Full mailbox access from trusted domain

I have an issue with users unable to log in to OWA or ActiveSync using trusted domain credentials. I have two forests, FOREST A and FOREST B. I have a 2-way forest trust between them. I have migrated users from FOREST A to FOREST B, but their mailboxes need to stay in FOREST A for the time being.
I have added Full Mailbox access for their FOREST B accounts, as well as Send As permission.
Outlook accesses their mailboxes with no problem and no security credential prompts. Sending is also fine. However, OWA and ActiveSync will not accept their FOREST B login credentials; I get the following error:
The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted, or because you don't have the correct permissions.
I have a single Exchange 2010 SP2 server in FOREST A. All roles are on this server.
Why would Outlook clients work while OWA and ActiveSync fail? Things I have checked:
DNS suffixes for the trusted and trusting domains are set on the Exchange server
Trust is in place and functional
Outlook clients work fine using FOREST B accounts
Changed OWA authentication options between UPN / Domain\User / logon name only - no option worked
Checked time sync between DCs and Exchange
Any ideas?? Thanks.

Hi Bobby4300,
Great checklist from Martin.
Please try the following link to set the msExchMasterAccountSID attribute in the Active Directory account forest, for your reference:
http://www.msexchange.org/articles-tutorials/exchange-server-2003/management-administration/Understanding-External-Associated-Account-Windows-Server-2003-Exchange-2003.html
Additionally, the best way is to configure linked mailboxes. A linked mailbox is a mailbox associated with an external account. For more details about creating a linked mailbox, please refer to:
http://technet.microsoft.com/en-us/library/bb123524(v=exchg.141).aspx
Best regards,
Allen Wang
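As an added example (not code from the thread or from Microsoft), the Exchange Management Shell steps the reply points at: auditing which FOREST A mailboxes are linked to a FOREST B master account, and converting one with Set-User, which is what populates msExchMasterAccountSID. The DC name and credential are placeholders; the same check applies to the "How to give full access to mailbox to users in trusted domain?" thread further down.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010 Management Shell
# on the FOREST A (resource forest) server. The DC name and credential are placeholders.
$AccountForestDC   = 'dc01.forestb.example'                  # placeholder: a DC in FOREST B
$AccountForestCred = Get-Credential 'FORESTB\readonly-user'  # any FOREST B user that can read the directory

function Get-LinkedMasterState {
    # Reports, per mailbox, whether it is a linked mailbox and whether its
    # LinkedMasterAccount resolved to DOMAIN\name or stayed a raw SID. A raw SID
    # means FOREST A could not translate the FOREST B SID through the trust, which
    # is the same lookup OWA and ActiveSync perform against msExchMasterAccountSID.
    param([string]$Identity = '*')
    Get-Mailbox -Identity $Identity -ResultSize Unlimited | ForEach-Object {
        $lma = [string]$_.LinkedMasterAccount
        $state = 'Linked'
        if (-not $lma) { $state = 'NotLinked' }
        elseif ($lma -match '^S-1-5-21-') { $state = 'UnresolvedSid' }
        New-Object PSObject -Property @{
            Mailbox       = $_.Alias
            RecipientType = $_.RecipientTypeDetails
            LinkedAccount = $lma
            State         = $state
        }
    }
}

function Set-CrossForestLinkedMaster {
    # Converts a FOREST A user mailbox into a linked mailbox whose master account is
    # the migrated FOREST B account. Exchange writes that account's SID into
    # msExchMasterAccountSID; OWA and ActiveSync authenticate against it, whereas
    # Outlook already worked through the Full Access ACE alone.
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$MasterAccount   # e.g. 'FORESTB\jdoe' (placeholder)
    )
    Set-User -Identity $Mailbox `
             -LinkedMasterAccount $MasterAccount `
             -LinkedDomainController $AccountForestDC `
             -LinkedCredential $AccountForestCred
    # Read back: RecipientTypeDetails should now be LinkedMailbox with a resolved name
    Get-Mailbox -Identity $Mailbox |
        Select-Object Alias, RecipientTypeDetails, LinkedMasterAccount
}

# Usage: list mailboxes that are still plain user mailboxes, or whose master SID did not resolve
Get-LinkedMasterState | Where-Object { $_.State -ne 'Linked' } |
    Format-Table Mailbox, RecipientType, LinkedAccount, State -AutoSize
```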

Similar Messages

  • Providing administrator(s) full mailbox access to all mailboxes (database) not working

    I'm setting up a new Exchange 2013 org. Everything is pretty fresh; only a few mailboxes have been added for testing.
    I've added this permission to provide full access to all the mailboxes in the database:
    Get-MailboxDatabase -identity "Mailbox Database" | Add-ADPermission -user netadmin -AccessRights GenericAll -ExtendedRights Receive-As, Send-As
    I've verified the permission in ADSI Edit.
    I have verified the permission in the recipient's mailbox delegation properties.
    However, while logged into OWA using the admin account, if I try to open another user's mailbox from OWA, I just get a sad face that says "Something went wrong :(".
    Any ideas? I've tried resetting the OWA virtual directory, resetting IIS, and rebooting several times, no luck.
    Thanks

    Hi,
    Is it OK when you set it for a single mailbox?
    If so, please try
    Get-Mailbox -database "Mailbox Database" | Add-ADPermission -user netadmin -AccessRights GenericAll -ExtendedRights Receive-As, Send-As
    Cheers
    Zi Feng
    TechNet Community Support

    Please see the original post; I've already tried "Get-MailboxDatabase -identity 'Mailbox Database' | Add-ADPermission -user netadmin -AccessRights GenericAll -ExtendedRights Receive-As, Send-As".
    If I add the permission individually through ECP, it works just fine. What I'm trying to accomplish is full mailbox access to all mailboxes in the database now and in the future (something that works just fine in Exchange 2010); however, in 2013 it is not working. I tried doing it via a security group instead, same result.

  • ACS appliance 4.1 - machine authentification from trusted Domain failed

    We have an ACS appliance 4.1 with an agent running on an X domain controller to authenticate users from the X domain Active Directory.
    Users and computers are able to authenticate without any issue on the X domain.
    We have recently added a trusted Y domain on this X domain.
    Users from the Y domain are able to authenticate on our ACS without any issue, but machines are not able to authenticate.
    03/14/2011 10:44:32 Authen failed host/FLADWS0072.Ydomain Default Group 00-26-82-d6-9b-3f (Default) External DB user invalid or bad password
    The machine uses the following settings to authenticate:
    EAP type: EAP (PEAP)
    Authentication method: EAP-MSCHAP v2
    On the Y domain Active Directory:
    Remote access permission is OK for the machine
    On the ACS appliance:
    "Enable PEAP machine authentication" is selected, and the machines from the X domain authenticate without any issue.
    Any idea where I should start to investigate?
    Thanks in advance for your help


  • Shared mailbox access from exchange 2003 to 2010 users

    We have successfully migrated from Exchange 2003 to 2010; some of the users are yet to be migrated.
    The issue is only on Mac (Apple): migrated users are unable to access the shared folder residing in the 2003 environment,
    but the migrated 2010 users are able to access the shared folders in the Windows environment.
    Can anyone assist or suggest something for this issue?
    Awaiting your reply.
    Regards
    kart26

    Hi Kart26,
    Please install the certificate in your Mac app client.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • How to give full access to mailbox to users in trusted domain?

    Hi,
    I am working on a migration project where we migrate all users from one domain to a new domain. I have Exchange in both domains, and I migrate mailboxes from the old to the new domain. In the old domain I have a number of mailboxes that are used for common calendars for the departments. My problem is: how can I give the users who have been migrated to the new domain full access to the existing calendar mailboxes in the old domain? I have given the accounts in the new domain full access to the mailboxes in the old domain by using the following command: get-mailbox mailboxname | add-mailboxpermission -accessrights FullAccess,ExternalAccount -user newdomain\username
    After the command has completed I can see the account listed in the "Manage Full Access Permission" dialog, but the new user account still cannot create appointments, etc. in the original calendar from Outlook.
    Any tips on this?
    Thor-Egil

    Hi Thor,
    Thank you for your question.
    Does the issue also occur when using OWA?
    Are there any errors when they cannot create appointments?
    We could enable "Support cross forest delegation" on FIM (Forefront Identity Manager) to check if the issue persists.
    There is an article on how to enable "Support cross forest delegation" at the following link:
    http://blogs.technet.com/b/neiljohn/archive/2011/10/12/exchange-server-2010-cross-forest-delegation.aspx
    If there are any questions regarding this issue, please feel free to let me know.
    Best regards,
    Jim Xu
    TechNet Community Support

  • How do I configure OS X Server (Mountain Lion) to deliver mail from another domain to my mailbox?

    I run a personal Server at my office. It's configured under my own domain as server.mydomain.com. It's setup that it properly receives and sends e-mail for mydomain.com. I use my own mailbox [email protected] to get all my personal mail.
    I'm looking to add another domain as a secondary way for people to get to my content and information.
    I want the same address [email protected] and [email protected] to arrive in the same mailbox at my server.
    How do I do that?

    It does look like you can add virtual domains in the GUI of Server.app on at least some versions, but I don't have an OS X Server 10.8 version handy to check.
    I'd encourage spending some time to learn the command line.  In general, the payoff for learning the command line will be worth the effort expended.  You're running a mail server here and sooner or later the capabilities of the GUI will fail you.  This whether due to a configuration omission in the GUI itself, or due to the need to troubleshoot a malfunctioning mail server, a need to automate one or more of the Postfix-related sequences, or some other IT-related task.  Entirely FWIW, of course.
    Here's a cut-and-paste of the sequence just used to test the command line access to the Postfix configuration, first fetching the current value, appending example.com as the second domain, then displaying the new value, then restarting the Postfix server.  Don't enter the dollar signs; just the postconf command and following.  Adjust example.com to match your domain...
    $ postconf mydestination
    mydestination = $myhostname, localhost.$mydomain, localhost
    $ sudo postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, example.com'
    Password: {your admin password here}
    $ postconf mydestination
    mydestination = $myhostname, localhost.$mydomain, localhost, example.com
    $ sudo postfix reload
    The postfix and postconf commands work irrespective of the OS X Server version; the tools reference the data files as needed.

  • Outlook Password prompt for Linked Mailboxes from certain Domain

    Hello,
    As part of a migration project, I'm trying to connect Outlook with linked mailboxes for users in a trusted domain.
    I'm able to create the linked mailbox on the Exchange 2013 (CU7) server without any issue, but when I try to configure Outlook for these mailboxes, it prompts for credentials permanently and won't start. Logging on to OWA with the same user from the trusted domain works fine.
    I'm able to configure linked mailboxes from another trusted domain without any problems.
    I've already recreated the trust between these two domains (validation says everything is OK).
    DNS is configured with conditional forwarders in both domains, and name resolution looks OK to me (ping and nslookup).
    When I look at the LinkedMasterAccount of the mailboxes from this domain, I can see that there is only the SID (S-1-5-21-4033829......). The other linked mailboxes (from the other domain where it's working) show the account name (domain\user).
    Internal and External ClientAuthenticationMethod of OutlookAnywhere is set to NTLM.
    Info:
    DomainA: Domain level 2012 - Exchange 2013 - Forest trust to Domain B and C
    DomainB: Domain level 2008 - Exchange 2010 - Forest trust to Domain A - Outlook for linked mailboxes of DomainA works fine
    DomainC: Domain level 2008 - Forest trust to Domain A --> can't connect Outlook to linked mailboxes of this domain.
    Is there anything else I can check?

    Hi,
    Please check whether the server is configured to only accept NTLM version 2 and reject NTLM and LM, while the Outlook client computer is not configured with the same LAN Manager authentication level.
    Check the DC: Start -> Programs -> Administrative Tools -> Security Options -> Note the LAN Manager authentication level.
    Check the DC's policies: Start -> Programs -> Administrative Tools -> expand Security Settings\Local Policies -> Security Options -> Note the LAN Manager authentication level.
    IMPORTANT: You may also have to check policies that are linked at the site/domain/organizational unit levels to determine where the LAN Manager authentication level must be configured. Configure the LAN Manager authentication level to "Send NTLMv2 response only". If you want to implement NTLM version 2 in your network, make sure that all computers in the domain are set to use this authentication level.
    Thanks
    Mavis Huang
    TechNet Community Support
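    Added example, not code from the thread: how to read the LAN Manager authentication level the reply refers to, and a check of a client/server pair for the mismatch it describes, with the level table as it appears in the policy.

```powershell
# Added example, not code from the thread. Reads the LAN Manager authentication level
# (policy "Network security: LAN Manager authentication level") from the local registry
# and checks a client/server pair for the NTLM mismatch described in the reply above.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Effective level of this machine. The policy writes the DWORD
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel; when the value
    # is absent the OS default applies (3 on Windows Vista / Server 2008 and later).
    param([int]$DefaultLevel = 3)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($null -eq $lsa.LmCompatibilityLevel) { return $DefaultLevel }
    return [int]$lsa.LmCompatibilityLevel
}

function Test-NtlmCompatibility {
    # Pure check on two levels: the Outlook client's and the authenticating side's
    # (the DC or Exchange server). A client at 0-2 answers with LM/NTLMv1; a server
    # at 5 refuses those, so the logon fails and Outlook keeps prompting. Level 4
    # only refuses LM and still accepts the NTLMv1 response, so it does not cause this.
    param([int]$ClientLevel, [int]$ServerLevel)
    $clientSendsV2       = $ClientLevel -ge 3
    $serverRefusesNtlmV1 = $ServerLevel -ge 5
    $compatible = $clientSendsV2 -or (-not $serverRefusesNtlmV1)
    $advice = 'No change needed'
    if (-not $compatible) {
        $advice = 'Raise the client to at least level 3 (Send NTLMv2 response only) via the policy'
    }
    New-Object PSObject -Property @{
        ClientSetting = $LmLevels[$ClientLevel]
        ServerSetting = $LmLevels[$ServerLevel]
        Compatible    = $compatible
        Advice        = $advice
    }
}

# Usage: compare this machine against a server known to enforce level 5
Test-NtlmCompatibility -ClientLevel (Get-LmCompatibilityLevel) -ServerLevel 5 | Format-List
```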

  • Users see all applications in RDS 2012 Web access in one-way trust domain environment

    Hello!
    We have an RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
    A user from domainB.local authenticates in the Web Access interface (wa.domainA.local) and sees every published application in every collection in the deployment, independently of the UserGroups setting of collections and applications. This occurs for any domainB user.
    In the security log of wa.domainA.local we can find an event:
    An account failed to log on.
    Subject:
        Security ID: IIS APPPOOL\RDWebAccess
        Account Name: RDWebAccess
        Account Domain: IIS APPPOOL
        Logon ID: 0x2C7B16
    Logon Type: 3
    Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name:
        Account Domain:
    Failure Information:
        Failure Reason: An error occurred during logon
        Status: 0xC000005E
        Sub Status: 0x0
    Also in a network trace on wa.domainA.local a Kerberos error can be found:
    On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
    How to deal with this issue? The aim is to show only specified applications to domainB users.
    Any help would be appreciated.

    Hi,
    Thank you for your posting in Windows Server Forum.
    Please check the links below; they might be useful for your case.
    "After adding the RDS server's computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly." (Quoted from this article)
    1. Remote APP list empty
    2. RD Web Access unable to access Source (RD Server)
    In respect to the Kerberos error, refer to these links for troubleshooting.
    1. Troubleshooting Kerberos Authentication problems – Name resolution issues
    2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
    Hope it helps!
    Thanks,
    Dharmesh
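    Added example, not code from the thread: a parser for 4625 event text that decodes the Status / Sub Status pair and separates this trust-path failure from ordinary credential failures. The sample event is constructed from the one quoted above.

```powershell
# Added example, not code from the thread. Decodes the Status / Sub Status of a
# Security event 4625 and flags the pattern shown above (NULL SID target,
# Status 0xC000005E). The event text below is a constructed sample modelled on the post.
$NtStatusNames = @{
    '0xC000005E' = 'STATUS_NO_LOGON_SERVERS: no DC of the target domain could be reached via the trust path'
    '0xC000006D' = 'STATUS_LOGON_FAILURE: bad user name or password'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000018C' = 'STATUS_TRUSTED_DOMAIN_FAILURE: trust relationship with the trusted domain failed'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0x0'        = '(none)'
}

# Constructed sample, modelled on the event quoted in the post
$SampleEvent = @"
An account failed to log on.
Subject:
    Security ID:        IIS APPPOOL\RDWebAccess
    Account Name:       RDWebAccess
    Account Domain:     IIS APPPOOL
    Logon ID:           0x2C7B16
Logon Type:             3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:
Failure Information:
    Failure Reason:     An error occurred during logon
    Status:             0xC000005E
    Sub Status:         0x0
"@

function ConvertFrom-LogonFailureText {
    # Parses the rendered 4625 message. Labels such as "Security ID" occur twice
    # (Subject block first, then the account the logon was attempted for), so values
    # are collected in document order and indexed.
    param([Parameter(Mandatory=$true)][string]$Message)
    function Get-Field([string]$Label) {
        $pattern = '(?m)^[ \t]*' + [regex]::Escape($Label) + ':[ \t]*(.*?)[ \t]*\r?$'
        [regex]::Matches($Message, $pattern) | ForEach-Object { $_.Groups[1].Value }
    }
    $sids   = @(Get-Field 'Security ID')
    $names  = @(Get-Field 'Account Name')
    $status = @(Get-Field 'Status')[0]
    $sub    = @(Get-Field 'Sub Status')[0]

    # Classify: an empty target with STATUS_NO_LOGON_SERVERS means the logon never
    # reached a DC for the user's domain (a trust or name-resolution problem), which
    # needs a different fix from a credential failure.
    $class = 'Other'
    if ($status -eq '0xC000005E' -and $sids[1] -eq 'NULL SID') { $class = 'TrustPath' }
    elseif ($sub -eq '0xC000006A' -or $sub -eq '0xC0000064')  { $class = 'Credential' }

    New-Object PSObject -Property @{
        SubjectAccount = $names[0]
        TargetAccount  = $names[1]
        TargetSid      = $sids[1]
        LogonType      = @(Get-Field 'Logon Type')[0]
        Status         = $status
        StatusName     = $NtStatusNames[$status]
        SubStatus      = $sub
        SubStatusName  = $NtStatusNames[$sub]
        Class          = $class
    }
}

# Constructed sample: expect Class = TrustPath
ConvertFrom-LogonFailureText -Message $SampleEvent | Format-List

# Live use on the RD Web Access server: recent failures of this class
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 200 |
    ForEach-Object { ConvertFrom-LogonFailureText -Message $_.Message } |
    Where-Object { $_.Class -eq 'TrustPath' }
```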

  • How to grant access to sharepoint for the user from different Domain

    Hi All
    I need to grant access to a user from a different domain.
    How can I view the users from the different domain in the people picker?
    Thanks in Advance.
    Raj

    Hi Trevor Seward,
    Sorry to disturb you again.
    I am trying to restrict users from another domain from being searched. Say we have domain A and domain B, where I am trying to restrict all the users from domain B (search users) for a site collection. I have found a couple of stsadm commands to do so, but none of them works. Below are the commands I have tried:
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:<Name>.domain" -url "http://Site URL"
    stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "(canonicalName=<Name>.domain*)" -url "Site URL"
    We have a two-way trust.
    Can you suggest any solution?
    Thanks
    Raj

  • Grant access to users from different Domains

    Hi,
    Recently my company was merged with another. All users from my company are set up in our domain (DomainA). SharePoint is able to see the users in this domain and grant access to them as well. When the merger happened, we created a group (Test-Sharepoint) in our AD to add groups from the other company's domain, DomainB, a totally different forest. There is a two-way trust set up between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from the other domain, DomainB.
    The other users are now able to access our SharePoint environment once access is granted to DomainA\Test-Sharepoint.
    The problem came when we applied audience targeting to a few web parts. The users from DomainB who are added as objects in DomainA\Test-Sharepoint (a group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone suggested that AD groups should be Global or Universal, but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within them.
    Please suggest how we can resolve the audience targeting issue.
    Regards, Kapil

    My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
    Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 and 2 other Domain External and Forest Trusts

    Is there anything that needs to be done or considered when migrating from the 2003 domain/forest level to 2008R2, with all DCs at 2008R2, with 2 other separate 2003 domain incoming and outgoing trusts, one a forest trust and the other an external trust? Is there any chance or risk that doing this upgrade will break either one of these trust relationships? Some of the user accounts with SID history have been migrated from both trusted domains to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old domains? If so, what can be done to protect these trusts and SID history prior to moving the domain to 2008R2?

    Hi,
    Based on my knowledge, the upgrade of the functional level does not affect the trust relationship.
    Besides, before you upgrade the functional level, verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
    Once the functional level has been upgraded, new DCs running on downlevel versions of Windows Server cannot be added to the domain or forest.
    For more information about functional levels, we can refer to the following links:
    Understanding Active Directory Domain Services (AD DS) Functional Levels
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Best Regards,
    Erin

  • SQl engine service account in different trusted domain from server?

    Is it possible to use an SQL service account from a different, but still trusted, domain than the one to which the server is joined?  If so, are there any nonstandard configuration settings I need to use?
    I've got this setup running, but when I try to connect with an account from any domain other than the one to which the server is joined, I get the following error:
    Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
    I've created the SPN in the service account's domain, and verified there is both connectivity and a valid trust relationship.  The users I'm testing also have logon permissions for the server.

    Hi AccuMegalith,
    Firstly, it is possible to use a SQL Server service account from a different, trusted domain. We need to note the following configuration. For more details, please review this article: Security Account Delegation.
    1. The service account must be trusted for delegation on the domain controller.
    The following options in Active Directory Users and Computers must be specified in order for delegation to work:
    • The "Account is sensitive and cannot be delegated" check box must not be selected for the user requesting delegation.
    • The "Account is trusted for delegation" check box must be selected for the service account of SQL Server.
    • The "Computer is trusted for delegation" check box must be selected for the server running an instance of Microsoft SQL Server.
    2. The service account must have SPNs registered on the domain controller. If the service account is a domain user account, the domain administrator must register the SPNs.
    Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
    Secondly, regarding the above error message: it means that SQL Server was able to authenticate you but was not able to validate you against the underlying Windows permissions.
    It could be caused by the Windows login having no profile, or by permissions that could not be checked due to UAC. Please perform the following steps to troubleshoot this issue. For more details, please review this blog.
    1. Run SQL Server Management Studio (SSMS) as administrator and disable UAC.
    2. Check if that login is directly mapped to one of the SQL Server logins by looking into the output of sys.server_principals.
    3. If the login is directly mapped to the list of available logins in the SQL instance, then check if the SID of the login matches the SID of the Windows login.
    Thanks,
    Lydia Zhang
    TechNet Community Support
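    Added example, not code from the reply or from Microsoft: a check of the delegation and SPN prerequisites listed above using the ActiveDirectory module, for a service account in a trusted domain. Every domain, host and account name is a placeholder.

```powershell
# Added example, not code from the thread. Verifies the delegation and SPN prerequisites
# listed in the reply for a SQL Server service account that lives in a trusted domain.
# Requires the ActiveDirectory module and read access to both domains; all names are placeholders.
Import-Module ActiveDirectory

function Test-SqlCrossDomainDelegation {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceAccount,  # sAMAccountName in the account domain
        [Parameter(Mandatory=$true)][string]$AccountDomain,   # DNS name of the service account's domain
        [Parameter(Mandatory=$true)][string]$SqlHost,         # computer name of the SQL Server
        [Parameter(Mandatory=$true)][string]$ServerDomain,    # domain the SQL host is joined to
        [Parameter(Mandatory=$true)][string]$ClientUser,      # the user whose login fails
        [Parameter(Mandatory=$true)][string]$ClientDomain,    # that user's domain
        [int]$Port = 1433
    )
    $svc = Get-ADUser     -Identity $ServiceAccount -Server $AccountDomain -Properties TrustedForDelegation, ServicePrincipalNames
    $srv = Get-ADComputer -Identity $SqlHost        -Server $ServerDomain  -Properties TrustedForDelegation, DNSHostName
    $usr = Get-ADUser     -Identity $ClientUser     -Server $ClientDomain  -Properties AccountNotDelegated

    # The SPN the client asks the KDC for is MSSQLSvc/<fqdn>:<port> (a default instance
    # also registers MSSQLSvc/<fqdn>). It must sit on the service account, not the computer,
    # because the service runs as that account.
    $fqdn = $srv.DNSHostName
    $spn  = "MSSQLSvc/${fqdn}:${Port}"
    $spnOnAccount = @($svc.ServicePrincipalNames) -contains $spn

    # Caveat: TrustedForDelegation is unconstrained delegation, a broad privilege. It is
    # only needed when SQL Server must take a further hop on the user's behalf; where it
    # is needed, constrained delegation to the specific target SPNs is the safer setting.
    $checks = @(
        @{ Check = "Service account $ServiceAccount trusted for delegation";  Pass = [bool]$svc.TrustedForDelegation }
        @{ Check = "Computer $SqlHost trusted for delegation";                 Pass = [bool]$srv.TrustedForDelegation }
        @{ Check = "User $ClientUser not marked 'sensitive, cannot delegate'"; Pass = -not [bool]$usr.AccountNotDelegated }
        @{ Check = "SPN $spn registered on the service account";              Pass = $spnOnAccount }
    )
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

# Usage (placeholder names):
Test-SqlCrossDomainDelegation -ServiceAccount 'svc-sql' -AccountDomain 'serviceaccountdomain.example' `
    -SqlHost 'SQL01' -ServerDomain 'serverdomain.example' `
    -ClientUser 'jdoe' -ClientDomain 'serviceaccountdomain.example' |
    Format-Table Check, Pass -AutoSize
```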

  • We have created a shared folder on multiple client machines in a domain environment on 2 different OSes (XP, Vista, etc.). For some days, when we access the shared folder by host name it is accessible, but at the same time on the same computer when

    Hello All,
    We have created a shared folder on multiple client machines in a domain environment on 2 different OSes (XP, Vista, etc.).
    For some days we have been facing a problem: when we access the shared folder by host name it is accessible, but at the same time, on the same computer, when we try to access the shared folder by IP it asks for credentials. I have typed the correct credentials again and again but am unable to access it. If I re-share the folder then we can access it, but when the system is restarted the same problem occurs.
    I have checked IP, DNS, gateway and more; each and everything is fine.
    Please suggest.
    Pankaj Kumar

    Hi,
    According to your description, my understanding is that the same shared folder can be accessed by name, but can't be accessed by IP address and asks for credentials.
    Please try to enable the option below on the device which has the shared folder:
    Besides, check the Advanced Sharing settings of the shared folder and confirm whether there are any limitation settings.
    Best Regards,
    Eve Wang

  • Filter out PeoplePicker results coming from trusted AD domains

    We have individuals who have accounts in multiple trusted domains. Thus when a search in PeoplePicker is performed, results will return multiple entries for those individuals.
    i.e. Bob has an account in the main AD domain foo.int and also has an account in the trusted AD domain bar.int. A search for Bob in PeoplePicker currently returns both entries, which is confusing to users.
    We have deprecated the trusted domain and eventually it will go away. However until then we want PeoplePicker to only return results from MAIN domain foo.int.
    I believe the correct solution is to setproperty peoplepicker-searchadcustomquery so that PeoplePicker only returns results from the main domain.
    I am not sure of the proper syntax and proper AD attribute to use in the property value for this command.
    stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv (?????)
    (from http://technet.microsoft.com/en-us/library/cc262988.aspx)
    Or is there another approach to this problem?

    Hi Bruce,
    You want to restrict the people picker to a specific domain.
    You can use the following command:
    stsadm -o setsiteuseraccountdirectorypath -url http://<RootSiteURL> -path "<Path to OU>"
    Path to OU examples:
    Single Domain: DC=DOMAIN, DC=COM
    For more information, see Setsiteuseraccountdirectorypath: Stsadm operation (Office SharePoint Server) (http://technet.microsoft.com/en-us/library/cc263328.aspx)
    By the way, the command you used before can also achieve the goal; what you need to do is specify a correct LDAP filter.
    stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv <LDAP Filter>
    Hope the information can be helpful.
    -lambert

  • Authenticate users from a trusted domain

    Greetings,
    I have two domains, A & B. Domain A hosts all our user accounts; A\domain users. In Domain B we host our applications, i.e., Exchange, IIS, SharePoint.
    I would like to have the default authentication into sharepoint be from users in Domain A using standard claims NTLM.
    Domain B trusts Domain A (1 way)
    Is this possible? How?
    Thank you

    Hello Trevor,
    Thank you for your help.
    I have run the People Picker Tester and found that I am able to connect to the following ports:
    CONNECTED
    tcp/389
    tcp/686
    tcp/135
    tcp/139
    tcp/3268
    tcp/445
    and FAILED to connect to
    tcp/137
    tcp/138
    tcp/3269
    tcp/53
    tcp/749
    tcp/750
    The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.
    With my new web application and site collection I cannot see any domain A users, although I have not run the two stsadm commands yet, should I be able to or do I need to run the two stsadm commands you previously mentioned?
    My next question is around the two stsadm commands.
    The first command:
    stsadm -o setapppassword -password "SomeValue"
    1) What am I actually doing here? 
    2) Where will this password be used?
    3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?
    The second command:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl
    1) is this command setting my default people picker domain search to Domain A accounts?
    2) for testing I'm going to use my domain a account in the command, is that acceptable?  It just needs to be an account in domain A, correct?
