Table full Access
Can you please help me with this query,
The explain plan is showing 'Table full access' on
Pay_cost_allocation_keyflex table.
I have 4 variables which are passed to the pcak table to get the pcak.cost_allocation_keyflex_id
I tried various ways, except when i give specific hrou.name = 'Xyz' then it does not do full access.
I even tried creating index on seg1,seg2,seg3,seg4 column, still it shows full access.
any idea how can i avoid doing full access as this is taking long time to fetch the record for 5k records.
sELECT
HROU.NAME,
HROU.ATTRIBUTE10||HROU.ATTRIBUTE11||HROU.ATTRIBUTE12||HROU.ATTRIBUTE13
FROM
HR_ALL_ORGANIZATION_UNITS HROU,
PAY_COST_ALLOCATION_KEYFLEX PCAK
WHERE
&VV_PAYROLL_ACTION_ID and
HROU.Organization_id and
HROU.COST_ALLOCATION_KEYFLEX_ID = PCAK.COST_ALLOCATION_KEYFLEX_ID AND
PCAK.SEGMENT1 = &P_REC_SEGMENT1 AND
pcak.segment2 = &p_rec_segment2 and
nvl(pcak.segment4,'00000') = nvl(&p_rec_segment4,'00000') and
nvl(pcak.segment5,'00000') = nvl(&P_rec_segment5,'00000') --and
GROUP BY hrou.name,hrou.attribute10,hrou.attribute11,hrou.attribute12,hrou.attribute13
order by hrou.attribute10,hrou.attribute11,hrou.attribute12,hrou.attribute13
Any advise will be appreciated.
Thanks
Bashir,
Try to avoid using function in the where block. If functions are used then normal indexes are not used .. (nvl for pcak.segment4 and pcak.segment5)
If you "have" to use nvl function, then create function-based index for pcak.segment4 and pcak.segment5
As for hrou.name, there must be an index for this. And thats why when you give hrou.name ='xyz', query must be using one of the index that has this column.
Sudhanshu Bhandari
perotsystems TSI
Similar Messages
-
Why a table full scan when I've got the PK in the WHERE clause?
There is a very complex query that I need to optimize in an Oracle 10gR2 environment. I am deconstructing it into layers to see what is causing the first bottleneck. The innermost portion is fine, with an explain plan cost of 54. With a typical value for the bind variable, it returns 125 zero_id values. There are over 100,000 rows in table T_ONE in my test database, but my customer has over one million rows in their production instance.
WITH t_merged_id AS (SELECT DISTINCT zero_id FROM t_zero WHERE NVL(column2, zero_id) = :i_id)
SELECT t_one.one_id
FROM t_one
INNER JOIN t_two
ON t_one.column1 = t_two.two_id
INNER JOIN t_merged_id
ON t_two.column10 = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one
INNER JOIN t_two
ON t_one.column2 = t_two.two_id
INNER JOIN t_merged_id
ON t_two.column10 = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one
INNER JOIN t_three
ON t_one.column3 = t_three.three_id
INNER JOIN t_merged_id
ON t_three.column10 = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one
INNER JOIN t_four
ON t_one.column4 = t_four.four_id
INNER JOIN t_two
ON t_four.column1 = t_two.two_id
INNER JOIN t_merged_id
ON t_two.two_id = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one INNER JOIN t_merged_id ON t_one.column5 = t_merged_id.zero_id
UNION
SELECT t_one.one_id
FROM t_one INNER JOIN t_merged_id ON t_one.column6 = t_merged_id.zero_idHowever, the next step is to obtain a bunch of columns from T_ONE for each of those ONE_ID values. Adding that looks like the following, which causes a table full scan on T_ONE (and an explain plan cost over 1,500 for this query in my test system) and it takes far too long to return the results.
SELECT t_one.*
FROM t_one
INNER JOIN
(--This is the start of the query shown above
WITH t_merged_id AS (SELECT DISTINCT zero_id FROM t_zero WHERE NVL(column2, zero_id) = :i_id)
SELECT t_one.one_id
FROM t_one
INNER JOIN t_two
ON t_one.column1 = t_two.two_id
INNER JOIN t_merged_id
ON t_two.column10 = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one
INNER JOIN t_two
ON t_one.column2 = t_two.two_id
INNER JOIN t_merged_id
ON t_two.column10 = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one
INNER JOIN t_three
ON t_one.column3 = t_three.three_id
INNER JOIN t_merged_id
ON t_three.column10 = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one
INNER JOIN t_four
ON t_one.column4 = t_four.four_id
INNER JOIN t_two
ON t_four.column1 = t_two.two_id
INNER JOIN t_merged_id
ON t_two.two_id = t_merged_id.zero_id
UNION ALL
SELECT t_one.one_id
FROM t_one INNER JOIN t_merged_id ON t_one.column5 = t_merged_id.zero_id
UNION
SELECT t_one.one_id
FROM t_one INNER JOIN t_merged_id ON t_one.column6 = t_merged_id.zero_id
--This is the end of the query shown above
) t_list
ON t_one.one_id = t_list.one_idMy question is, why wouldn’t Oracle use the existing index PK_T_ONE, which is keyed on T_ONE.ONE_ID? I tried refactoring the query using a “WHERE t_one.one_id IN” construct instead of the INNER JOIN but it didn’t make any difference. Neither did adding an index hint, which I hoped would force the use of the PK index.
