Outlook 2003 is prompting my Active Directory users for their logon credentials when opening their mailbox?
Since your "Domain Admins" can access their mailboxes without problems this doesn't point to a database mounting problem. Has somebody been playing around with permissions in the Active Directory? Start by querying everybody who would have access to do such a thing (Enterprise Admins, Domain Admins).
Are you seeing anything amiss in the event logs on the Exchange Server computer? That is the absolute first place to look.
Perhaps an obvious question, since you say it was working y'day, but: The client computers are joined to the domain and the users are logging-on with domain accounts and not local accounts-- correct?
I'd examine the default permissions on the Exchange organization by turning on the "Security" tab in Exchange System Manager (create a REG_DWORD value called "ShowSecurityPage" in the key "HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin").
I'm having a really hard time finding a doc from Microsoft that describes the default top-of-the-organization permissions for Exchange 2003! It would probably be easiest if you dumped a copy of the ACL using the DSACLS command and added that as an edit to your question.
To formulate the command-line for the DSACLS command you're going to need to know the distinguished name of your Exchange organiation. The easiest way to do this is to install the "Windows Support Tools" from the W2K3 CD, in the "SUPPORT" folder. After you've got that installed, start "ADSIEDIT.MSC" from Start / Run.
Expand the "Configuration" container in the left pane, the "CN=Configuration,..." sub-node, the "CN=Services" container, and the "CN=Microsoft Exchange". In that "CN=Microsoft Exchange" container you'll find your Exchange organization as a "CN=Organization Name Here" node.
Bring up the properties for your organization, scroll down to the "distinguisedName" attribute, highlight it and click "Edit", and copy the contents of the "Value" text-box (making no changes!).
Close up ADSIEDIT. Click Start / Run and enter the following command, pasting in the "distinuguiedName" value you copied inside the double-quotation marks (leaving the double-quotation marks in the command):
CMD /C DSACLS "paste distinguishedName value here" > %TEMP%\ACL.TXT
A window will briefly appear and close. Click Start / Run and enter the command:
%TEMP%\ACL.TXT
This will bring up your top-level Exchange organiation permissions in a Notepad window.
Related videos on Youtube
03 : 09
04 : 21
13 : 05
07 : 55
03 : 35
HeavyObjectLifter
Updated on September 17, 2022Comments
-
HeavyObjectLifter over 1 year
I am running Exchange 2003 for a mail server, and Windows Server 2003 as my NOS.
When users attempt to open Outlook 2003 and gain access to their mailbox, the system is prompting them for a username/password. Even when the correct credentials are entered, the box just prompts them again, and again...
These users had un-prompted access to their accounts yesterday without any problems or prompts. Today I have the credential prompts.
For any user with Domain Admin, the system does NOT prompt them. They have access just like the did before today - just double-click on the Outlook icon, and the mailbox opens.
I can ping the server, ping by FQDN, and ping by short-DNS-name. I can browse sites and resolve DNS addresses outside of my domain, and those within.
I need to get my users access to their mailboxes without a prompt, and without granting additional privileges. Upgrading software or operating systems is not an option.
I have no clue where I should go from here... any help is greatly appreciated.
-
Thomas van Broekhoven almost 15 yearsI have exactly the same problem, but I got it from the very beginning. -
HeavyObjectLifter almost 15 yearsQuick Update... My superiors have made one of the wildest decisions. We have added all users to the main admin group to get the network back up. Yes, I explained the huge risk, and they accepted the risk. sigh We are building new exchange servers on the domain, creating some test OU structures, and researching an interesting log entry about the event log being full. I will post here often, but if anyone has any ideas, I would love to hear them.
-
-
HeavyObjectLifter almost 15 years1. I have the servers and clients updated from windows update on the the 17th of June, same with VirusDefs. 2. Our WSUS server isn't online yet. This network is in its infancy, having only been stood up 10 days ago. Also this is a closed network, with no internet or external access. 3. What events should I be looking for? I have no abundance of failed logon attempts... 4. This happens even on brand new users and test accounts, but I will try. 5. Define bounce... I have rebooted once, but I do not want to again.
-
HeavyObjectLifter almost 15 yearsYes, all computers are added to my domain, and users are using their domain credentials.
-
HeavyObjectLifter almost 15 yearsHi Evan. As I said, the network is not connected to any outside network, so I am unable to post it here. Is there anything particular that I should be looking for in that file? Thanks for taking to time to help. I appreciate it.
-
Spence almost 15 yearsDomain Admins have been explicity denied access to all user mailboxes since Exchange 2000 by default, actually.
-
Spence almost 15 years@Dodger: Here's a link to a dump of the ACL at the top of an Exchange 2003 organization. This one, like yours, has the explicit "Deny / Receive As" permissions removed for "Domain Admins", etc. mx02.wellbury.com/misc/…
-
SpaceManSpiff almost 15 yearsOk I stand corrected, but my advice to verify the permissions for the account account still stands.
