Exchange user mailbox permissions issues

An IT infrastructure so organic, sometimes I feel like this guy.

I work for a company whose network and server environment represents a fairly common scenario in the corporate IT world. They had moved to Active Directory and Exchange about a decade ago and continued to upgrade and grow based off of a general configuration or structure that had been established when those services (AD, Exchange, etc.) were first set up.

Over time, various administrators made changes to these systems to accommodate new services, programs, and initiatives. These changes, being completely necessary and reasonable, caused the IT infrastructure to grow and change in a somewhat organic fashion. When I use the word organic in this case, I mean it in the sense that servers and the network were configured around the changing needs of the company, bit by bit. Consequently, I occasionally run into quirks or issues like the one I’ll be discussing below. I like to think these quirks give the infrastructure character. It keeps me on my toes.

I was changing an Exchange user’s mailbox properties the other day to remove a quota that had been set. When I clicked the OK button to apply the new settings to the mailbox, I received the following error:

The error message is as follows:

“Error: Active Directory operation failed on emailserver.organization.com. This error is not retriable. Additional information: insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.”
 

After some moderate googling, I came across some blog and support forum posts by others who had encountered this error. The general consensus was to check the user’s AD security settings to ensure that the “Exchange Enterprise Servers” group had appropriate permissions. Permissions could be fixed by ensuring that inheritance was applied to the user.

I confirmed that the user object had inheritance enabled but I was still unable to apply the changes to the mailbox. I had gone back to skimming the blogs again when I noticed a suggestion in a post to check the inheritance settings for the OU that the user account was in. It turns out that the OU’s inheritance setting had been disabled.

The story goes as follows:

At some point before we had upgraded to Exchange 2010, we had delegated some permissions for the Help Desk so that they could reset users’ passwords. There were some users, people in Accounting, HR, and Executives, whose passwords we felt the Help Desk should not be able to reset. The delegated permissions had been set on an OU that the users’ department OUs were sub-OUs of. In the above example, the North America OU would be where the delegated permissions for the Help Desk had been set. The sub-OUs (Executives, Marketing, IT, etc.) would inherit those permissions unless inheritance was disabled in their security settings.

In the end, I concluded that disabling inheritance on the affected user’s OU prevented the application of new permissions to that user’s account that would have been set when we updated to Exchange 2010. To resolve the issue, I had to go ahead and re-enable inheritance on the department OU of the user whose mailbox quota I couldn’t change. This caused the necessary permissions, which had changed or been added with the upgrade to Exchange 2010, to be applied to the user’s account.

I still wanted to prevent the Help Desk from being able to reset the users’ passwords, so I disabled inheritance on the OU in question and manually removed the permissions that I didn’t want applied to the users. I think that the delegation of rights to the Help Desk maybe should have been applied differently, but that’s the moral of this story: The reality of IT is that very rarely, if ever, is any configuration ideal for all uses and situations. Tread carefully, it’s a jungle out there.
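The inheritance check described above can be done in one pass instead of clicking through each Security tab. The following is an added example, not part of the original post: a read-only PowerShell audit that walks from the user object up through every parent OU to the domain root and reports where inheritance is blocked. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module; the function name `Get-InheritanceChain` and the account `jdoe` are hypothetical, and the default group name is the one mentioned in the post.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# The ActiveDirectory module provides Get-ADUser and the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

function Get-InheritanceChain {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Group whose ACEs to count; taken from the post, adjust for your environment.
        [string] $Principal = 'Exchange Enterprise Servers'
    )

    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName

    while ($dn) {
        $acl = Get-Acl -Path "AD:\$dn"

        # ACEs on this object that name the principal of interest.
        $aces = @($acl.Access | Where-Object { $_.IdentityReference -like "*$Principal*" })

        [pscustomobject]@{
            DistinguishedName  = $dn
            # True means "include inheritable permissions" is unchecked on this object.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            PrincipalAces      = $aces.Count
            InheritedAces      = @($aces | Where-Object { $_.IsInherited }).Count
        }

        # Stop at the domain root; otherwise step to the parent container by
        # dropping the first RDN (split on the first unescaped comma).
        if ($dn -like 'DC=*') { break }
        $dn = ($dn -split '(?<!\\),', 2)[1]
    }
}

# 'jdoe' is a constructed placeholder account name.
Get-InheritanceChain -SamAccountName 'jdoe' | Format-Table -AutoSize
```

A row with `InheritanceBlocked` set to True on an OU, followed by zero `PrincipalAces` on the objects beneath it, matches the situation in this post: permissions added higher in the tree never reached the user.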

Further reading:
Technet 

Why you should care about The EFF

EFF stands for the Electronic Frontier Foundation. The Electronic Frontier Foundation is a non-profit organization that works mostly in the legal system to fight corporate and government infringement of people’s rights, especially where technology is concerned. Think Atticus Finch meets the kids from Hackers and you’re kinda, sorta, not really there but you get where I’m going with this, right?

Anyway, the EFF has guts. Their first legal battle was to help a small role-playing game developer (Steve Jackson Games) who had been illegally raided and nearly financially ruined by the United States Freakin’ Secret Service. The EFF then went on to square off against many more bullies; defending the privacy, rights, and values of people who like freedom. You can check out a list of their exploits here: https://www.eff.org/cases

The EFF also works to raise awareness about privacy, fair use, and freedom of speech issues through whitepapers. They have a wonderful Bloggers’ Rights section on their website with tons of information including a legal guide for bloggers.

My point here is, the EFF is working hard to keep The Internet free and users’ privacy and rights intact; if you value those things, you should probably support them by donating.

You can donate to the EFF by going here: https://supporters.eff.org/donate.

Oh yeah, and Adam Savage of Mythbusters fame thinks they’re cool too.

So you want to learn to pick locks

Lockpicking is awesome. No lie. Picking open your first lock is exciting, unsettling, and possibly addicting. It’s exciting in the sense that you become aware that locks can be viewed as mechanical puzzles and that once you know how to solve them, you have the keys to the kingdom. It’s unsettling because once you get the hang of it, you start to realize just how easy it could be to pick the locks that you depend on to keep you and your possessions safe. Picking locks is addicting because of the exhilaration, the sense of empowerment, the thrill of exerting your will toward something designed to prevent you from opening it without a key and prevailing.

Lockpicking isn’t just for spies and thieves. In most states in the US, picking locks that you own is entirely legal. Yes, this skill can be used for nefarious purposes but in most cases, if you want to break into a building, using a hammer, or even a rock is a much quicker and more effective way to gain entry – it works every time. Lockpicking is growing as a legitimate hobby and there are competitions in the US and internationally where enthusiasts get together and compete in lockpicking races and other challenges.

So now that you’re interested in lockpicking, the question is how do you get started? Well, I’ve been interested in this subject for quite some time and I have found several links and resources that have proven to be extremely useful. Lucky for you, I have gathered and listed those resources below.

 

Buying lock picks

To get started, you’ll need some picks. Toool (that’s with three o’s) is The Open Organization of Lockpickers. Toool’s purpose is to “advance the general public knowledge about locks and lockpicking. By examining locks, safes, and other such hardware and by publicly discussing our findings we hope to strip away the mystery with which so many of these products are imbued.” Their “Beginner’s Blend Pick Kit” can be purchased from their website at a reasonable price here: http://toool.us/equipment.html

Lock picks can also be purchased from these sites: 
http://www.sparrowslockpicks.com/
http://www.lockpicks.com/
 

Locks for learning how to pick

If you want to stay out of trouble, you should only ever pick locks that you own, or locks that you have been given permission to pick by the owner. So what locks are good for learning how to pick? I think that there’s an informal consensus among lock pickers that the Master Lock number 3 model is one of the best locks for beginners to learn on. It has only four pins in it which means that it is usually somewhat easier to pick than a lock with five or six pins. Locks can become harder to pick over time as the parts become fatigued from use. As someone who is learning lockpicking, you will probably want to go out and buy a new lock instead of using that rusted old padlock that’s keeping the shed door closed. The Master Lock number 3 is easy to find at most hardware stores as it is a very popular and inexpensive model of lock.

There are also sets of locks for learning how to pick called progressively-pinned locks. Usually a set of progressively-pinned locks starts with a lock that only has one pin in it. Once you get the hang of picking a lock with one pin in it, you can move on to the next lock in the set that has two pins, and so on. Many sites that sell lock picks also sell progressively-pinned locks. You can buy a set of progressively-pinned locks from the US Toool website as well: http://toool.us/equipment.html

 

Educational resources

Next you’ll also want some instructions, guidance, some information on how to go about this lockpicking business. There are some really cool people who invested a lot of time and effort into creating some fantastic resources that will help you learn how to pick locks.

This guy who goes by the name Deviant Ollam, wrote THE BOOK on lockpicking. The title of this book is “Practical Lock Picking, Second Edition: A Physical Penetration Tester’s Training Guide”, ISBN-13: 978-1597499897. You can pick it up from Amazon by clicking on the link here: http://amzn.com/1597499897

Schuyler Towne is obsessed with locks and lockpicking. So much so, in fact, that he put together a terrific series of instructional videos that cover the very basics all the way up to intermediate and advanced topics in lockpicking. Mr. Towne released these videos for free on YouTube and they can be viewed here: http://www.youtube.com/playlist?list=PL66CD42F86F3A1F85

 

Meetings and groups

Are you interested in lockpicking but not sure you’re ready to jump in with both feet? There are lockpicking groups all over the US that meet up usually every month where you can get hands-on training by enthusiastic and friendly people. There are many lockpicking groups in the US but probably the one that’s most widespread is the US Division of Toool. If you’re interested in attending a Toool meeting in the US, chapter meeting locations and times can be found here: http://toool.us/meetings.html

 

Other resources

There are many forums and sites dedicated to lockpicking but I have found Lockpicking101.com to be one of the best.

http://www.lockpicking101.com/

Time for a change

This site has been quite useful for me in many ways. I’ve used the posts in it for reference countless times to accomplish various tasks at work. I also have found it to be professionally useful in demonstrating knowledge and interest in subjects that are desirable to employers.

At the same time, I feel that posting only bits and pieces related to technical issues I have personally run into is rather limiting and I worry that it will cause this site to die a slow, boring, death. With that in mind, I will start posting more regularly with content covering a more diverse range of subjects. Yes, I will keep things mostly technical in nature but I will be branching out; posting information and links to news and technical resources on security, science, and other related topics.

I hope that this change will keep things lively and interesting here while maintaining the value that this site has provided.