Any ideas?I was able to completely resolve my problem, but I still want to understand why the original query wouldn't use an index.
(My solution was to move all the joins and where clauses from the query that wrapped the one we've been discussing and put them into each SELECT in the UNION, so there is no longer any inner subquery. So instead of trying to first get a list of ID values from the subquery, get the full records for the IDs from an outer query, and then joining to the outer query, I made SELECT in the UNION contain the full logic. This makes the query a lot more verbose, because all the joins and wheres are repeated six times, but it does use the index and returns in 0.04 seconds instead of over nine minutes in my test database.)
hoek wrote:
Values for optimizer_index_caching and optimizer_index_cost_adj are not the defaults. Any reasons for that?I am not a DBA and have no idea. However, I did a Google search and found this: http://decipherinfosys.wordpress.com/2007/02/13/optimizer_index_cost_adj-and-optimizer_index_caching/. Apparently Tom Kyte would approve more of our settings than the defaults.
hoek wrote:
Any chance to get a realistic dataset on your test server?Unfortunately, not for quite some time. The customer won't provide any real data, and generating data for testing is complex because of all the interrelationships. I have someone working on that. However, I was able to get back on the primary test server that has 136k records in the main table instead of only 2k. So far as I know, the Oracle configuration between the test server and the customer's server is the same. However, they have much more serious hardware that I do (more processors, more RAM, more platters). On the other hand, they have 10 times as much data.
hoek wrote:
Your second execution plan contains differents stats, they're not the 'common ones'. (E-rows etc.)The predicates are the same as the first. The 2nd plan was generated by the 10g-specific portion of Randolph's script using the command "select * from table(dbms_xplan.display_cursor(null, null, 'ALLSTATS LAST'));".
This is the result from running the script on the main test server:
NAME TYPE VALUE
_optimizer_cost_based_transformation string OFF
optimizer_dynamic_sampling integer 2
optimizer_features_enable string 10.2.0.4
optimizer_index_caching integer 95
optimizer_index_cost_adj integer 10
optimizer_mode string CHOOSE
optimizer_secure_view_merging boolean TRUE
db_file_multiblock_read_count integer 32
db_block_size integer 8192
cursor_sharing string FORCE
SNAME PNAME PVAL1 PVAL2
SYSSTATS_INFO STATUS COMPLETED
SYSSTATS_INFO DSTART 04-04-2008 07:02
SYSSTATS_INFO DSTOP 04-04-2008 07:02
SYSSTATS_INFO FLAGS 1
SYSSTATS_MAIN CPUSPEEDNW 646.57331
SYSSTATS_MAIN IOSEEKTIM 10
SYSSTATS_MAIN IOTFRSPEED 4096
SYSSTATS_MAIN SREADTIM
SYSSTATS_MAIN MREADTIM
SYSSTATS_MAIN CPUSPEED
SYSSTATS_MAIN MBRC
SYSSTATS_MAIN MAXTHR
SYSSTATS_MAIN SLAVETHR
SQL> SELECT st.*
2 FROM t_senttsk st INNER JOIN (WITH t_mrgdusr AS (SELECT DISTINCT usr_id
3 FROM t_usr
4 WHERE NVL(usr_mrgemstr, usr_id) = 10000002 /* i_payer_id */
5 )
6 SELECT t_senttsk.setk_id
7 FROM t_senttsk INNER JOIN t_mrgdusr
8 ON t_senttsk.setk_affn_memb = t_mrgdusr.usr_id
9 UNION
10 SELECT t_senttsk.setk_id
11 FROM t_senttsk INNER JOIN t_mrgdusr
12 ON t_senttsk.setk_ownr = t_mrgdusr.usr_id) t_affil
13 ON st.setk_id = t_affil.setk_id;
no rows selected
Elapsed: 00:13:14.54
Execution Plan
Plan hash value: 1241660758
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
