I'm about to open an incident with PSS but thought I'd see if any of you had run across a similar situation: All members of the built-in groups such as Account Operators and Backup Operators have had their permissions changed on Ex55 mailboxes.
The ADC is E2K SP3 with hotfix 815452. We never installed an earlier ADC version. After running the ADC their permissions show role of "CUSTOM" with only "Mailbox Owner" rights (normal is "User" role and rights that include "Modify User Attributes" and "SendAs"). Mailbox access has not been impacted as far as I can tell (good!) - however I still have concerns as the Ex55 Admin program will not export CUSTOM permissions (see KB 188628) and we make use of such an export for security reasons and during mailbox moves between Ex55 sites. Plus since I don't recall anyone mentioning this I'm a bit concerned that after all my ADC testing I still messed up somewhere ...

Only users impacted appear to be members of a built-in group. The ADC also added the group "Exchange Enterprise Servers" with CUSTOM permissions and right of "Modify User Attributes" to these mailboxes.

Has anyone else seen this? I get the same results in our newly rebuilt lab as in production - so whatever I'm doing it is repeatable ... We've stopped running the ADC in production until I talk with PSS or hear some wisdom from the folks on this list.

The permission changes do not always happen after the first replication or when the user's attributes have changed. It appears that if I run the ADC about an hour after the built-in group is updated then the permissions will get changed to CUSTOM. If it runs sooner: sometimes the change happens, other times it does not till a later replication. Previous labs did not show this but I cannot verify now if we had mailbox users as members of those built-in groups at that time.

Environment:

A two-way agreement from each of the Ex55 sites (recipient container <-> Org Unit for that site). Tested with CAs created as two-way and those created as one-way then switched to two-way. Same perms results for migrated users (via ADMT) and brand new Active Directory users created with ADU&C. The thing in common seems to be membership in the built-in groups.
We do not use Group policies. Prior to the ADC we verified Ex55 Organization had unique NT Associated accounts (which matched the mailbox alias and the X.500 name). Unknown permissions were removed.

Active Directory: Windows 2000 SP3 with KB 327825 and security patches applied to all domain controllers. A "root" domain and a child domain both in Native mode.

Exchange 5.5 SP4 servers (and users) are in a mix of one NT domain and the child AD domain. Two-way trust between the NT and AD child domain.

We use the ADMT to migrate users from the NT domain to AD. The version we use sets the SID history and merges any disabled users (created by the ADC) with the migrated user.

ADC schema updates were done using ADC from Exchange 2000 SP3. ForestPrep and DomainPrep have both been done. Exchange 2000 has NOT yet been installed.

I realize this was a long post - thank you for wading through it. Any insights would sure be appreciated!

Jane

Jane F. Elliott
Postmaster Team
Tektronix, Inc.

