object "CN=user,CN=Users,DC=letsexchange,DC=com" is not in canonical order (Deny/Allow/Inherited) and will be ignored.

This happens because Exchange 2003 stores mailbox rights in a mailbox security descriptor whose DACL is frequently not in canonical order (explicit Deny ACEs first, then explicit Allow ACEs, then inherited ACEs). Exchange Online enforces canonical order, so when an Exchange 2003 mailbox is moved there the non-canonical descriptor is ignored and the original permissions are lost.

To resolve this issue, run the FixMailboxSD command-line tool against the affected mailboxes before moving them, so that the security descriptors on the on-premises Exchange 2003 servers are corrected first.

This is a small utility to fix mailbox security descriptors in Microsoft Exchange that have become non-canonical. It must be run on a machine with Exchange System Manager, as it relies on the interfaces exposed by CDOEXM, but it will work against mailboxes on 2003 or 2007 (not 2010 or 2013).

The tool uses CDOEXM from C# to read the MailboxRights object from the IExchangeMailbox interface. It then iterates through the DACL and puts all the ACEs in canonical order, and saves the changes.

The syntax of the tool is very straightforward:
FixMailboxSD "DN of mailbox"

For example:
FixMailboxSD "CN=nuno,CN=Users,DC=letsexchange,DC=com"

The tool will display a summary view of the current DiscretionaryAcl, and then show a summary view of the DACL after it has reordered it. It will then save the changes and return to a command prompt.
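The following is an added example and is not the FixMailboxSD tool or any code from the post. It shows, in PowerShell, the two things the tool does with a DACL: test whether it is in canonical order and rebuild it in Deny/Allow/Inherited order. It works on an SDDL string so it runs offline; the sample descriptor, the 0x1 access mask, and the Get-ADUser line in the comments are constructed or assumed (msExchMailboxSecurityDescriptor is assumed to come back from the AD module as an ActiveDirectorySecurity object). Writing the corrected descriptor back to the mailbox is left to ESM/CDOEXM or FixMailboxSD, as the post describes.

```powershell
# Added example, not the FixMailboxSD tool itself: check a DACL for canonical order
# (explicit Deny, explicit Allow, then inherited ACEs) and rebuild it in that order.
# Input is an SDDL string; on a box with the AD module you could take it from
#   (Get-ADUser nuno -Properties msExchMailboxSecurityDescriptor).msExchMailboxSecurityDescriptor.Sddl
# (assumption: the AD module returns that attribute as an ActiveDirectorySecurity object).
# Needs only .NET 2.0+ types, so it runs on Windows PowerShell 2.0 and later.

function Get-AceRank {
    param([System.Security.AccessControl.GenericAce]$Ace)
    # 0 = explicit Deny, 1 = explicit Allow, 2 = inherited (any type); this is the
    # "Deny/Allow/Inherited" order named in the Exchange Online error message.
    $inheritedFlag = [int][System.Security.AccessControl.AceFlags]::Inherited
    if (([int]$Ace.AceFlags -band $inheritedFlag) -ne 0) { return 2 }
    if ($Ace.AceType.ToString().StartsWith('AccessDenied')) { return 0 }
    return 1
}

function Test-DaclCanonical {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    # CommonSecurityDescriptor runs the same canonical check Windows applies;
    # isDS = $true because this is a directory (object-ACE capable) descriptor.
    $common = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $true, $raw)
    return $common.IsDiscretionaryAclCanonical
}

function ConvertTo-CanonicalDacl {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $raw  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $dacl = $raw.DiscretionaryAcl
    if ($dacl -eq $null -or $dacl.Count -eq 0) { return $Sddl }   # nothing to reorder

    $aces = @()
    for ($i = 0; $i -lt $dacl.Count; $i++) { $aces += $dacl[$i] }

    # Three passes instead of Sort-Object: keeps the relative order inside each class
    # (Sort-Object is not guaranteed to be stable on Windows PowerShell).
    $ordered = @()
    foreach ($rank in 0, 1, 2) {
        $ordered += @($aces | Where-Object { (Get-AceRank $_) -eq $rank })
    }

    $newDacl = New-Object System.Security.AccessControl.RawAcl($dacl.Revision, $ordered.Count)
    for ($i = 0; $i -lt $ordered.Count; $i++) { $newDacl.InsertAce($i, $ordered[$i]) }
    $raw.DiscretionaryAcl = $newDacl
    return $raw.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample (not a real mailbox SD): explicit Allow before explicit Deny, with an
# inherited ACE between them. The 0x1 mask is illustrative; AU/AN/BA are well-known SID
# aliases so the string parses offline without a domain SID.
$sample = 'O:BAG:BAD:(A;;0x1;;;AU)(A;ID;0x1;;;BA)(D;;0x1;;;AN)'
Write-Host ("Canonical before: " + (Test-DaclCanonical $sample))
$fixed = ConvertTo-CanonicalDacl $sample
Write-Host ("Canonical after:  " + (Test-DaclCanonical $fixed))
Write-Host $fixed
```

On the sample, Test-DaclCanonical reports False before and True after: the explicit Deny for AN is moved to the front and the inherited ACE for BA to the end, with no ACE added or dropped. GetSddlForm may print the mask with an SDDL alias rather than 0x1, which is only a display difference.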
 

Friday, October 12, 2012

Exchange 2013 RTM

Today the Exchange engineering team signed off the Release to Manufacturing (RTM) build of the new Exchange 2013. This means the coding and testing phase of the project is complete and they are now focused on releasing the new Exchange via multiple distribution channels. General availability is planned for the first quarter of 2013.

In addition to Exchange, the new Office, SharePoint, and Lync have also reached RTM.

Source: EHLO

Saturday, October 29, 2011

"Changes to the distribution list membership cannot be saved" - Part 2

One of my first posts was regarding Distribution Groups Managers, how they work and how to set them up both through Active Directory and through PowerShell.

Recently, I wrote another post regarding the “Changes to the distribution list membership cannot be saved” error that Exchange 2010 users might receive when trying to manage Distribution Lists (DLs).

In this new post, again about DLs, I will talk about another scenario where users are still unable to manage their DLs even after you follow the instructions in the previous two posts: DLs inherited from an Exchange 2003 environment you transitioned from.


If you still have users experiencing the following error whenever they try to add or remove a member from a DL they manage, check if the DL’s scope is set to Global:


If you can’t remember what the differences are between Group Scopes, here’s a quick (and simplified!) overview:
  • Universal Group: can include accounts, global groups and universal groups from any domain of the same forest. Can be assigned permissions in any domain or forest;
  • Global Group: can include accounts and global groups from the same domain. Can be assigned permissions in any domain;
  • Domain Local: can include accounts, global groups and universal groups from any domain (can also include other Domain Local groups, but only from the same domain). Can be assigned permissions only in the same domain.


If you look in the EMC, these DLs will most probably be greyed out and shown as Mail Non-Universal Group, a recipient type that Exchange 2010 does not support for management, which is what causes the problem.


E-mails are still delivered to their members but you will not be able to manage or change them.

To check the Group Scope, the easiest way is to use AD Users and Computers. In the following picture we can see that the DL HP-SSL-VPN is a Global DL:



To fix this issue, all you have to do is convert these DLs to Universal. You can easily do this using the EMC by sorting your DLs by Recipient Type Details, selecting the DLs you want to convert (you can select/convert multiple at a time!) and then clicking Convert to Universal Group:



Alternatively, you can use PowerShell with the following cmdlet:
Import-Module ActiveDirectory
Get-ADGroup -Filter {(mail -like "*") -and (GroupScope -eq "Global")} | Set-ADGroup -GroupScope Universal -WhatIf

WARNING: The -WhatIf switch only reports what would be changed. Remove it only once you are sure you want to convert all of them, or narrow the filter so that only the DLs you want are converted! Note also that mail -like "*" matches mail-enabled security groups as well as DLs, and that AD will refuse to convert a Global group that is itself a member of another Global group.



Exchange Server 2003
In the beginning of this post I mentioned that this might happen if you transitioned from Exchange 2003. This is because DLs created with the Exchange 2003 tools are stamped with the Exchange 2003 object version, and Exchange 2010 cannot save changes to such an object until it is upgraded.


To check the version of a DL, run the following cmdlet in the EMS:
Get-DistributionGroup HP-SSL-VPN | Select Name, ExchangeVersion

Name                   ExchangeVersion
----                   ---------------
HP-SSL-VPN             0.0 (6.5.6500.0)

From the output, we can see that the Exchange version of this DL is 6.5 (Exchange 2003).


You can run the same cmdlet across all the DLs in your environment to see exactly how many are still at the 2003 or, possibly, 2007 version:
Get-DistributionGroup | Select Name, ExchangeVersion | Sort ExchangeVersion


Or if you want to group and count them:
Get-DistributionGroup | Group ExchangeVersion

Count   Name
-----   ----
  207   0.0 (6.5.6500.0)
   12   0.10 (14.0.100.0)
   45   0.1 (8.0.535.0)



For these, if you try to add a Manager, you will get the following warning:



If you click Yes, Exchange will automatically convert the DL to Exchange 2010 so you can edit it.

The easiest way to convert all your DLs from Exchange 2003/2007 to Exchange 2010 is by using the 2010 EMS and simply running the following cmdlet:
Get-DistributionGroup | Set-DistributionGroup

Which will ask you the following:
To save changes on object "HP-SSL-VPN", the object must be upgraded to the current Exchange version. After the upgrade, this object cannot be managed by an earlier version of the Exchange Management Tools. Do you want to continue to upgrade and save the object?
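The script below is an added example, not code from the post, that puts the two steps of this post together: it converts mail-enabled non-Universal groups to Universal (the scope problem from the first half of the post) and then upgrades DLs still stamped with an Exchange 2003/2007 object version (the ExchangeVersion problem just described). It assumes it is run from the Exchange 2010 EMS on a machine with the ActiveDirectory module (RSAT-AD-PowerShell) installed; the function names are mine. Before converting a scope it checks the two AD rules that make Set-ADGroup fail (a Global group that is a member of another Global group, and a Domain Local group that contains another Domain Local group), and it uses the -ForceUpgrade switch of Set-DistributionGroup to suppress the prompt quoted above. Like the -WhatIf one-liner earlier, it only reports unless -Commit is given.

```powershell
# Added example, not from the original post: make DLs inherited from an Exchange 2003 transition
# manageable again. Run from the Exchange 2010 EMS with the AD module available.
# Step 1: mail-enabled non-Universal groups -> Universal, after checking the AD conversion rules.
# Step 2: DLs still stamped with an Exchange 2003/2007 object version -> upgraded with -ForceUpgrade.
# Both steps only report unless -Commit is given.
Import-Module ActiveDirectory

function Get-UniversalConversionBlocker {
    param([Parameter(Mandatory=$true)]$Group)   # ADGroup fetched with -Properties memberOf, member
    $blockers = @()
    if ($Group.GroupScope -eq 'Global') {
        # AD refuses Global -> Universal while the group is a member of another Global group
        foreach ($parentDn in $Group.MemberOf) {
            $parent = Get-ADGroup -Identity $parentDn
            if ($parent.GroupScope -eq 'Global') { $blockers += "member of Global group '$($parent.Name)'" }
        }
    } elseif ($Group.GroupScope -eq 'DomainLocal') {
        # AD refuses DomainLocal -> Universal while the group contains another DomainLocal group
        foreach ($childDn in $Group.Member) {
            $child = Get-ADObject -Identity $childDn -Properties groupType
            # groupType bit 0x4 = domain local scope
            if ($child.ObjectClass -eq 'group' -and (($child.groupType -band 0x4) -ne 0)) {
                $blockers += "contains DomainLocal group '$($child.Name)'"
            }
        }
    }
    return ,$blockers
}

function Convert-MailGroupScope {
    param([switch]$Commit)
    # Same idea as the post's one-liner, but it also catches Domain Local groups. Like the
    # original filter, mail -like "*" includes mail-enabled security groups.
    $groups = Get-ADGroup -Filter { (mail -like "*") -and (GroupScope -ne "Universal") } -Properties mail, memberOf, member
    foreach ($g in $groups) {
        $blockers = Get-UniversalConversionBlocker -Group $g
        if ($blockers.Count -gt 0) {
            Write-Warning "$($g.Name) ($($g.GroupScope)): not converted, $($blockers -join '; ')"
            continue
        }
        if ($Commit) { Set-ADGroup -Identity $g -GroupScope Universal }
        else { Write-Host "Would convert $($g.Name) ($($g.GroupScope)) to Universal" }
    }
}

function Get-ExchangeBuildMajor {
    # ExchangeVersion renders as "0.0 (6.5.6500.0)" / "0.1 (8.0.535.0)" / "0.10 (14.0.100.0)";
    # the number after "(" is the Exchange major build: 6 = 2003, 8 = 2007, 14 = 2010.
    # Parsing the string form also works on the deserialized objects a remote EMS session returns.
    param([Parameter(Mandatory=$true)]$ExchangeVersion)
    $text = $ExchangeVersion.ToString()
    if ($text -match '\((\d+)\.') { return [int]$Matches[1] }
    return 0
}

function Update-DistributionGroupVersion {
    param([switch]$Commit)
    $old = Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { (Get-ExchangeBuildMajor $_.ExchangeVersion) -lt 14 }
    foreach ($dl in $old) {
        if ($Commit) {
            # -ForceUpgrade suppresses the "object must be upgraded" confirmation prompt
            Set-DistributionGroup -Identity $dl.Identity -ForceUpgrade
        } else {
            Write-Host "Would upgrade $($dl.Name) from $($dl.ExchangeVersion) to the Exchange 2010 object version"
        }
    }
}

Convert-MailGroupScope              # step 1, report only; add -Commit to change the scope
Update-DistributionGroupVersion     # step 2, report only; add -Commit to upgrade
```

Run it once without -Commit and read the warnings first: a group reported as blocked has to have its nesting untangled (for example, a Global group removed from its parent Global group) before the scope change will succeed. Step 2 is only needed for DLs that report a build major below 14; DLs already at 0.10 (14.0.100.0) are left alone.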


Hope this helps!