| 0 | SELECT STATEMENT | | 169K| 64M| 1403 (3)| 00:00:17 |
| 1 | NESTED LOOPS | | 169K| 64M| 1403 (3)| 00:00:17 |
| 2 | TABLE ACCESS FULL | T_SENTTSK | 136K| 51M| 1400 (3)| 00:00:17 |
| 3 | VIEW | | 1 | 6 | 1 (0)| 00:00:01 |
| 4 | TEMP TABLE TRANSFORMATION | | | | | |
| 5 | LOAD AS SELECT | | | | | |
| 6 | TABLE ACCESS BY INDEX ROWID | T_USR | 1 | 8 | 1 (0)| 00:00:01 |
|* 7 | INDEX RANGE SCAN | IX_NVL_USR_MRGEMSTR_USR_ID | 1 | | 1 (0)| 00:00:01 |
| 8 | SORT UNIQUE | | | | | |
| 9 | UNION-ALL PARTITION | | | | | |
| 10 | NESTED LOOPS | | 1 | 25 | 3 (0)| 00:00:01 |
| 11 | TABLE ACCESS BY INDEX ROWID| T_SENTTSK | 1 | 12 | 1 (0)| 00:00:01 |
|* 12 | INDEX UNIQUE SCAN | PK_T_SENTTSK | 1 | | 1 (0)| 00:00:01 |
|* 13 | VIEW | | 1 | 13 | 2 (0)| 00:00:01 |
| 14 | TABLE ACCESS FULL | SYS_TEMP_0FD9D6608_399116CE | 1 | 6 | 2 (0)| 00:00:01 |
| 15 | NESTED LOOPS | | 1 | 22 | 3 (0)| 00:00:01 |
|* 16 | TABLE ACCESS BY INDEX ROWID| T_SENTTSK | 1 | 9 | 1 (0)| 00:00:01 |
|* 17 | INDEX UNIQUE SCAN | PK_T_SENTTSK | 1 | | 1 (0)| 00:00:01 |
|* 18 | VIEW | | 1 | 13 | 2 (0)| 00:00:01 |
| 19 | TABLE ACCESS FULL | SYS_TEMP_0FD9D6608_399116CE | 1 | 6 | 2 (0)| 00:00:01 |
Predicate Information (identified by operation id):
7 - access(NVL("USR_MRGEMSTR","USR_ID")=10000002)
12 - access("T_SENTTSK"."SETK_ID"="ST"."SETK_ID")
13 - filter("T_SENTTSK"."SETK_AFFN_MEMB"="T_MRGDUSR"."USR_ID")
16 - filter("T_SENTTSK"."SETK_OWNR" IS NOT NULL)
17 - access("T_SENTTSK"."SETK_ID"="ST"."SETK_ID")
18 - filter("T_SENTTSK"."SETK_OWNR"="T_MRGDUSR"."USR_ID")
Statistics
349 recursive calls
275041 db block gets
1239881 consistent gets
26 physical reads
52730252 redo size
3312 bytes sent via SQL*Net to client
240 bytes received via SQL*Net from client
1 SQL*Net roundtrips to/from client
136835 sorts (memory)
0 sorts (disk)
0 rows processed
SQL> SELECT /*+ gather_plan_statistics */ st.*
2 FROM t_senttsk st INNER JOIN (WITH t_mrgdusr AS (SELECT DISTINCT usr_id
3 FROM t_usr
4 WHERE NVL(usr_mrgemstr, usr_id) = 10000002 /* i_payer_id */
5 )
6 SELECT t_senttsk.setk_id
7 FROM t_senttsk INNER JOIN t_mrgdusr
8 ON t_senttsk.setk_affn_memb = t_mrgdusr.usr_id
9 UNION
10 SELECT t_senttsk.setk_id
11 FROM t_senttsk INNER JOIN t_mrgdusr
12 ON t_senttsk.setk_ownr = t_mrgdusr.usr_id) t_affil
13 ON st.setk_id = t_affil.setk_id;
no rows selected
Elapsed: 00:09:15.90
SQL>
SQL> select * from table(dbms_xplan.display_cursor(null, null, 'ALLSTATS LAST'));
PLAN_TABLE_OUTPUT
SQL_ID 2rc9d2c83a7ak, child number 0
SELECT /*+ gather_plan_statistics */ st.* FROM t_senttsk st INNER JOIN (WITH t_mrgdusr AS (SELECT DISTINCT usr_id
FROM t_usr WHERE NVL(usr_mrgemstr, usr_id) = :"SYS_B_0"
/* i_payer_id */ )
SELECT t_senttsk.setk_id FROM t_senttsk INNER JOIN t_mrgdusr
ON t_senttsk.setk_affn_memb = t_mrgdusr.usr_id UNION SELECT
t_senttsk.setk_id FROM t_senttsk INNER JOIN t_mrgdusr ON
t_senttsk.setk_ownr = t_mrgdusr.usr_id) t_affil ON st.setk_id = t_affil.setk_id
Plan hash value: 1065206678
| Id | Operation | Name | Starts | E-Rows | A-Rows | A-Time | Buffers | OMem | 1Mem | Used-Mem |
| 1 | NESTED LOOPS | | 1 | 169K| 0 |00:09:02.47 | 1514K| | | |
| 2 | TABLE ACCESS FULL | T_SENTTSK | 1 | 136K| 136K|00:00:01.64 | 7062 | | | |
| 3 | VIEW | | 136K| 1 | 0 |00:09:00.54 | 1507K| | | |
| 4 | TEMP TABLE TRANSFORMATION | | 136K| | 0 |00:09:00.12 | 1507K| | | |
| 5 | LOAD AS SELECT | | 136K| | 0 |00:08:24.31 | 548K| 1024 | 1024 | |
| 6 | TABLE ACCESS BY INDEX ROWID | T_USR | 136K| 1 | 0 |00:00:06.12 | 410K| | | |
