I'm trying to find out if the Exchange 2007 Setup /PrepareAD modifies
mailbox security settings. Specifically, does it set an explicit "deny" to
In our environment (Exchange 2003 on Windows 2003), we have seven system
admins (with Domain Admin rights). Two of us have rights to all the
mailboxes (we're in a group that has full mailbox rights granted at the top
level). The other five are in a group that has an explicit "deny" on the
We're preparing for a Windows 2007 install and today I ran the "Setup
/PrepareAD" routine. Sometime later after running this, I needed to access
a user mailbox and Outlook told me that I the mailbox wasn't found and that
it couldn't open the folder.
I went into the rights for the mailboxes and it looks like the only group
that my account is in that is denied mailbox access rights is the "domain
admins" group. That group has an explicit deny on the mailboxes.
I created a test account, put it in the group that has mailbox access,
specifically did NOT put it in "domain admins", and I was able to access the
I don't recall what the setting for "domain admins" was prior to running
/prepareAD, but based on what I'm seeing, it appears that Setup set it to
Any information would be appreciated.