Delegating access to many logical administrators increases the risk of breaking your configuration if there is no ITIL change process for change requests and a user with Exchange administrative rights does not know enough about the rights management provided by Exchange. One “Deny” setting may be enough to leave you unable to administer your Exchange Server environment at all.
This article shows a way to regain access to an unmanageable Exchange Server 2003 environment in which none of the Exchange Server 2003 full administrators has any access any more because a wrong administrative setting denies every right to that group.
If you have no access to your Exchange Server 2003 messaging environment, the problem is not running your servers but administering them. Exchange itself keeps working properly, but you as the administrator cannot open Exchange System Manager and therefore cannot change anything.
Figure 1: Error Message when opening ESM without any rights on the Organization
If you try to administer the Exchange Server Organization using ADSIEdit from Windows Server 2003 Resource Kit, you will see the following.
Figure 2: Error Message when opening ADSIEdit without any rights on the Organization
As you can see above, no organization is shown, although you know there is one because your users are not experiencing any problems.
Because the server itself is running properly, the only “account” that still has access to the organization must be the “Local System” account. The only way to solve the problem is therefore to find a way to act as “Local System”.
There is a way to make this work: use the AT command to open a command line window running with “Local System” privileges.
Figure 3: Acting as Local System using AT.EXE
For <time>, use a time two or three minutes later than the current system time. At the specified time a new window opens that runs with the privileges of “Local System”.
Now you can open your Exchange System Manager console from that command line, or from the Start menu if it is available there.
If you now edit the permissions of your Exchange Server Organization, you will see the following.
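The scheduling step described above, written out as an added example (not a script from the original article): it computes a time three minutes ahead of the current system time and passes it to AT.EXE so that the interactive prompt opens as Local System. It assumes Windows Server 2003 with the Task Scheduler service running, a time format of the form HH:MM:SS, and that you run it from the server's own console session, because AT /interactive needs the interactive desktop.

```batch
@echo off
rem Added example, not code from the original article.
rem Schedules an interactive command prompt as Local System via AT.EXE,
rem three minutes from now, as the article recommends.
rem Assumption: %TIME% is formatted as HH:MM:SS (colon separators).

setlocal enabledelayedexpansion

rem Take hours and minutes from %TIME%; some locales pad hours with a space.
set HH=%TIME:~0,2%
set MM=%TIME:~3,2%
set HH=%HH: =0%

rem Prefix with "1" and subtract 100 so SET /A does not read 08/09 as octal.
set /a HH=1%HH% - 100
set /a MM=1%MM% - 100

rem Add the three-minute margin and handle minute and hour rollover.
set /a MM=MM + 3
if !MM! GEQ 60 (
    set /a MM=MM - 60
    set /a HH=HH + 1
)
if !HH! GEQ 24 set /a HH=0

rem Re-pad to two digits for AT's HH:MM argument.
if !HH! LSS 10 set HH=0!HH!
if !MM! LSS 10 set MM=0!MM!

echo Scheduling an interactive Local System prompt at !HH!:!MM!
at !HH!:!MM! /interactive cmd.exe

rem List pending jobs so the entry can be checked; remove it with
rem "at <id> /delete" if it is no longer needed.
at

endlocal
```

When the new window appears, `whoami /user` should report NT AUTHORITY\SYSTEM before you start Exchange System Manager from it. Close that window as soon as the permissions are repaired, and delete the job with `at <id> /delete` if the prompt was not used.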
This shows that there is still a fully working Exchange Server Organization. The next step is to configure a user with administrative rights on your Exchange Organization. This is easily done by adding this new user to the ACL and adding him directly to the Enterprise Administrators and Schema Administrators groups.
Then log on with this new user.
The last step to regain access to your organization is to reconfigure the Exchange organizational rights to match the default ones shown below.
Figure 4: Re-Configuring the appropriate rights on your Organization
Once you have full access to your Exchange Server Organization again, the Exchange System Attendant may still misbehave, starting and then stopping after 10 seconds.
This problem can be solved by running “setup.exe /forestprep” and “setup.exe /domainprep” from your Exchange Server 2003 compact disk.
A final reboot will then make things work properly.
In general, the problem described in this article should never occur, because every Exchange Server Administrator should know how to correctly administer his Exchange Server environment. In some situations, however, especially when the Exchange Administrator does not really know what to do when configuring a certain topic in Exchange, this problem can occur. As this drill-down shows, there is a smart way to solve the problem and regain all access to your Exchange Server 2003 messaging environment. It is quite tricky and not easy to think of, but every good Exchange Server 2003 Administrator should know this method, and every good consultant in particular should keep it in mind for solving such problems in the future.
If there are still further questions, please do not hesitate to contact me.