|* 7 | INDEX RANGE SCAN | IX_NVL_USR_MRGEMSTR_USR_ID | 136K| 1 | 0 |00:00:05.41 | 410K| | | |
| 8 | SORT UNIQUE | | 136K| | 0 |00:00:19.10 | 822K| 1024 | 1024 | |
| 9 | UNION-ALL PARTITION | | 136K| | 0 |00:00:17.40 | 822K| | | |
| 10 | NESTED LOOPS | | 136K| 1 | 0 |00:00:08.02 | 411K| | | |
| 11 | TABLE ACCESS BY INDEX ROWID| T_SENTTSK | 136K| 1 | 136K|00:00:06.36 | 411K| | | |
|* 12 | INDEX UNIQUE SCAN | PK_T_SENTTSK | 136K| 1 | 136K|00:00:03.68 | 273K| | | |
|* 13 | VIEW | | 136K| 1 | 0 |00:00:01.03 | 0 | | | |
| 14 | TABLE ACCESS FULL | SYS_TEMP_0FD9D6609_399116CE | 136K| 1 | 0 |00:00:00.67 | 0 | | | |
| 15 | NESTED LOOPS | | 136K| 1 | 0 |00:00:06.54 | 411K| | | |
|* 16 | TABLE ACCESS BY INDEX ROWID| T_SENTTSK | 136K| 1 | 34256 |00:00:05.87 | 411K| | | |
|* 17 | INDEX UNIQUE SCAN | PK_T_SENTTSK | 136K| 1 | 136K|00:00:03.46 | 273K| | | |
|* 18 | VIEW | | 34256 | 1 | 0 |00:00:00.25 | 0 | | | |
| 19 | TABLE ACCESS FULL | SYS_TEMP_0FD9D6609_399116CE | 34256 | 1 | 0 |00:00:00.16 | 0 | | | |
Predicate Information (identified by operation id):
7 - access("T_USR"."SYS_NC00127$"=:SYS_B_0)
12 - access("T_SENTTSK"."SETK_ID"="ST"."SETK_ID")
13 - filter("T_SENTTSK"."SETK_AFFN_MEMB"="T_MRGDUSR"."USR_ID")
16 - filter("T_SENTTSK"."SETK_OWNR" IS NOT NULL)
17 - access("T_SENTTSK"."SETK_ID"="ST"."SETK_ID")
18 - filter("T_SENTTSK"."SETK_OWNR"="T_MRGDUSR"."USR_ID")
hoek wrote:Does rewriting 'the heart of the issue' into like below make any difference?
select a.*
from foo a
where exists ( select null
from bar b
where a.foo_pk_id = b.foo_pk_id
and b.some_col = :bind_var
The UNION in the subquery seems to make that difficult. -
How to give full access to mailbox to users in trusted domain?
Hi,
I am working on a migration-project where we migrate all users from one domain to a new domain. I have Exchange in both domains, and migrates mailoboxes from the old to the new domain. In the old domain I have a number of mailboxes that are used for common
calendars for the departments. My problem is: How can I give the users who has been migrated to the new domain full access to the existing calendar-mailboxex in the old domain? I have given the accounts in the new domain full access to the mailboxes
in the old domain by using to following command: get-mailbox mailboxname | add-mailboxpermission -accessrights FullAccess,ExternalAccount -user newdomain\username
After the command has completed I can see the account listed in the "Manage Full Access Permission"-dialog, but still the new useraccount cannot create appointments etc in the original calendar from Outlook.
Any tips on this?
Thor-EgilHi Thor,
Thank you for your question.
Did the issue occur when we use OWA?
Are there any errors when they cannot create appointments?
We could enable “Support cross forest delegation” on FIM(Forefront Identity Manager) to check if the issue persist.
There is an article for us to how to enable “Support cross forest delegation” by the following link:
http://blogs.technet.com/b/neiljohn/archive/2011/10/12/exchange-server-2010-cross-forest-delegation.aspx
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Jim Xu
TechNet Community Support -
Hi,
I want to fetch the list of users who all are having full access to the sharepoint list using client object model with .Net
Please let me know if any property for the user object or any other way to get it.
Thanks in advance.Here you are complete code i created from some years it lists all groups and users, you can just add a check in the permissions loop to see if it is equal to Full Control.
