Exchange Server - Does Ex07 setup/prepareAD set an explicit "deny" for mailbox access to "Domain Admins"?

Asked By Mike O on 19-Feb-08 10:15 PM

I'm trying to find out if the Exchange 2007 Setup /PrepareAD modifies
mailbox security settings.  Specifically, does it set an explicit "deny" to

In our environment (Exchange 2003 on Windows 2003), we have seven system
admins (with Domain Admin rights).  Two of us have rights to all the
mailboxes (we're in a group that has full mailbox rights granted at the top
level).   The other five are in a group that has an explicit "deny" on the

We're preparing for a Windows 2007 install and today I ran the "Setup
/PrepareAD" routine.   Sometime later after running this, I needed to access
a user mailbox and Outlook told me that I the mailbox wasn't found and that
it couldn't open the folder.

I went into the rights for the mailboxes and it looks like the only group
that my account is in that is denied mailbox access rights is the "domain
admins" group.  That group has an explicit deny on the mailboxes.

I created a test account, put it in the group that has mailbox access,
specifically did NOT put it in "domain admins", and I was able to access the
mailbox.

I don't recall what the setting for "domain admins" was prior to running
/prepareAD, but based on what I'm seeing, it appears that Setup set it to

Any information would be appreciated.

Mike O.

Mike O replied on 19-Feb-08 11:01 PM

Please disregard this thread.  I found the answers after I posted.   I had
done some searching prior to posting, but it was somewhat quick, and
apparently I didn't search on the correct combination of keywords.

I found a couple of technet articles that listed all the various permissions
that Setup adjusts, and some other ones that said the specific "deny" was
set for the "domain admins" group.

Access over 40 UI widgets with everything from interactive menus to rich charts.