Recently one of my customers installed Outlook 2007 on a few client workstations. They run Exchange Server 2003 SP2. When operating in on-line (as opposed to cached) mode, the Outlook 2007 profile loaded but none of the mailbox folders could be displayed, although they could see the item counts in the left-hand pane. The following message was displayed:
If they enabled cached mode the cache was populated and they could see their messages normally. However they couldn’t schedule meeting requests and received NDRs with text similar to the following:
Also in cached mode, if the users tried to create a new appointment in the Calendar the item disappeared after a few seconds (presumably when the cache synchronised with the server).
I spent some time troubleshooting this, but there was nothing obviously wrong with the environment. The same users had no similar problems running Outlook 2003 on their workstations, so the problem appeared to be specific to Outlook 2007. I opened an incident with Microsoft PSS and after several weeks of trial and error, the PSS engineer hit on the answer. It had to do with the permissions on the Exchange Organization object in Active Directory. At some point in the past somebody had removed the default permissions assigned to the Everyone group.
The default permissions assigned to the Everyone group are shown in the table below. Note that I got this from a dump of the ACL using the Acldiag tool from the Windows Server 2003 Support Tools. I prefer this to using the Security -> Advanced tab in ADSIEdit because the UI doesn’t always display all of the access control entries.
One thing to note here is that the List object permission does not appear by default when viewing the ACLs using standard UI tools (e.g. ADSIEdit, Active Directory Users and Computers). If you want to use the UI tools to set this permission you first need to enable List object mode, as described in the link below:
As soon as I restored the permissions to the Everyone group the problems experienced with the Outlook 2007 clients disappeared.
I mentioned above that I used Acldiag.exe to dump the ACL. Other alternatives are Dsacls.exe, also from the Windows Server 2003 Support Tools, and Exchdump.exe.
The output is provided as two separate files, one XML and the other HTM. The HTM output is shown below.
ExchDump Version: 6.5.7202.0
ExchDump Mode: Local
->Click for General Information
Local Environment
COMPUTERNAME: DCN1
USERDNSDOMAIN: NORTH.COM
USERNAME: administrator
LOGONSERVER: \\DCN1
NUMBER_OF_PROCESSORS: 1
Windows version
Product Name: Microsoft Windows Server 2003
Build Number: 3790
Service Pack 1
Windows HotFixes applied
KB890046
KB893756
KB896358
KB896422
KB896424
KB896428
KB898715
KB899587
KB899588
KB899589
KB899591
KB900725
KB901017
KB901214
KB902400
KB904706
KB905414
KB905915
KB910437
Q147222
ServicePackUninstall
Exchange version
Major Version: 6944
Service Pack Build Number: 7638
Exchange Service Logon Accounts
Microsoft Exchange Information Store: LocalSystem
Microsoft Exchange System Attendant: LocalSystem
--------------------------------------------------------------------------------
Object: CN=NORTH,CN=MICROSOFT EXCHANGE,CN=SERVICES,CN=CONFIGURATION,DC=NORTH,DC=COM
--------------------------------------------------------------------------------
CN=NORTH (LDAP://CN=NORTH,CN=MICROSOFT EXCHANGE,CN=SERVICES,CN=CONFIGURATION,DC=NORTH,DC=COM)
Class: msExchOrganizationContainer
Schema: LDAP://schema/msExchOrganizationContainer
cn : "NORTH"
legacyExchangeDN : "/o=NORTH"
whenChanged : Wednesday, 01/24/2007 01:11:51 (GMT)
->Click for more details...
cn : "NORTH"
instanceType : 4
nTSecurityDescriptor : ACL dumped seperately
objectCategory : "CN=ms-Exch-Organization-Container,CN=Schema,CN=Configuration,DC=north,DC=com"
objectClass : (ARRAY)
"top"
"container"
"msExchOrganizationContainer"
adminDisplayName : "NORTH"
distinguishedName : "CN=NORTH,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=north,DC=com"
legacyExchangeDN : "/o=NORTH"
msExchAdminGroupsEnabled : FALSE
msExchAdmins : "S-1-5-21-2693098143-1269406413-4063274187-1127,10"
msExchMimeTypes : (Binary blob)
msExchMixedMode : FALSE
msExchRoutingEnabled : FALSE
name : "NORTH"
objectGUID : {03ee92d3-d4dc-4bac-bb28-22e08327a56d}
objectVersion : 6903
showInAdvancedViewOnly : TRUE
systemFlags : 1073741824
uSNChanged : 123749
uSNCreated : 101761
whenChanged : Wednesday, 01/24/2007 01:11:51 (GMT)
whenCreated : Saturday, 09/23/2006 03:21:32 (GMT)
->Click for Permissions on object...
ACL Inheritance: Inheritance allowed,
-NORTH\Domain Admins: (ACCESS_DENIED_OBJECT)(Child objects can inherit this access-control entry),
Send As (Extended Right)
-NORTH\Enterprise Admins: (ACCESS_DENIED_OBJECT)(Child objects can inherit this access-control entry),
Send As
-NORTH\bobc: (ACCESS_DENIED_OBJECT)(Child objects can inherit this access-control entry),
Send As
-NORTH\Domain Admins: (ACCESS_DENIED_OBJECT)(Child objects can inherit this access-control entry),
Receive As (Extended Right)
-NORTH\Enterprise Admins: (ACCESS_DENIED_OBJECT)(Child objects can inherit this access-control entry),
Receive As
-NORTH\bobc: (ACCESS_DENIED_OBJECT)(Child objects can inherit this access-control entry),
Receive As
-NORTH\Exchange Domain Servers: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry),
WRITE_PROP: Public Information (Extended Right)
-NORTH\Exchange Domain Servers: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry),
WRITE_PROP: Personal Information (Extended Right)
-NORTH\Exchange Domain Servers: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry), (ACE only affects objects of type: ms-Exch-Site-Addressing )
Read Permissions,
Write Permissions,
Take Ownership
CREATE_CHILD: ALL,
DELETE_CHILD: ALL,
List Children,
DS_SELF,
READ_PROP: ALL,
WRITE_PROP: ALL,
DELETE_TREE,
LIST_OBJECT,
CONTROL_ACCESS: ALL,
InheritedObjectType: ms-Exch-Site-Addressing
-Everyone: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry),
Create named properties in the information store (Extended Right)
-NT AUTHORITY\ANONYMOUS LOGON: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry),
Create named properties in the information store
-Everyone: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry),
Create public folder (Extended Right)
-NT AUTHORITY\ANONYMOUS LOGON: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry),
Create public folder
-Everyone: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry), (ACE only affects objects of type: ms-Exch-Public-MDB )
Read Permissions,
List Children,
READ_PROP: ALL,
LIST_OBJECT,
InheritedObjectType: ms-Exch-Public-MDB
-NT AUTHORITY\ANONYMOUS LOGON: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry), (ACE only affects objects of type: ms-Exch-Public-MDB)
Read Permissions,
List Children,
READ_PROP: ALL,
LIST_OBJECT,
InheritedObjectType: ms-Exch-Public-MDB
-Everyone: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry), (ACE only affects objects of type: ms-Exch-Private-MDB )
Read Permissions,
List Children,
READ_PROP: ALL,
LIST_OBJECT,
InheritedObjectType: ms-Exch-Private-MDB
-NT AUTHORITY\ANONYMOUS LOGON: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry), (ACE only affects objects of type: ms-Exch-Private-MDB)
Read Permissions,
List Children,
READ_PROP: ALL,
LIST_OBJECT,
InheritedObjectType: ms-Exch-Private-MDB
-NORTH\Exchange Domain Servers: (ACCESS_ALLOWED)(Child objects can inherit this access-control entry),
CREATE_CHILD: ALL,
CONTROL_ACCESS: ALL,
-NT AUTHORITY\Authenticated Users: (ACCESS_ALLOWED)
READ_PROP: ALL,
LIST_OBJECT,
-NORTH\Exchange Domain Servers: (ACCESS_ALLOWED)(Child objects can inherit this access-control entry), (Inherited ACE),
Read Permissions,
List Children,
READ_PROP: ALL,
-NORTH\bobc: (ACCESS_ALLOWED)(Child objects can inherit this access-control entry), (Inherited ACE),
Read Permissions,
Write Permissions,
Take Ownership
CREATE_CHILD: ALL,
DELETE_CHILD: ALL,
List Children,
DS_SELF,
READ_PROP: ALL,
WRITE_PROP: ALL,
DELETE_TREE,
LIST_OBJECT,
CONTROL_ACCESS: ALL,
-NORTH\Enterprise Admins: (ACCESS_ALLOWED)(Child objects can inherit this access-control entry), (Inherited ACE),
Read Permissions,
Write Permissions,
Take Ownership
CREATE_CHILD: ALL,
DELETE_CHILD: ALL,
List Children,
DS_SELF,
READ_PROP: ALL,
WRITE_PROP: ALL,
DELETE_TREE,
LIST_OBJECT,
CONTROL_ACCESS: ALL,
-NORTH\Domain Admins: (ACCESS_ALLOWED)(Child objects can inherit this access-control entry), (Inherited ACE),
Read Permissions,
Write Permissions,
Take Ownership
CREATE_CHILD: ALL,
List Children,
DS_SELF,
READ_PROP: ALL,
WRITE_PROP: ALL,
LIST_OBJECT,
CONTROL_ACCESS: ALL,
--------------------------------------------------------------------------------
Report Summary
--------------------------------------------------------------------------------
Total number of Objects dumped: 1
Total time spent generating report: 00 hours: 00 minutes: 01 seconds.
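
Added example (not part of the original post and not ExchDump's own code): a Python check that parses the permissions section of an ExchDump text report like the one above and lists which Everyone ACEs are missing from the organization object. The baseline is assumed from the Everyone entries in this page's dump; the function names and the sample input are constructed for illustration.

```python
import re
# ACE header lines in the ExchDump text look like "-Trustee: (ACCESS_ALLOWED_OBJECT)(...)".
ACE_HEADER = re.compile(r"^-(?P<trustee>.+?): \((?P<type>ACCESS_(?:ALLOWED|DENIED)(?:_OBJECT)?)\)")

# Assumed baseline: the Everyone entries visible in the dump on this page,
# keyed by InheritedObjectType (None = ACE not limited to one object class).
EXPECTED_EVERYONE = [
    (None, {"Create named properties in the information store"}),
    (None, {"Create public folder"}),
    ("ms-Exch-Public-MDB", {"Read Permissions", "List Children", "READ_PROP: ALL", "LIST_OBJECT"}),
    ("ms-Exch-Private-MDB", {"Read Permissions", "List Children", "READ_PROP: ALL", "LIST_OBJECT"}),
]

def parse_aces(dump_text):
    """Split the permissions section into ACEs: trustee, type, scope, rights."""
    aces, current = [], None
    for raw in dump_text.splitlines():
        line = raw.strip()
        header = ACE_HEADER.match(line)
        if header:
            current = {"trustee": header["trustee"], "type": header["type"], "scope": None, "rights": set()}
            aces.append(current)
        elif line.startswith("---"):
            current = None  # a separator line ends the ACL section
        elif current is not None and line.startswith("InheritedObjectType:"):
            current["scope"] = line.split(":", 1)[1].strip()
        elif current is not None and line:
            current["rights"].add(line.rstrip(",").replace("(Extended Right)", "").strip())
    return aces

def missing_everyone_aces(dump_text):
    """Return (scope, missing rights) for each baseline entry Everyone lacks."""
    granted = {}
    for ace in parse_aces(dump_text):
        if ace["trustee"].lower() == "everyone" and ace["type"].startswith("ACCESS_ALLOWED"):
            granted.setdefault(ace["scope"], set()).update(ace["rights"])
    gaps = [(scope, sorted(rights - granted.get(scope, set()))) for scope, rights in EXPECTED_EVERYONE]
    return [gap for gap in gaps if gap[1]]

# Constructed sample: a dump where two of the Everyone ACEs have been removed.
SAMPLE = r"""-Everyone: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry),
Create named properties in the information store (Extended Right)
-Everyone: (ACCESS_ALLOWED_OBJECT)(Child objects can inherit this access-control entry), (ACE only affects objects of type: ms-Exch-Public-MDB )
Read Permissions,
List Children,
READ_PROP: ALL,
LIST_OBJECT,
InheritedObjectType: ms-Exch-Public-MDB
-NT AUTHORITY\Authenticated Users: (ACCESS_ALLOWED)
READ_PROP: ALL,"""
```

Calling `missing_everyone_aces()` on the text of a saved report returns an empty list when every baseline entry is present; replace `EXPECTED_EVERYONE` with the ACL of a known-good organization if yours differs.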