Private void GetData(object obj)
MyArgs args = obj as MyArgs;
try
if (args == null)
return; // called without parameters or invalid type
using (ClientContext clientContext = new ClientContext(args.URL))
// clientContext.AuthenticationMode = ClientAuthenticationMode.;
NetworkCredential credentials = new NetworkCredential(args.UserName, args.Password, args.Domain);
clientContext.Credentials = credentials;
RoleAssignmentCollection roles = clientContext.Web.RoleAssignments;
ListViewItem lvi;
ListViewItem.ListViewSubItem lvsi;
ListViewItem lvigroup;
ListViewItem.ListViewSubItem lvsigroup;
clientContext.Load(roles);
clientContext.ExecuteQuery();
foreach (RoleAssignment orole in roles)
clientContext.Load(orole.Member);
clientContext.ExecuteQuery();
//name
//MessageBox.Show(orole.Member.LoginName);
lvi = new ListViewItem();
lvi.Text = orole.Member.LoginName;
lvsi = new ListViewItem.ListViewSubItem();
lvsi.Text = orole.Member.PrincipalType.ToString();
lvi.SubItems.Add(lvsi);
//get the type group or user
// MessageBox.Show(orole.Member.PrincipalType.ToString());
if (orole.Member.PrincipalType.ToString() == "SharePointGroup")
lvigroup = new ListViewItem();
lvigroup.Text = orole.Member.LoginName;
// args.GroupsList.Items.Add(lvigroup);
DoUpdate1(lvigroup);
Group group = clientContext.Web.SiteGroups.GetById(orole.Member.Id);
UserCollection collUser = group.Users;
clientContext.Load(collUser);
clientContext.ExecuteQuery();
foreach (User oUser in collUser)
lvigroup = new ListViewItem();
lvigroup.Text = "";
lvsigroup = new ListViewItem.ListViewSubItem();
lvsigroup.Text = oUser.LoginName;
lvigroup.SubItems.Add(lvsigroup);
//args.GroupsList.Items.Add(lvigroup);
DoUpdate1(lvigroup);
// MessageBox.Show(oUser.LoginName);
RoleDefinitionBindingCollection roleDefsbindings = null;
roleDefsbindings = orole.RoleDefinitionBindings;
clientContext.Load(roleDefsbindings);
clientContext.ExecuteQuery();
//permission level
lvsi = new ListViewItem.ListViewSubItem();
string permissionsstr = string.Empty;
for (int i = 0; i < roleDefsbindings.Count; i++)
if (i == roleDefsbindings.Count - 1)
permissionsstr = permissionsstr += roleDefsbindings[i].Name;
else
permissionsstr = permissionsstr += roleDefsbindings[i].Name + ", ";
lvsi.Text = permissionsstr;
lvi.SubItems.Add(lvsi);
// args.PermissionsList.Items.Add(lvi);
DoUpdate2(lvi);
catch (Exception ex)
MessageBox.Show(ex.Message);
finally
DoUpdate3();
Kind Regards, John Naguib Technical Consultant/Architect MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation -
Problem in Assigning table to access sequence
Dear All,
i am facing problem in assigning table to access sequence for billing output type.
I have created 1 table B902 with the combination of Sales org,plant ,Division,Billing doc type.
but if i am going to assign with access sequence system is taking for Billing type & division & for other its showing red marks & errorr.Access sequence->Aceessess->Field.if i am clicking on field in I/O column for plant its displaying negative.
bcause of this i am not able to make condtion record.
Message is Select a document field for WERKS
Regards
ajit
Edited by: SAP SD AJIT on Mar 1, 2010 3:18 PMHi SAP SD AJIT ,
Go to IMG --> Sales and Distribution --> Basic Functions --> Output control --> Output Determination --> Output Determination using condition technique --> Mantain output Determination for billing document --> Mantain condition table, in the pop-up choose the option "Field catalog: Messages for billing documents", there you can add standard field into the catalog, so you can add WERKS and the other one "document structure" I don't know what field it is, but if it is and standard field you can add it. If you have a Z field you need ABAP help to add the Z field to the structure "KOMKBZ5" and then you can add it to the catalog.
Regards,
Mariano. -
Send As, Send on Behalf and Full Access for Exchange server 2010/2013
[This FAQ contains 2 parts]
Testing and watching the behavior of Send As, Send On Behalf and Full Access permission.
Common issue and Troubleshooting on the three permission.
[Testing and Watching]
Based on following blog, I decide to test on my lab:
Full Mailbox Access Rights + Send On Behalf = Send As ?
http://blogs.technet.com/b/ehlro/archive/2012/04/06/full-mailbox-access-rights-send-on-behalf-send-as.aspx
Description on my lab and test:
Exchange 2010 + Outlook 2010
Exchange 2013 + Outlook 2013
Senders: A01, A02, … , A07, A08
Recipient: A09
A01 grand permission to other senders.
Two methods:
a. Use A0x’s credential configure A01’s profile, then send From both A01 and A0x via Outlook. Watching result in A09’s Inbox and Sent Items which has message copy left.
b. Use A0x’s credential configure A0x’s profile, then send From both A01 and A0x via Outlook. Watching result in A09’s Inbox and Sent Items which has message copy left.
Result as following forms:
1. Exchange 2010 + Outlook 2010 / Exchange 2013 + Outlook 2013
Using A0x’s credential configure A01’s mailbox, then send From both A01 and A0x
To A09.
2. Exchange 2010 + Outlook 2010 / Exchange 2013 + Outlook 2013
Using A0x’s credential configure A0x’s mailbox, then send From both A01 and A0x
To A09.
[Common Issue]
1. [Issue]
Exchange 2010 + Outlook 2010. A01 grand A03 Send As permission. However A03 can’t send as A01 to A09 and get NDR:
You can’t send a message on behalf of this user unless you have permission to do so. Please make sure you’re sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.
Details as following pic:
[Troubleshooting]
1) Based on the NDR, it seems a permission issue. Check Send As permission, however the Send As permission configured correctly. Pic as below:
2) ince the Send As permission configured correctly, it seems the permission hasn’t been replicated. Try to restart Microsoft Exchange Information Store service. It works.
Note: The Send As permission isn’t granted until after replication has occurred. Replication times depend on your Exchange and network configuration. To grant the permission immediately, stop and then restart the Microsoft Exchange Information
Store service.
