Setup /PrepareLegacyPermissions permitts wrong group in multi doma

TheMSsForum.com: The Microsoft Software Forum

Following environment:
root-domain: fsmo-roles, one DC 64bit for Exchange Setup
company-domain: user objects, uninstalled ADC E2k3 Server
server.company-subdomain: computer objects, E2k3 Server Cluster
special.company-subdomain: computer objects
production.compnay-subdomain: computer objects

sites: office (2 GC, 1 DC of each domain except production), production (1
GC of company domain, 2GC, 1DC of production) separated by a firewall

After Setup /PL for all domains (except production) we got the strange right
for the domain object in the compnay domain (all other are okay). The
Exchange Enterprise Servers (EES), which is domain local was added with the
special access for Exchange Information not form the company domain but from
the server.company subdomain. So all users were missing rights for the
company EES (i.e.: read and write alias). After going to advanced and
changing the Group fom servers.company\EES to company\EES i got the read
alias right, but there are compared to the other subdomains and the root
domain many rights missing. In the ExchangeSetup.Log it is shown this wrong
EES was selected so that I presume that there is an error in the Powershell
script for the pl option (tested sp1 and rtm version).
Anyone who experienced the same?
Anyone knowing how to set the "Special Access for Exchange Information"
rights with dsacls?

thanks
Top

RE: Setup /PrepareLegacyPermissions permitts wrong group in multi doma by clem

clem
Tue Jul 01 05:36:01 CDT 2008

additional info:
for the company domain we get MSExchangeAL 8317, 8168, 8022, 8270
for all other domains everthing okay, RUS is running (checked with
user-objects)
Top

Problem solved: DSACLS to give rights on Exchange Information by clem

clem
Tue Jul 01 07:25:02 CDT 2008

To solve the Problem I executed manually what setup /bl is doing for each
domain (could verify that for the other domains):

dsacls "dc=company,dc=local" /I:T /G "company\Exchange Enterprise
Servers":WP;"Exchange Information"

dsacls "cn=AdminSDHolder,cn=system,dc=company,dc=local" /I:T /G
"company\Exchange Enterprise Servers":RPWP;"Exchange Information"

dsacls "cn=ExOrg,cn=Microsoft
Exchange,cn=Services,cn=Configuration,dc=root,dc=local" /I:T /G
"company\Exchange Domain Servers":WP;"Exchange Information"

Obviously you have to replace company by your Domain and exorg by your
Exchange Organisation Name Values!

For further information see:
http://technet.microsoft.com/en-us/library/bb288907.aspx, ExchangeSetup.log
and the rights.ldf file in setup\data.
Look there for 1F298A89-DE98-47b8-B5CD-572AD53D267E = "Exchange Information"
Top