exchange locks out AD users

By jbaker ·
I have a random and reoccurring issue. Accounts get locked out. It's not a security threat issue. This started to happen (daily and seems like it's getting worse) as soon as I installed a new Exchange server (Exchange 2007 on Win2003). We are running an A/D environment. The issue is easy to correct (just unlock the user) but what is causing the lockout and how do I stop it?

All Answers

This might help you.....

Method 1
By default, Exchange System Manager does not display the Security tab when you view the properties of the Organizational object. To view the Security tab and then modify permissions, you have to edit the registry.

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
1. To make the Security tab visible in Exchange System Manager, follow these steps:
a. Click Start, click Run, type regedt32.exe in the Open box, and then click OK to start Registry Editor.
b. Locate the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
c. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: ShowSecurityPage
Data Type: REG_DWORD
Radix: Binary
Data: 1
d. Quit Registry Editor.
2. Start Exchange System Manager, and then on the Security tab, modify permissions. To do this, follow these steps:
a. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
b. Expand ServerName, expand StorageGroupName, right-click Public Folder Store, and then click Properties.
c. Click the Security tab, and then in the Name box, click Everyone.
d. In the Permissions box, click to clear all Deny check boxes that are selected.
e. Click OK.
f. Right-click the public folder store, and then click Mount store.
Method 2
Use the Dsacls tool that is included in Windows Support Tools to determine how the permissions are configured, and then remove the assigned Deny permission. To do this, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER:
DSACLS "CN=Public Folders,CN=Folder Hierarchies,CN=Administrative_Group_Name,CN=Administrative Groups,CN=ORGANIZATION_Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Root_DOMAIN" >c:\PfPerms.txt
Note: In this command, replace CN=ORGANIZATION_Name with the name of the Exchange organization, replace Administrative_Group_Name with the name of the administrative group where the public folder tree is located, and replace Root_DOMAIN with your forest root domain (dc=microsoft,dc=com). Finally, replace C:\PfPerms.txt with an appropriate name and location.
3. This command produces an output file that lists the accounts that have been set to Deny. You must open the C:\PfPerms.txt output file and determine whether the Everyone access control list (ACL) has been set to Deny. To do this, right-click the output file, click Open With, and then click WordPad.
4. Locate "DENY EVERYONE" in the text file.
5. After you locate the DENY EVERYONE permissions, follow these steps to remove them:
a. Click Start, click Run, type cmd, and then click OK.
b. Type the following command, and then press ENTER:
DSACLS "CN=Public Folders,CN=Folder Hierarchies,CN=Administrative_Group_Name,CN=Administrative Groups,CN=ORGANIZATION_Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Root_DOMAIN" /I:T /R EVERYONE
http://support.microsoft.com/kb/823017


Please post back if you have any more problems or questions.
If this information is useful, please mark as helpful. Thanks.
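
A way to carry out steps 3 and 4 of Method 2 without reading the file by eye, as an added PowerShell example that is not part of the original post or the Microsoft article. It assumes the report layout described in the comments and runs on a constructed sample; the function name Get-TrusteeAce is hypothetical. Because DSACLS /R removes every permission entry held by the named trustee, the script lists that trustee's Allow entries alongside the Deny ones.

```powershell
# Added example: list the ACEs for one trustee in a saved DSACLS report,
# so Deny entries stand out before anything is removed.
# Assumption: each ACE line reads "<Allow|Deny> <trustee>  <permission>",
# with two or more spaces between the trustee and permission columns.
function Get-TrusteeAce {
    param(
        [string[]]$Lines,
        [string]$Trustee = 'Everyone'
    )
    $lineNumber = 0
    foreach ($line in $Lines) {
        $lineNumber++
        # -match is case-insensitive, so "DENY EVERYONE" and "Deny Everyone" both hit.
        if ($line -match '^\s*(Allow|Deny)\s+(.+?)\s{2,}(\S.*?)\s*$') {
            $type = $Matches[1]; $who = $Matches[2]; $perm = $Matches[3]
            if ($who -ieq $Trustee) {
                New-Object PSObject -Property @{
                    Line = $lineNumber; Type = $type
                    Trustee = $who;     Permission = $perm
                }
            }
        }
    }
}

# Constructed sample lines. On a real system use instead:
#   $report = Get-Content C:\PfPerms.txt
$report = @(
    'Access list:',
    '',
    'Deny  Everyone                              SPECIAL ACCESS',
    'Allow Everyone                              READ PERMISSIONS',
    'Allow NT AUTHORITY\Authenticated Users      SPECIAL ACCESS',
    'Allow EXAMPLE\Exchange Admins               FULL CONTROL'
)

$aces = @(Get-TrusteeAce -Lines $report -Trustee 'Everyone')
$deny = @($aces | Where-Object { $_.Type -eq 'Deny' })

$aces | Format-Table Line, Type, Trustee, Permission -AutoSize
if ($deny.Count -eq 0) {
    'No Deny entry for Everyone; the /R command in step 5 is not needed.'
} else {
    "{0} Deny entry(ies) for Everyone; /R would remove all {1} entries listed above." -f $deny.Count, $aces.Count
}
```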

no go

by jbaker In reply to This might help you.....

I think these instructions are for a different version. I'm running Exchange 2007 on a Win2003 server in A/D. I don't have these reg keys.

Also... how would this deny permission cause random account locking? An account can be fine one minute, and a few hours later it's locked.
