April 2010 - Posts

The TrustedInstaller - Isn't.

Generally, when applying patches (whether service packs or hotfixes or rollups), the installation process will automatically acquire all the necessary permissions - if the user executing the process CAN acquire those permissions. This is especially relevant under Server 2008 and Server 2008 R2, where an interactive logged in user has their access token artificially limited, even if UAC is disabled.

However, the Exchange 2010 update installer either drops administrative permissions too early or never acquires all of the permissions that are necessary. When applying update rollups, binaries are updated just fine - but OWA source files are not.

This commonly leads to a patch application that appears successful - but it isn't. When testing OWA after an update-rollup application, a common error is "syntax error in flogon.js at 1, 1." This is an indication that the patch was NOT installed with administrative permissions.

Reapply the patch with administrative permissions.

Note: I have heard reports that this begins to affect Exchange 2007 AFTER the application of service pack 2, when Exchange 2007 is installed on Windows Server 2008.

This has (at this writing) been seen to affect Exchange 2010 UR1, UR2, and UR3.

To properly ensure that an application of an update-rollup has adequate permissions, do one of the following:

  • Right-click on the patch (filename.msp) and click on "Run as Administrator"
  • Open an elevated command prompt and then start the patch (just enter filename.msp). To open an elevated command prompt, click Start, then enter "cmd" into the search area, right click on the cmd.exe that appears in the results area and click on "Run as Administrator".
  • Open an elevated PowerShell session and then invoke the patch (enter "ii filename.msp"). To open an elevated PowerShell session, click Start, then enter "PowerShell" into the search area, right click on the "Windows PowerShell" that appears in the results area and click on "Run as Administrator".

Until next time...

If there are things you would like to see written about, please let me know.

Incoming e-mail CAN'T come in!

This issue is not exclusive to Exchange 2010 - it also exists in Exchange 2007.

The default receive connector created by the Exchange setup process does not include "Anonymous users" in the permission groups of the default server receive connector. Microsoft assumes that you will be using their Edge Server product (which isn't Anonymous, but Authenticated).

Of course, most people (? - at least my customers!) will not be using the Microsoft Edge Server product, but some other gateway e-mail product.

Therefore, you will need to set the "Anonymous users" permission on the default server permission group.

Otherwise - incoming Internet e-mail will bounce!

Until next time...

If there are things you would like to see written about, please let me know.

[Edit on April 15, 2010 to spell "Authenticated" correctly.]

In last week's blog post, Exchange 2010 Gotcha - #1, I use the Add-AdPermission PowerShell cmdlet to add a set of permissions to each mailbox database. One of those permissions was the ms-Exch-Store-Admin permission.

If you've ever installed any BlackBerry software before, or ever installed Cisco's Unity line of products before, you've seen this permission mentioned. This permission was introduced in Exchange 2000 and provides the capability of "administering an information store". That's a pretty non-specific permission, but that's really all the available Microsoft documentation says about it. See, for example, here.

It's worthwhile to note that, by itself, this permission does little. But when combined with the View-Only Organization Management permission (for example) and the Send-As permission, it allows a grantee the capability of doing a Send-As for any user within an information store for which they have that right - without knowing the password of the user who owns the mailbox. When combined with the Modify Permission permission, it allows the grantee to change Full Control assignments for a given mailbox, etc. When combined with the Server Administrator permission, it allows the grantee the capability of mounting and dismounting databases, moving mailboxes, etc.

That is, the ms-Exch-Store-Admin permission has some pretty hefty powers and should not be granted lightly.

Unfortunately, there is no available public documentation that fully defines this permission and/or what capabilities it may allow. Suffice it to say that you should carefully consider whether granting this permission is an appropriate choice for any arbitrary user account or group. The answer is "probably not".
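Because the right is so broad, it is worth knowing exactly who holds it. The following is an added example (not code from the original post) for the Exchange 2010 Management Shell: it enumerates every mailbox database, lists each trustee granted ms-Exch-Store-Admin on it, and shows whether the grant is explicit or inherited; the group name CONTOSO\LegacyStoreAdmins in the commented removal line is a placeholder.

```powershell
# Added example: audit holders of ms-Exch-Store-Admin on every mailbox database.
# Assumes an elevated Exchange 2010 Management Shell with View-Only rights on the databases.
$right = "ms-Exch-Store-Admin"

$report = foreach ($db in Get-MailboxDatabase) {
    Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object {
            # ExtendedRights is a multi-valued property; compare on its string form
            -not $_.Deny -and
            (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $right)
        } |
        Select-Object @{ Name = 'Database';    Expression = { $db.Name } },
                      @{ Name = 'Trustee';     Expression = { $_.User.ToString() } },
                      IsInherited
}

# Explicit (non-inherited) grants are the ones added by hand or by third-party installers
# such as the BlackBerry and Unity products mentioned above; review those first.
$report | Sort-Object Database, IsInherited, Trustee | Format-Table -AutoSize

# To revoke an explicit grant that is no longer justified (placeholder group name):
# Remove-ADPermission -Identity $db.DistinguishedName -User "CONTOSO\LegacyStoreAdmins" `
#     -ExtendedRights $right -Confirm:$false
```

Inherited entries usually come from the Exchange Servers or Organization Management groups and should be left alone; the explicit ones are the candidates for review.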

Thanks to Ross Smith, IV and Bill Long for answering a question of mine that led to this post.

Until next time...

If there are things you would like to see written about, please let me know.

Posted by michael