2. [Issue]
Exchange 2013 + Outlook 2013. A01 grand A03 Send As permission. However A03 can’t send as A01 to A09 and get NDR:
Your message did not reach some or all of the intended recipients.
Subject: xxx
Sent: xx/xx/2014 8:20 AM
The following recipient(s) cannot be reached: A09
This message could not be sent. Try sending the message again later, or contact your network administrator. Error is [0x80070005-00000000-00000000].
Details as below:
[Troubleshooting]
1) Also check the Send As permission configuration first.
2) Then try to use A03 send as A01 to A09 via OWA. If OWA works well, it seems and issue on the Outlook client side.
3) This behavior may occur if the OAB in Outlook isn’t updated. Try to download OAB manually.
4) If doesn’t work, please close Outlook and try to delete all the OAB folder on your computer. The path of OAB folder in Win7, Win8 as below:
\Users\<UserName>\AppData\Local\Microsoft\Outlook\Offline Address Books
5) Restart Outlook.
Note: Be aware that you cannot send e-mail messages on behalf of a mailbox if the mailbox is hidden from address list. When sending a message, Exchange requires that e-mail address is resolved in the
From field.
3. [Issue]
Exchange 2010. A01 grant A0x “Send As” or “Send on Behalf” permission. A0x send as/ send on behalf of A01. The message is only copied to the Sent Items folder in A0x’s mailbox (same as the result of my test). Also cannot configure Exchange 2010 so that the
message is copied to the Sent Items folder of both A01 and A0x.
[Troubleshooting]
This issue occurs because Exchange server 2010 was designed to copy message to the Sent Items folder of the sender only. This issue can be solved by installing Exchange 2010 SP2 UR4. More details in the following KB:
Messages that are sent by using the "Send As" and "Send on behalf" permissions are copied only to the Sent Items folder of the sender in an Exchange Server 2010 environment
http://support.microsoft.com/kb/2632409/en-us
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.Nice guide Mavis, I recently explored the same topic. Few things you might want to add is the type of connectivity (Cached vs Online will produce different results) and to expand further on the methods of adding the other mailbox in Outlook (additional mailbox
vs additional account defaults to different methods). Check the screenshot:
And please post this somewhere more visible, like blog/wiki page. -
A user cant see anything in SharePoint calendar with full access
Hi,
I have a wierd issue, where only one user cannot see anything in SharePoint 2010 Calendar, when everyone else can.
The calendar has more than 100 events, and he cannot see anything in Calendar view. The calendar.aspx page comes up with no items in it.
The calendar is very basic with default settings, I also gave the user full access but still nothing changed.
FYI- in list settings, the users can "read all items", not just their own. It happens in all the other calendars also which he opened in front of me.
Also, I logged in with my credentrials on his machine, and I could see all the items.
We were migrating the exchange public calendars manually to SharePoint(about 10 of them), the calendars worked great for so many years without SharePoint, and now after migration the users have to face issues.
ThanksCan you try to use fiddler
to trace why the details are not showing for that particular user? You may get few details to troubleshoot the issue. Does that user see the problem in other machines/browsers as well?
My Blog- http://www.sharepoint-journey.com|
If a post answers your question, please click Mark As Answer on that post and Vote as Helpful -
Auto-Mapping with Full Access Mailboxes-not working in exchange 2010 clients outlook 2013
hello, I have exchange server 2010, the clients are running outlook 2013, I set an mailbox for automapping (full access) but when i restart client it does not appear in the client. i also did the command in the exchange shell, no errors. how can i fix this.
no sp info shows with the
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersionName
Edition : Enterprise
AdminDisplayVersion : Version 14.0 (Build 639.21)
chart says
Exchange Server 2010 November 9, 200914.00.0639.021
is that the issue need sp 1? -
I have a subscription to Acrobat XI Pro, I thought that gave full access to FormsCentral Plus?
I have a subscription to Acrobat XI Pro, I thought that gave full access to FormsCentral Plus. Is this correct? It shows that I only have 1 online form available.
Hi Rac,
Please contact the Customer Service Contact Customer Care for better assistance on this.
Thanks,
Vikrantt Singh -
Resetting the Registry so other Users have full access to Flash Player 9
Does anyone have a solution for fixing the registry after
installing FP9, so all users can have full access to it.
I found this site
http://www.donglefree.com/toppage1.htm
to fix the installation problem, (and it worked perfectly),
but now all other users have limited access to the Flash Player.
(Some sites still say Flash needs to be installed).
Operating System: Windows XP Home Edition, SP1, Internet.
Exp. Version 6.0.2800.1106.xpsp2.050301-1526
Any help would be appriciated.Has anyone tried this to fix the registry problem?
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_19148 -
OBIEE users have full access unfort.
Hi guys, its my first query. I am a newbie.
My company bought BIEE. I did the configurations and connected it our Active Directory.
Problem is, everyone see everything in the forlders (analysis, dashboards etc...)
I will create roles/policies and anything needed to give them specific permisions. But they all seem to have full Access.
