How-To Guide: How to set up Exchange account for SRM data collection

Document ID : KB000055765
Last Modified Date : 14/02/2018

Setting the right security for an account to do data collection from Exchange can be very tricky. The basic ideas and complications are:

  • Admin and Domain Admin accounts are denied access to all mailboxes except their own mailbox.

  • Non-admin accounts have very limited access to mailboxes.

  • Additionally, non-admin accounts cannot read some of the local files that might be needed during collection.

  • If you "delegate control" to the account, the delegation automatically strips the account of the rights to read other mailboxes.

There are different ways to get around this.

(A) Approach # 1

  • Create a normal non-admin user

  • Add the account to the Exchange Servers group.

  • Give rights to log on locally.

(B) Approach # 2

  • Create an Administrator account or use an existing account.

  • Give rights to log on locally if the account does not already have them.

  • In the Exchange System Manager, right-click the database you want to have full mailbox access to and open Properties -> Security tab. Then grant your account full explicit permissions on the object, including Receive As and Send As permissions.

(After you have made this change, you may still see unavailable Deny and Allow permissions assigned to your account. The unavailable permissions indicate that by inheritance you have been denied permission, but that you have inherited permissions at this level. In the Windows permissions model, explicitly granted permissions override inherited permissions.)

(Note: An explicit Allow at a lower level permission overrides an explicit Deny from a higher level permission only on the single object where the override is set, not on that object's child objects. This prevents you from granting yourself permissions on a server to gain access to each database; you must grant permissions on databases individually.)

Reference

The articles below describe the approaches mentioned above and other viable approaches that might work as well. It all depends on how tight you want the security to be in the enterprise.

http://support.microsoft.com/default.aspx?scid=kb;en-us;821897

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm

http://support.microsoft.com/?kbid=262054

Info you might find in debug traces

Thread: 2716 -Entering: CExMailboxCollector::CollectPrivateFolders
Thread: 2716 -### Collecting Private Folders No. 4 of tester
Thread: 2716 -XML Query Folder failed with error COM Exception 80040e09 at LocalQueryFolder for /MBX/tester.
Thread: 2716 -Exiting : CExMailboxCollector::CollectPrivateFolders
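
Because permissions must be granted on each database individually, a collection run can succeed for some mailboxes and fail for others. The following added example (not part of the original KB or of SRM) parses a trace in the format shown above and lists the mailboxes whose collection failed. It assumes that 80040e09 is the OLE DB HRESULT DB_SEC_E_PERMISSIONDENIED; the function names and the second mailbox in the sample are constructed for illustration.

```python
import re

# Constructed sample in the trace format shown above ("alice" is made up).
SAMPLE_TRACE = """\
Thread: 2716 -Entering: CExMailboxCollector::CollectPrivateFolders
Thread: 2716 -### Collecting Private Folders No. 4 of tester
Thread: 2716 -XML Query Folder failed with error COM Exception 80040e09 at LocalQueryFolder for /MBX/tester.
Thread: 2716 -Exiting : CExMailboxCollector::CollectPrivateFolders
Thread: 2716 -Entering: CExMailboxCollector::CollectPrivateFolders
Thread: 2716 -### Collecting Private Folders No. 5 of alice
Thread: 2716 -Exiting : CExMailboxCollector::CollectPrivateFolders
"""

# Assumption: 0x80040E09 is OLE DB's DB_SEC_E_PERMISSIONDENIED.
KNOWN_HRESULTS = {0x80040E09: "DB_SEC_E_PERMISSIONDENIED"}

LINE = re.compile(r"^Thread:\s*(\d+)\s*-(.*)$")
COLLECT = re.compile(r"^### Collecting Private Folders No\. (\d+) of (.+)$")
FAIL = re.compile(
    r"failed with error COM Exception ([0-9a-fA-F]{8}) at (\w+) for (\S+?)\.?$")

def audit_trace(text):
    """Return {mailbox: 'ok' | failure dict} for every mailbox in the trace."""
    current = {}   # thread id -> mailbox that thread is collecting right now
    result = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.group(1), m.group(2).strip()
        if (c := COLLECT.match(msg)):
            current[thread] = c.group(2)
            result.setdefault(c.group(2), "ok")
        elif (f := FAIL.search(msg)):
            code = int(f.group(1), 16)
            # Prefer the mailbox named on the thread; fall back to the path.
            mailbox = current.get(thread) or f.group(3).rsplit("/", 1)[-1]
            result[mailbox] = {
                "hresult": f"0x{code:08X}",
                "name": KNOWN_HRESULTS.get(code, "unknown"),
                "at": f.group(2),
                "path": f.group(3),
            }
    return result

def denied_mailboxes(text):
    """Mailboxes whose collection failed with a permission-denied HRESULT."""
    return sorted(mb for mb, st in audit_trace(text).items()
                  if st != "ok" and st["name"] == "DB_SEC_E_PERMISSIONDENIED")
```

Mailboxes reported by denied_mailboxes point to databases where the collection account still lacks the explicit permissions described in Approach # 2.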