Channel: Exchange Server 2010 forum

Full Access Permissions to a Mailbox in User/Resource Forest Configuration where SID of User Forest Accounts exist on Resource Forest Disabled Accounts. Full Access does not work.


Hello,

Environment:

User Forests
UFA.com – Windows 2008 R2 Domain Controllers
UFB.com – Windows 2003 Domain Controllers
UFC.com – Windows 2003 Domain Controllers

Resource Forest
RFE.com – Exchange 2010 SP1R6 containing linked mailboxes (with disabled accounts) to accounts in the three user forests.

Information
There is a one way trust between each User Forest and the Resource Forest, where the Resource Forest trusts the User Forest.
Clients use Outlook 2007/2010
The SID of the linked users for UFB.com and UFC.com are listed in the SID History of the disabled account that has the linked mailbox in the Exchange 2010 Resource Forest. The SidHistory got placed there by an ongoing Quest Exchange Migration from Exch2003 (existing in the UserForest) to an Exchange 2010 Resource Forest.

Test Users:
UFA.com\Allen
UFB.com\Billy
UFC.com\Connie
RFE.com\MailboxShare

Using Exchange Powershell I give UFB\Billy full mailbox access:
get-mailbox "RFE\MailboxShare" | add-mailboxpermission -user "UFB\Billy" -AccessRights FullAccess
Result:
Identity            User        AccessRights   IsInherited   Deny
RFE.com/OU/Billy    RFE\Billy   {FullAccess}   False         False

Using Exchange Powershell I now give UFA\Allen full mailbox access:
get-mailbox "RFE\MailboxShare" | add-mailboxpermission -user "UFA\Allen" -AccessRights FullAccess
Result:
Identity            User        AccessRights   IsInherited   Deny
UFA.com/OU/Allen    UFA\Allen   {FullAccess}   False         False

Notice that in the results for UFB\Billy, it used the Disabled account that has the linked mailbox in the Exchange Resource Forest. It seems that because the SID of UFB\Billy exists on the disabled account in the SidHistory attribute, the disabled account is used. You can see the same as above when looking at full mailbox permissions in EMC.

Notice that in the results for UFA\Allen, it used the account in the UFA.com user forest. The SID of UFA\Allen is not in the SidHistory on the Disabled account in the Exchange Resource Forest.

The problem is that UFB\Billy does NOT have full access to the mailbox. UFB\Billy cannot open the mailbox by adding the mailbox to his Outlook profile.
UFA\Allen does have full access!

We have resorted to using delegation to get around this. For example, delegating UFB\Billy to have Editor Permissions through the Outlook Delegation settings. However, we have 3rd party applications that are not delegate aware, and expect to have full mailbox permissions on a shared mailbox. These 3rd party applications state that UFB\Billy does not have full mailbox permissions.

Very soon due to requirements of other Resource Forest projects such as RMS and Lync, we will be adding the SidHistory of users in UFA to the Disabled Accounts that have the linked mailbox in the Exchange 2010 Resource Forest. I expect UFA.com Users to lose their full mailbox permissions when we do this.

Does anyone see the same results I do? I hope this was clear enough. I appreciate any assistance.

~~~ Mark Orser Pernod Ricard Americas
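An added diagnostic, not part of the original post and not Microsoft's or the poster's own code, that makes the behaviour described above visible in one place: for a given user-forest account it resolves the account's SID, searches the resource forest for any object carrying that SID in sidHistory, and reads back the principal that Get-MailboxPermission actually reports on the shared mailbox. It assumes the Exchange 2010 Management Shell and the ActiveDirectory module are loaded on a machine in the resource forest (rfe.com, per the post), that the resource forest can resolve names from the trusted user forests, and that the LDAP filter form (sidHistory=S-1-5-…) is accepted by the domain controller. The function names Get-PrincipalSid and Test-LinkedMailboxAccess are hypothetical.

```powershell
# Added example (not from the original post). Assumes Exchange 2010 Management
# Shell + ActiveDirectory module; the forest names come from the post.
# Get-PrincipalSid and Test-LinkedMailboxAccess are hypothetical helper names.

Import-Module ActiveDirectory

function Get-PrincipalSid {
    # Resolve "DOMAIN\user" to its SID string via the trust (assumed reachable).
    param([Parameter(Mandatory=$true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-LinkedMailboxAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,   # e.g. "RFE\MailboxShare"
        [Parameter(Mandatory=$true)][string]$User,      # e.g. "UFB\Billy"
        [string]$ResourceForest = 'rfe.com'             # assumption from the post
    )

    $sid = Get-PrincipalSid -Account $User
    $requestedDomain = ($User -split '\\')[0]

    # 1. Is this SID present in sidHistory of any resource-forest object?
    #    (Assumes the DC accepts the string SID form in an LDAP filter.)
    $shadow = Get-ADUser -Server $ResourceForest `
        -LDAPFilter "(sidHistory=$sid)" `
        -Properties sidHistory, Enabled, msExchMasterAccountSid

    # 2. Which principal does the mailbox ACE actually name for this user?
    $ace = Get-MailboxPermission -Identity $Mailbox -User $User `
        -ErrorAction SilentlyContinue

    $aceUser = if ($ace) { $ace.User.ToString() } else { '(none)' }
    $aceDomain = if ($ace) { ($aceUser -split '\\')[0] } else { $null }

    # If the ACE names a principal in a different domain than the one we
    # asked for, Exchange resolved the user to the sidHistory holder.
    $resolvedToShadow = [bool]($shadow -and $ace -and ($aceDomain -ne $requestedDomain))

    New-Object PSObject -Property @{
        User             = $User
        UserSid          = $sid
        SidHistoryOwner  = $(if ($shadow) { $shadow.DistinguishedName } else { $null })
        OwnerEnabled     = $(if ($shadow) { $shadow.Enabled } else { $null })
        AceUser          = $aceUser
        AccessRights     = $(if ($ace) { ($ace.AccessRights -join ',') } else { '(none)' })
        ResolvedToShadow = $resolvedToShadow
    }
}

# Usage: compare the two cases from the post side by side.
Test-LinkedMailboxAccess -Mailbox 'RFE\MailboxShare' -User 'UFB\Billy' | Format-List
Test-LinkedMailboxAccess -Mailbox 'RFE\MailboxShare' -User 'UFA\Allen' | Format-List
```

For the UFB\Billy case the report is expected to show a SidHistoryOwner in rfe.com whose OwnerEnabled is False and an AceUser in the RFE domain, i.e. ResolvedToShadow is True; for UFA\Allen the sidHistory search returns nothing and the ACE names the UFA principal. Running this before adding UFA SIDs to sidHistory, and again afterwards, gives a concrete record of which mailbox ACEs changed their resolved principal.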
