Full access with mail enabled security group access denied

Hello,

I read the MS Add-MailboxPermission docs (https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps) and the User parameter accepts security groups too.

I ran the following command:

Add-MailboxPermission -User xch_full-access (this is the group) -Identity $mbox -AccessRights fullaccess -AutoMapping $false -ErrorAction stop

It completes okay, but if I go to OWA and try to open the mailbox I get access denied. If I check the ECP panel, I can see the added group in the Mailbox Delegation section under Full Access.

What am I missing, or what am I doing wrong?
According to this topic it is not possible: https://community.spiceworks.com/topic/2162187-how-do-i-give-members-of-a-security-group-access-to-a... 

X-OWA-Error Microsoft.Exchange.Clients.Owa2.Server.Core.OwaExplicitLogonException
X-OWA-Version 15.1.2308.20
InnerException: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
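The same grant followed by the checks the replies below ask for (Get-MailboxPermission, Get-CASMailbox), plus a walk of nested group membership, as an added example that is not part of the original post. The mailbox and group names are the thread's; the member account is a placeholder.

```powershell
# Added example (not from the thread): grant FullAccess to a mail-enabled security
# group, then audit the state that decides whether a member can open the mailbox.
# Assumed placeholders: $Member; $Mailbox and $Group are the names used in the thread.
param(
    [string]$Mailbox = 'teszt.barnabas',     # target mailbox (-Identity)
    [string]$Group   = 'xch_full-access',    # mail-enabled security group (-User)
    [string]$Member  = 'some.user'           # hypothetical group member expected to get access
)

# 1. Grant, as in the original post (AutoMapping off so Outlook does not auto-add it).
Add-MailboxPermission -Identity $Mailbox -User $Group -AccessRights FullAccess `
    -AutoMapping $false -ErrorAction Stop | Out-Null

# 2. The group must be a mail-enabled universal *security* group; a distribution
#    group is not a security principal and cannot carry a mailbox ACE.
$g = Get-DistributionGroup -Identity $Group -ErrorAction Stop
if ($g.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    Write-Warning "$Group is $($g.RecipientTypeDetails), not MailUniversalSecurityGroup"
}

# 3. Non-inherited ACEs on the mailbox: expect the group's Allow entry, and flag any
#    explicit Deny, which is evaluated before an Allow obtained through group membership.
$aces = Get-MailboxPermission -Identity $Mailbox | Where-Object { -not $_.IsInherited }
$aces | Select-Object User, AccessRights, Deny | Format-Table -AutoSize
$denies = $aces | Where-Object { $_.Deny }
if ($denies) { Write-Warning "Explicit Deny entries present: $($denies.User -join ', ')" }

# 4. Is the member actually in the group? Walks nested groups with a depth guard.
function Test-NestedMember([string]$GroupId, [string]$User, [int]$Depth = 0) {
    if ($Depth -gt 10) { return $false }     # guard against membership loops
    foreach ($m in Get-DistributionGroupMember -Identity $GroupId -ResultSize Unlimited) {
        if ($m.Alias -eq $User -or $m.Name -eq $User -or
            "$($m.PrimarySmtpAddress)" -eq $User) { return $true }
        if ($m.RecipientTypeDetails -like '*Group*' -and
            (Test-NestedMember $m.Identity $User ($Depth + 1))) { return $true }
    }
    return $false
}
if (-not (Test-NestedMember $Group $Member)) { Write-Warning "$Member is not a member of $Group" }

# 5. OWA must be enabled on the target mailbox (the Get-CASMailbox check asked for below).
if (-not (Get-CASMailbox -Identity $Mailbox).OWAEnabled) { Write-Warning "OWA is disabled on $Mailbox" }
```

Run it from the Exchange Management Shell; each warning names a condition that would explain an "access denied" in OWA even though the group shows up under Full Access in ECP.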
The target mailbox is not hidden. The target mailbox is a user mailbox. The delegate was created in EAC and is a mail enabled security group. So I still think it should work.
How can I get more information about the error, besides what OWA gives me (not too informative)? Or what else should I check?
Could you please post the results of "get-mailboxpermission $mbox" and "get-casmailbox $mbox | fl owaenabled"?

@Deleted 

This is the Get-MailboxPermission output with Format-List:


RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : domainName\delegate user
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : domainName\xch_full-access-1-1356144182
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : domainName\Tartománygazdák (<-- maybe "domain owners" not sure how to translate, it is a built in group)
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : domainName\Vállalati rendszergazdák (<-- maybe "domain administrators" not sure how to translate, it is a built in group)
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : domainName\delegate user
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : domainName\Organization Management
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SYSTEM
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\HÁLÓZATI SZOLGÁLTATÁS (<-- network service)
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : domainName\Tartománygazdák (<-- maybe "domain owners" not sure how to translate, it is a built in group)
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : domainName\Vállalati rendszergazdák (<-- maybe "domain administrators" not sure how to translate, it is a built in group)
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : domainName\delegate user
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : domainName\Organization Management
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : domainName\Public Folder Management
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : domainName\Delegated Setup
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess, ReadPermission}
Deny            : False
InheritanceType : All
User            : domainName\Exchange Servers
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : domainName\Exchange Trusted Subsystem
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

RunspaceId      : 5c55fc5e-0b2f-4ad4-8e71-940942488e19
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : domainName\Managed Availability Servers
Identity        : domainName.hu/domainName/Users/teszt/Teszt Barnabás
IsInherited     : True
IsValid         : True
ObjectState     : Unchanged

The Get-CASMailbox OwaEnabled property is set to true.


Is "teszt.barnabas" member of the group "xch_full-access-1-1356144182"?
No, teszt.barnabas is the test user whose mailbox should be viewed through the xch_full_access group. To be clear, in the Add-MailboxPermission command the -Identity is teszt.barnabas (the test user) and the -User is xch_full_access (the security group).

Ok, I missed that. Sorry. What about granting full access to a single user account. Does this work?

I'm still wondering if all rights are set correctly. But while searching the web I saw some similar cases which pointed in the direction of a corrupt database. Maybe this happened to you, too.

Have you checked in ECP if the target user's mailbox is OWA enabled? Just to be sure. You will find it under Email Connectivity -> Outlook on the web.
@EdTheFil I did check the e-mail connectivity tab, Outlook on the web is enabled.
@Deleted What about granting full access to a single user account. Does this work? --> It does.
similar cases which pointed in the direction of a corrupt database. --> Could you help me with checking an online database's integrity? Or how should I check it? We have only one.
I am using the /g switch to check the db (which is in use).
Probably this is the root cause: I am getting Jet error 1032, JET_errFileAccessDenied, cannot access file, file is locked or in use. How should I proceed?

You probably will create a new database, move all mailboxes to the new one and see if this fixes the issue. A mailbox move often solves issues.

I personally wouldn't use ESEutil and Isinteg without Microsoft support. Most of the checks and finally a repair can't be run against an online database. So if you can't move mailboxes to another DB you will have downtime. Depending on your hardware it could be a short or longer one.

First read these two articles and then stick to the Microsoft documentation.
https://www.stellarinfo.com/blog/microsoft-exchange-data-storage-connection-failedtransientexception...

https://www.stellarinfo.com/blog/exchange-2013-2016-database-repair-eseutil-or-isinteg/


But first of all wait for some more hints. Maybe the "corrupt database" thing points into a totally wrong direction.

Before creating another DB I would try to repeat the steps using just the web GUI. Open ECP, go to the Groups tab and create another security group: click the + symbol and choose Security Group. Once the group is created, go to the Mailboxes tab (or Shared in case the target mailbox is shared), find the mailbox you want to grant access to, open its properties and choose Mailbox Delegation. Scroll down to Full Access and add this newly created group. Add yourself to the group and after a couple of minutes try to open the mailbox in OWA.
I am sure that you probably already know all these simple steps, but I would give it a try.
On 03.26. I posted a reply; I don't know why it is not displayed. Trying again.
@EdTheFil I tried the steps, same error unfortunately.
@Deleted I did create a new db, to move two test mailboxes into it, to see if it is working on a fresh mail db. The new db asked for an Information Store restart, which I cannot do during working hours. Today I will write a simple line of code to restart the service at night.
My other plan was to restore the db and the logs from backup to a new drive and check the db's state from yesterday. I tried to check the restored db, but eseutil said that the db is not up to date, because some log files still needed to be written to the db. Anyway I tried the /g switch; it warned me beforehand that it could result in a corrupted database, and it did.
Update: I created a new test mailbox database and moved two mailboxes to it. Here the access via group works. I suppose the mail db is not perfect, so I am doing a check and requesting a maintenance window to check the original db in an offline state.

@brogyi Be sure having a working backup. 😉 I‘m keen on hearing from you after finishing your work.

Yesterday I did the maintenance. I dismounted the database and ran the /mh switch and checked the output: everything okay, clean state, no waiting transactions. Then I started the integrity check using the /g switch. The check took quite some time, but it found no error. I had prepared some repair cases, but I did not expect no error. I ran New-MailboxRepairRequest on all mailboxes, with all switches.
This morning I checked the access, and it seems to work fine. So I ran a PowerShell script to add the group to all mailboxes. After the script completed I picked a random mailbox and tried to open it. It did not work!
Here comes the interesting part. I have a test mailbox that was in the test group (xch_test) for days. Steps I did:
1. I manually added the test group to a random mailbox to give full access
2. Tried to open the random mailbox with the test user – it succeeded
3. Added my account to the test group
4. Tried to open the same random mailbox – it did not work, same permission error

I logged off from OWA and from the Exchange server, logged in again, not helping. Why is Exchange not aware that my user is part of the group?
I moved 10 mailboxes to a new database. I can access them via the group fine. Note they already had the group added on the Full Access tab. If I create a new user mailbox in the new database and add the security group to it, the error is still happening. Meaning (to me) the original old database has no problem. Something else is working differently here. I can't move newly created mailboxes between databases just to make this work... Why is this happening?
Now it is working. I checked the replication, no error, but the Exchange server and the domain controllers are in one site. I do not understand this behaviour at all.
Hi brogyi,

It is really something weird, there is some inconsistency around. What happens if you add a user directly to ACL of a newly created mailbox? Try to bypass the group.