Shared Mailbox Rights Not Propagating

  • Thread starter tinaschifano
Status
Not open for further replies.
tinaschifano



Can somebody explain the rights flow to me please? What is happening is that we have shared mailboxes that are permissioned via administrative groups in Active Directory as well as within the mailbox.

So, the mailbox is up and running fine. We create an AD group and add members to the group. Then, we manage Full Access permissions to the shared mailbox and add the group. We only have 2 domain controllers that replicate every 15 minutes. What I have seen happen is that I add somebody to the group, and they log out and back in 3 or 4 times and even reboot their Windows XP workstation, and they are unable to access the shared mailbox. I usually ask them to wait until the next day, and then they have access.

I have users that will grant access to the Inbox from within the shared mailbox, and the rights might not be available until the next day for the user, even if they log out and back in a few times.

We are not having any Active Directory issues. I have run dsdiag and everything is fine. Can you guys help me understand rights flow and why it is so slow and let me know if there are any good troubleshooting tools?

When we grant permissions to shared DFS folders, rights are quick. The only problem that we are having is with Exchange mailbox rights taking a while to trickle down.

We have a CCR environment with 2 servers and one CAS server. All users are located in the same building. Our data center is located in a different building.

Thanks!

 
Sembee [MVP]



Exchange caches permissions.

Therefore a change can take a while to be fully effective. The usual rule of thumb is two hours.

If a user attempts to connect to a mailbox before the change has fully replicated, then the previous permission is cached.

The only way to force the cache to clear is to restart the information store, with the obvious consequence of kicking everyone out.

While it is possible to reduce the cache time, it isn't recommended as it can have a significant impact on the performance of the server and increase the load on the domain controller as Exchange is reading the permissions more frequently.

NTFS permissions are different, and cannot compare to Exchange permissions.

Simon.

Simon Butler, Exchange MVP http://blog.sembee.co.uk
 