3

I have an old Windows 2003 Server running Exchange 2003. A few weeks ago, I noticed that somehow some users lose privileges.

Examples:

  • I allow a certain user to read the mail boxes of another user. As a result of that a third user loses that privilege.
  • After a reboot almost every time one user loses some privilege. They are mostly related to Exchange, because that's where we notice it immediately, but also local server privileges are lost. (See next item)
  • Logging on as "Administrator" I cannot run the "Software" applet from the control panel. I have to use "Run As" to run it. Then I choose the "Administrator" account (no mistake!) and it works.

My question:

  • What could produce such problems? Is this a single problem or is it likely that there is more than one problem producing similar symptoms?
Daniel Rikowski
  • What do the Event Logs show? – JS. Jul 17 '09 at 09:59
  • There are some DNS problems and the virus scanner sometimes has problems starting one of its services but other than that nothing out of the ordinary (As far as I can tell) – Daniel Rikowski Jul 17 '09 at 11:33
  • Are there any other administrators that might be influencing this behaviour, or have you delegated any management of AD rights to other users? The 'run as' administrator bit sounds very strange - is the system exposed to the internet? If so, is it fully patched, running current AV software? Have you noticed anything else unusual about the system? Do you notice any strange connections to the system in the output of the command `netstat -ano`? – Bryan Dec 21 '11 at 23:20

2 Answers

1

Sounds like Active Directory issues, and as Exchange 2003 is tightly integrated with AD that is what I would be looking at.

Check the DC health using DCDIAG

How many DCs are in the network, are there replication problems between them at all (if multiple)? What is hardware health like? It certainly sounds weird which may indicate something corrupt somewhere.

Phlosten
1

Most likely there is an issue with AD consistency.

You should run `repadmin /replsummary` and `repadmin /showrepl` on each of the DCs to check that replication is occurring. If it is not, use the `/replicate` option to that same command to force replication; if it does not work, solve the issue that is preventing it.

Most likely these problems are DNS related.

It's also possible that you have data corruption on one DC. The easiest way to fix that is to find the DC which has different data for affected users than other DCs, demote it, and make a new one.

Falcon Momot
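Added example, not part of the original answers: a Python sketch that triages a saved `repadmin /showrepl * /csv > showrepl.csv` export and lists the inbound replication links reporting failures, with a hint when the status code points at DNS. The sample rows, server names and the `failing_links` helper are constructed for illustration, and the column names are an assumption about the `/csv` header that should be checked against your own export.

```python
import csv
import io

# Constructed sample in the assumed `repadmin /showrepl * /csv` layout (names invented).
SAMPLE = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=local",HQ,DC2,RPC,0,0,2009-07-17 09:45:12,0
showrepl_INFO,HQ,DC2,"DC=example,DC=local",HQ,DC1,RPC,37,2009-07-17 09:50:03,2009-07-02 23:14:55,8524
showrepl_INFO,HQ,DC2,"CN=Configuration,DC=example,DC=local",HQ,DC1,RPC,37,2009-07-17 09:50:03,2009-07-02 23:14:40,8524
"""

# Win32 status codes commonly seen on broken replication links.
STATUS_HINTS = {"1722": "RPC server unavailable", "8524": "DNS lookup failure"}

def failing_links(csv_text):
    """Return (failing, other): failing replication links, and rows that were not parsed."""
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    failing, other = [], []
    for row in rows:
        if not row:
            continue
        # The layout of non-INFO rows is not assumed; hand them back untouched.
        if row[0] != "showrepl_INFO" or len(row) != len(header):
            other.append(row)
            continue
        rec = dict(zip(header, row))
        failures = int(rec["Number of Failures"] or 0)
        status = rec["Last Failure Status"].strip() or "0"
        if failures or status != "0":
            failing.append({
                "dest": rec["Destination DSA"],
                "source": rec["Source DSA"],
                "nc": rec["Naming Context"],
                "failures": failures,
                "status": status,
                "hint": STATUS_HINTS.get(status, "look up this status code"),
                "last_success": rec["Last Success Time"],
            })
    failing.sort(key=lambda r: -r["failures"])  # worst links first
    return failing, other

if __name__ == "__main__":
    bad, unparsed = failing_links(SAMPLE)
    for link in bad:
        print("{dest} <- {source} [{nc}]: {failures} failures, status {status} "
              "({hint}), last success {last_success}".format(**link))
    for row in unparsed:
        print("unparsed row:", row)
```

A destination DC whose inbound links all fail with an old last-success time is the one to compare against the others before considering a demotion.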