Friday 28 August 2009

MapiExceptionNotAuthorized in Exchange 2007

I thought I would share with everyone an issue we had with mail delivery to Public Folders in Exchange 2007. We were receiving the following error:

#550 5.2.0 STOREDRV.Deliver: The Microsoft Exchange Information Store service reported an error. The following information should help identify the cause of this error: "MapiExceptionNotAuthorized....

This happened for some staff, but others could deliver messages just fine. Also external users i.e. Hotmail could deliver messages to the PFs without issue.

You would imagine then there must be a deny rule somewhere for a specific group of staff, or there was something wrong with the permissions on the PF. Numerous tests and checks proved this to not be the case.

Fortunately a pattern started to emerge with the people having the problem i.e. they were all in the same faculty and members of specific groups. Further testing proved that if a user was a member of a few groups their messages/emails would be denied to ALL PFs. However the groups were not mentioned anywhere in the PF permissions.

We even created new mail enabled PFs and gave everyone full control with no denies... still no luck. After a bit more thinking we figured that it must be that Exchange is having trouble reading the group membersip. We soon found that the OUs containing the problem groups of which the problem users were members, had inheritance switched off and hence had not picked up the new Exchange 2007 permissions when we installed EX2007. They still allowed the old Exchange Enterprise Servers group acccess which worked for EX2003, but no access was in place for the EX2007 Exchange Servers group. The OUs had also had read permissions removed for Pre-Windows 2000 (Everyone) and Authenticated Users. Therefore Exchange was denying the user access as it could not fully recurse the users ACLs. I guess this is secure by default in action, although it seems like a bit of an inefficient design to me.

I hope this saves someone a bit of time as it took us ages to get to the bottom of it.

Posted by Rob Head at 13:28

Labels:

2 comments:

Unknown said...

Great find! This exact thing heppend to me this week, and your blog led me to the solution.

Thanks for the blog!

12 November 2009 at 22:09
Anonymous said...

Really a good post.

27 July 2011 at 05:14

Post a Comment

Subscribe to: Post Comments (Atom)