What can be the reason ? I dont want to give full permision to everyoneBy default all users belongs to BI Consumer
There might be something wrong in your roles or assigning users double check
~ http://cool-bi.com -
Single mailbox manage permissions issues full access/send as
Exchange 2010 SP3 RU7
I have a weird issue with one mailbox. This user has 2 AD accounts. Say "userprimary" and "usersecondary". This user was set up by another admin that is no longer here. "userprimary" is the actual mailbox
account.
User logs on to workstation using "usersecondary" AD credentials and manually sets up outlook 2010 to connect to "userprimary" mailbox. The userprimary mailbox has manage full access permissions assigned to it for the usersecondary
account. The userprimary mailbox does NOT have "send as permissions" set up. When the user logs in with "usersecondary" he can access the mailbox fine but can also send email. In theory he shouldn't be able to send as
there are no send as permissions set up on the "userprimary" mailbox.
How is this happening and what can I check to resolve this.Userprimary account > manage full access > add usersecondary account.
Userprimary account > manage send as > nothing exists here.
Person logs onto workstation as usersecondary ad account
Person configures outlook to use userprimary account. (supplies no additional credentials)
Person launches outlook and is able to open userprimary account and send and receive emails.
Both AD accounts are Domain Admins.
Person doesn't need to have under the userprimary account, send as permissions with the usersecondary account specified. Reason seems that in AD, domain admins have 'send as' and 'receive as' set for all accounts. -
Exchange 2010 Unable to Assign Full Access Permissions using a Security Group
I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting
the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox
will still appear in Outlook, but the user isn't able to see new emails.
Any ideas on what may be going wrong?
Environment:
Exchange Server 2010 SP1 Standard
Windows Server 2008 R2 Standard
Outlook 2010 SP1 (tried without SP1 as well)
I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?I never got a proper fix.
I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
2. New members of groups are added to FULL Access Permissions
3. Members removed from the groups are removed from FULL access permissions
4. Automapping works :)
5. Maintains a log of access added / removed / time taken etc.
Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environent first, don't complain to me if it wipes out a load of access for you or something like that!
It takes about 5 minutes to run in my environement. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
# Mailbox Permissions Setter for Exchange #
# v1.1 #
# This script will loop through all mailboxes in Exchange and find any where #
# the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
# and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
# This script will add any members of these ACLs directly to the Full Access Permissions #
# of the mailbox and also remove them if they no longer need the access. #
# Script created by Jon Read, Technical Administration
# Recent Changes
# 15/11/2012
# 1.1 Added exclusions for ACLs that we don't want automapping to happen for
# 12/11/2012
# 1.0 Initial script
#Do not change these values
Add-PSSnapin *Ex*
$starttime = Get-Date
$logfile = "C:\accesslog.txt"
$logfile2 = "C:\accesslog2.txt"
$totaladditionstomailboxes = 0
$totalremovalsfrommailboxes = 0
$totalmailboxesprocessed = 0
$totalmailboxesskipped = 0
# Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
# we don't want FULL access mapping to happen. Seperate array values with commas
$ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
Write-Output "# v1.1 #" >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-output "Start time $starttime ">> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
# Set preferred DCs and GCs
$preferredDC = "preferredDC.domain"
$preferredGC = "preferredGC.domain"
Write-Output " PreferredDC = $preferredDC ">> $logfile
Write-Output " PreferredGC = $preferredGC " >> $logfile
Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
# The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
# Check for all mailboxes where the type is SHARED. These are the only ones we would
# want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
$totalmailboxesprocessed = $totalmailboxesprocessed + 1
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
# For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
# We then need it to be turned into a string to use later.
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$skipACL = 0
#Get the distribution group and put the name in a useable format
$distributiongroup=$distributiongroup.user.tostring()
Write-Output "Found ACL $distributiongroup" >> $logfile
# Check if this distribution group needs to be excluded and if it shouldn't be processed
# then move onto the next ACL. This will stop FULL access being granted if the mailbox is
# used for a non-standard purpose. See the start of this script
# for where these are excluded (ExcludedACLArray)
foreach ($ACL in $ExcludedACLArray )
if ($distributiongroup -eq $ACL)
$skipACL = 1
Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
$totalmailboxesskipped = $totalmailboxesskipped + 1
if ($skipACL -eq 0)
# Get each user in this group and for each of them, add try to add them to full access permissions.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$user="DOMAIN\" + $user.alias.ToString()
# Check to see if the user we have chosen from the ACL group already exists in the full access
# permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
# Set $userexists to 0 as the default
$userexists = 0
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission)
# See if the user exists in the mailbox access list.
# Change $fullaccessuser to a useable string (matching $user)
$fullaccessuser=$fullaccessuser.user.tostring()
if ($fullaccessuser -eq $user)
$userexists=1
# Break out of foreach if the user exists so we don't unnecessarily loop
break
# Now we know if the user needs to be added or not, so run code (if needed) to add
# the user to full access permissions
if ($userexists -eq 0)
Add-MailboxPermission $mailbox –user $user –accessrights "FullAccess"
Write-Output "Added $user " >> $logfile
$changes = 1
$totaladditionstomailboxes = $totaladditionstomailboxes + 1
#Now repeat for other users in the ACL
#if changes were 0, then log that no changes were made
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile
# The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
## Check for all mailboxes where the type is SHARED. These are the only ones we would
## want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
# For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
# check if they exist in the ACL
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" })
