Forum Discussion
brogyi
Mar 22, 2022 · Brass Contributor
Full access with mail enabled security group access denied
Hello,
I read the MS Add-MailboxPermission docs (https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps) and the User parameter accepts security groups too.
I ran the following command:
Add-MailboxPermission -User xch_full-access -Identity $mbox -AccessRights FullAccess -AutoMapping $false -ErrorAction Stop   # xch_full-access is the group
It goes okay, but if I go to OWA and try to open the mailbox, I get access denied. If I check the ECP panel, I can see the added group in the mailbox delegation section under Full Access.
What am I missing, or what am I doing wrong?
According to this topic, this is not possible: https://community.spiceworks.com/topic/2162187-how-do-i-give-members-of-a-security-group-access-to-a-user-mailbox
X-OWA-Error Microsoft.Exchange.Clients.Owa2.Server.Core.OwaExplicitLogonException
X-OWA-Version 15.1.2308.20
InnerException: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
- brogyi (Brass Contributor)
On 03.26. I posted a reply; I don't know why it is not displayed. Trying again.
EdTheFil I tried the steps, same error unfortunately.
Deleted I did create a new db, to move two test mailboxes into it, to see if it is working on a fresh mail db. The new db asked for an Information Store restart, which I cannot do during work hours. Today I will write a simple line of code to restart the service at night.
My other plan was to restore the db and the logs from backup to a new drive, and check the db's state from yesterday. I tried to check the restored db, but eseutil said that the db is not up to date, because some log files still needed to be written to the db. Anyway, I tried the /g switch; it warned me beforehand that it could result in a corrupted database; well, it did.
- brogyi (Brass Contributor)
Update: I created a new test mailbox database, and moved two mailboxes to it. Here the access via group works. I suppose the mail db is not perfect, so I am doing a check, and requesting a maintenance window, to check the original db in offline state.
- Deleted
brogyi Be sure to have a working backup. 😉 I'm keen on hearing from you after finishing your work.
- brogyi (Brass Contributor)
EdTheFil I did check the e-mail connectivity tab, Outlook on the web is enabled.
Deleted What about granting full access to a single user account. Does this work? --> It does.
similar cases which pointed in the direction of a corrupt database. --> Could you help me with checking an online database's integrity? Or how should I check it? We have only one.
I am using the /g switch to check the db (which is in use).
Probably this is the root cause: I am getting Jet error 1032, JET_errFileAccessDenied, cannot access file, the file is locked or in use. How should I proceed?
- EdTheFil (Copper Contributor)
Before creating another DB I would try to repeat the steps using just the web GUI. Open ECP, go to the Group tab and create another security group. Click the + symbol and choose Security Group. Once the group is created, go to the Mailboxes tab (or Shared in case the target mailbox is shared), find the mailbox you want to grant access to, open its properties and choose Mailbox Delegation. Scroll down to Full Access and add this newly created group. Add yourself to the group and after a couple of minutes try to open the mailbox in OWA.
I am sure that you probably already know all these simple steps, but I would give it a try.
- Deleted
You probably will create a new database, move all mailboxes to the new one and see, if this fixes the issue. A mailbox move often solves issues.
I personally wouldn't use ESEutil and Isinteg without Microsoft support. Most of the checks and finally a repair can't be run against an online database. So if you can't move mailboxes to another DB you will have downtime. Depending on your hardware it could be a short or longer one.
First read these two articles and then stick to the Microsoft documentation.
https://www.stellarinfo.com/blog/microsoft-exchange-data-storage-connection-failedtransientexception/
https://www.stellarinfo.com/blog/exchange-2013-2016-database-repair-eseutil-or-isinteg/
But first of all wait for some more hints. Maybe the "corrupt database" thing points into a totally wrong direction.
- EdTheFil (Copper Contributor)
Have you checked in ECP if the target user's mailbox is OWA enabled? Just to be sure. You will find it under Email Connectivity -> Outlook on the web
- Deleted
Did you take notice of https://docs.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019 ? Maybe the kind of group doesn't fit?
- brogyi (Brass Contributor)
The target mailbox is not hidden. The target mailbox is a user mailbox. The delegate was created in EAC and is a mail-enabled security group. So I still think it should work.
How can I get more information about the error, besides what OWA gives me (not too informative)? Or what else should I check?
- Deleted
Could you please post the results of "get-mailboxpermission $mbox" and "get-casmailbox $mbox | fl owaenabled"?
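The checks asked for across this thread (group type, the FullAccess entry, OWA setting, hosting database), gathered into one read-only script for the Exchange Management Shell. This is an added example, not part of any post above; `target.mailbox` and `delegate.user` are placeholder names, and only direct group membership is checked.

```powershell
# Added example: read-only checks, nothing is modified.
$mbox     = 'target.mailbox'     # placeholder: mailbox that should be opened
$group    = 'xch_full-access'    # group name used in the thread
$delegate = 'delegate.user'      # placeholder: account that gets "access denied" in OWA

# 1. The delegate group must be a mail-enabled universal security group.
$g = Get-Group -Identity $group
$isMailSecurityGroup = $g.RecipientTypeDetails -eq 'MailUniversalSecurityGroup'

# 2. Permission entries set directly on the mailbox (inherited ones are skipped).
$perms = Get-MailboxPermission -Identity $mbox | Where-Object { -not $_.IsInherited }
$grant = $perms | Where-Object {
    -not $_.Deny -and
    "$($_.AccessRights)" -match 'FullAccess' -and
    $_.User.ToString() -like "*$group"
}
# Deny entries take precedence over a group grant, so list them separately.
$deny = $perms | Where-Object { $_.Deny }

# 3. Is the delegate a direct member of the group? Compare by GUID, not by name.
$d        = Get-Recipient -Identity $delegate
$members  = Get-DistributionGroupMember -Identity $group -ResultSize Unlimited
$isMember = @($members | ForEach-Object { $_.Guid }) -contains $d.Guid

# 4. OWA must be enabled on the target mailbox.
$owaEnabled = (Get-CASMailbox -Identity $mbox).OWAEnabled

# 5. Database hosting the mailbox (the thread saw different results per database).
$database = (Get-Mailbox -Identity $mbox).Database

[pscustomobject]@{
    Mailbox              = $mbox
    Group                = $group
    GroupTypeDetails     = $g.RecipientTypeDetails
    IsMailSecurityGroup  = $isMailSecurityGroup
    GroupHasFullAccess   = [bool]$grant
    DenyEntries          = @($deny | ForEach-Object { "$($_.User): $($_.AccessRights)" }) -join '; '
    DelegateIsMember     = $isMember
    OwaEnabled           = $owaEnabled
    Database             = $database
} | Format-List
```

If every check passes and access is still denied, the result points away from the permission configuration itself, which matches what the thread observed when the same group grant worked on a freshly created database.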