You’ll notice that those permissions on the store object aren’t explicit but inherited and, to use Joe’s Exchange as an example, are defined here:

CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com

As

            Allow    DOMAIN\Exchange Domain Servers        List Children, Read All Properties, Read Permissions

The two other places where permissions are detailed explicitly are on the org:

,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com

 

and a simply

            Deny DOMAIN\Exchange Domain Servers            Receive As

On the servers container:

CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com

 

 

 

I’ve managed to break Exchange by switching off inheritance in E2k on an admin group or server container, after which email from new servers joining the org could not send mail to servers already existent – or other similar probs. You’ll notice some interesting things browsing ACLs in Exchange, and how they change subtly after service pack applications. I remember a SP rewriting base public folder permissions at one stage, which was rather upsetting in a legal environment ;)

Suggest you switch permission inheritance back on if you have switched it off and permission explicitly where required and on the right levels if you HAVE to, so that

a)       mail flow won’t break due to missing permission on the Exchange servers group and

b)       since there are so few places where ACLs are written explicitly, you’ll have a better idea, i.e. things will be slightly more self documenting (did I mention that word?) when you’re trying to figure out what changed six months after the fact.

 

Suggest you document your default permissions somewhere or have a second org in a lab so that you can compare what’s different in the future if something breaks. – I once spent a week chasing an NDR after figuring out that I switched something off somewhere and forgot where I did it – Document? ;)
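The baseline comparison suggested in the message above, as an added example that is not part of the original post: it diffs two text snapshots of explicit ACEs and reports which rights were added or removed per object. The snapshot layout, the `example` DNs and the function names are assumptions made for illustration; the ACE lines follow the format quoted in the message.

```python
import re

# Constructed snapshots (not real exports): a DN line, then one indented
# "Allow|Deny  trustee  rights" line per explicit ACE, as in the message.
BASELINE = r"""
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
    Allow    DOMAIN\Exchange Domain Servers    List Children, Read All Properties, Read Permissions
CN=Example Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
    Deny     DOMAIN\Exchange Domain Servers    Receive As
"""
CURRENT = r"""
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
    Allow    DOMAIN\Exchange Domain Servers    List Children, Read All Properties
CN=Example Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
"""

# Trustee names contain single spaces, so columns are split on 2+ spaces.
ACE = re.compile(r"^\s+(Allow|Deny)\s+(\S.*?)\s{2,}(\S.*)$")

def parse_snapshot(text):
    """Return {(dn, ace_type, trustee): set_of_rights} for one snapshot."""
    aces, dn = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ACE.match(line)
        if match and dn:
            rights = {r.strip() for r in match.group(3).split(",") if r.strip()}
            aces.setdefault((dn, match.group(1), match.group(2)), set()).update(rights)
        elif not line[0].isspace():
            dn = line.strip()          # unindented line starts a new object
        else:
            raise ValueError(f"unparseable ACE line: {line!r}")
    return aces

def diff_snapshots(baseline, current):
    """List (change, dn, ace_type, trustee, right) tuples, sorted by object."""
    base, cur = parse_snapshot(baseline), parse_snapshot(current)
    changes = []
    for key in sorted(base.keys() | cur.keys()):
        old, new = base.get(key, set()), cur.get(key, set())
        changes += [("removed", *key, right) for right in sorted(old - new)]
        changes += [("added", *key, right) for right in sorted(new - old)]
    return changes

if __name__ == "__main__":
    for change in diff_snapshots(BASELINE, CURRENT):
        print(*change, sep=" | ")
```
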

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: 02 August 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails

 

Because I was playing with permissions. :)

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, August 02, 2004 4:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange and AD E-mails

 

Why wouldn't Exchange Domain Servers have the appropriate permission in your environment?  Something get changed recently?

 

Any event log entries on the Exchange servers?

 

-Al

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, August 02, 2004 3:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails

Yeah, I just played with this a little bit.

 

If Exchange Domain Servers doesn't have write access, I get a bounce.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, August 02, 2004 2:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange and AD E-mails

I've got to back off the drinking apparently ;)

 

ACLs very well can prevent mail delivery.

 

Al

 

 