# Get the security identifier (SSID) of the FULLACCESS user to store for later.
$fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
$fullaccessuser=$fullaccessuser.User.ToString()
#If user needs to be excluded then skip this bit
#Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
#This stops it trying to remove NT AUTHORITY\SELF and other System entries
if ($fullaccessuser -like "DOMAIN\07*")
# Set $userexists to be 0. if we find the use user needs to remain, then change it to 1.
$userexists=0
# Check if this user exists in the ACL, if not, remove.
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$distributiongroup=$distributiongroup.user.tostring()
#Write-Output "Found associated distribution group $distributiongroup" >> $logfile
# Get each user in this group and for each of them, See if it matches the user in the mailbox.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$userguid = $user.Guid.ToString()
$user="DOMAIN\" + $user.alias.ToString()
if ($fullaccessuser -eq $user)
$userexists=1
#we have found the user exists so no need to continue
break
# If userexists = 0, then they are NOT in the ACL, and should be removed from
# the full access permissions. Run the code to remove them from full access.
#CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
if ($userexists -eq 0)
Remove-MailboxPermission -Identity $mailbox –user $fullaccessuserSSID –accessrights "FullAccess" -Confirm:$false
Write-Output "Removed $fullaccessuser " >> $logfile
$changes = 1
$totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
# if changes = 0, no changes were made to this mailbox, so log this fact.
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
#Put the time in a displayable format
$endtime = Get-Date
$runtime = $endtime - $starttime
$runtime = $runtime.ToString()
$runtime1 = $runtime.split(".")
$totaltime = $runtime1[0]
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
Write-output "| Start time : $starttime ">> $logfile
Write-output "| End time : $endtime ">> $logfile
Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile -
Good Day,
There is a previous employee that was a Systems Admin and somehow he granted himself access to Every Mailbox item at one point in time and the cleanup has been a bit messy.
When this user is listed as "Full Access Granted" in the Manage Full Access Permissions function, and I delete him, I get a confirmation that he was removed, but then an additional item below it. (This is depicted in the attached photo)
How do I remove the hierarchical inheritance of this user?
the commands in the photo show:
Remove-Mailboxpermission -identity %OU String% -user %user% -inheritancetype 'All' -Accessrights 'FullAccess'
Add-Mailboxpermission -identity %OU String% -user %user% -Deny -Accessrights 'FullAccess'Hello,
I have removed permission to this user in ADSI Edit Microsoft Exchange Configuration CN and ensured that his name was no where to be found in the ADSI permissions for Exchange. I was running the following command:
Get-Mailbox | Remove-MailboxPermission -User %USER% -AccessRights FullAccess,SendAs,Exter
nalAccount,DeleteItem,ReadPermission,ChangePermission,ChangeOwner -InheritanceType All
and I get a return warning:
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl,
WriteOwner, ControlType: Allow]
and was ignored on object "CN=%FullAccessUser%"
How can I ensure that this user had NO permissions at all to the exchange mailboxes? -
Unable to Download Condition Tables and Access Sequences from R/3
Hi Experts,
We have a new set of condition tables and access sequences created in R/3. Now we need to download them to CRM, which we are unable to perform. We tried downloading DNL_CUST_CNDALL, but there is no use. The new condition tables are not getting pupulated. Moreover when I download this object, the corresponding CNCCRMPRCUS* table for the new condition type is not getting generated in CRM.
The strange thing is the above mentioned tables when created in "development and quality" boxes are getting into respective CRM systems. We are using CRM 4.0.
Your help will be appreciated.
Regards,
AjayHi Ajay
Please check the transaction SLG1 which gives you very good inputs on the errors which would have happened during customizing or condition download
Check the customizing download by giving the following parameters
Object : cond_exchange
Subobject :customizing
Give the date on which the recent customizing download of DNL_CUST_CNDALL was performed.Check whether there are any errors!!if there are errors on then those needs to be corrected so that the new condition tables and access sequences get downloaded correctly to CRM.
Thanks,
Abishek
Maybe you are looking for
-
Problems with a recursive stack
Hello! I?ve got problems with a recursive stack. I?ve got a stack overflow error. Here is my push method. public void push(Object o) StackRekursiv stack = new StackRekursiv(); stack.top = top; stack.rest = rest; if(top==null && rest==
-
Tunes not copying from iTunes to iPod -- frustration
I have a new iPod, 5th generation 60 gig. I have about 20,000 tunes in my songlist. Four (4) of them will not load into the iPod from iTunes. I have AppleCare on my powerbook, so I called to see what could be done. I was told that I have to manually
-
Service entry sheet in Extended classic
Dear all, I would like to check with you, what possibilities does the extended classic scenario give us for GR of services? Currently we have limit POs for transportation services and we would like to know, how the confirmation of monthly transportat
-
Is there a driver for windows 7 64 bit for faxphone L80.?
is there a win 7 64 bit driver for faxphone L80?
-
Is Time Capsule A1254 compatible with Mountain Lion?
I am trying to download the firmware update 7.3.1 and unable to do so. Any suggestions? Thank you.