I can create the mailbox fine - no errors.
When I try to access the mailbox from OWA I get this message:
Access is denied.
The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted, or because you don't have the correct permissions.
If I wait a few hours, it works.
The mailbox was created locally on the Exchange server's database.
There are no replication issues between the child-domain (where the EX is) and the parent domain. But since the mailbox is local, why should it need the parent domain?
Any ideas what to look for?
Related
Why an external user with guest role cannot access an internal repo when it is granted to?
Objective
I have a problem giving permissions in gitlab. I want to have externals users with guest (role) permissions to download one internal project.
The gitlab documentation says the following:
Users with Guest role can download the project only if it is public or internal.
Externals users can only access projects to which they are explicitly granted access, thus hiding all other internal or private ones from them. Access can be granted by adding the user as member to the project or group.
Environment
I have the next configuration in gitlab:
One user created as external user named userexternal.
One internal project named internalproject.
The internalproject has userexternal as member with the guest role.
Expected behaviour
userexternal can download (clone, etc) the internalproject because he has access granted.
Actual behaviour
userexternal cannot download internalproject. The page returns a 403 error (forbidden access).
Cloning into 'internalproject'...
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://userexternal:PASS#example.com/internalproject.git/': The requested URL returned error: 403
This may not apply directly to your situation, but we wanted to do something similar with a client. We created deploy keys with read only access to one project in our gitlab. Since the ssh keys are only associated to that project and not to a user, they can't touch anything else besides that repo. Mixed with the read only option, they can only pull and clone.
We wanted to keep this user separate from any other account so we created another user within our system with admin capabilities (only drawback), a random password that they won't be given, no ssh login keys, and we ticked the external user checkbox (yeah somehow you can be an external admin?).
Again, not ideal but a workaround... :(
Cheers
I have an app defined in Azure that has permission to read Exchange mailboxes. I use Azure to get an access code and then access token, and can successfully read messages from the current user's mailbox. The issue I have is when the current user has delegate rights to a mailbox, this same process results in a 403 Forbidden error rather than the data. If I open up Outlook I can see the delegate mailbox, it's only when trying to access it via the o365 APIs that it fails.
Once I have my access token I'm asking for the data from this endpoint: https://outlook.office.com/api/v1.0/users/mailboxupn#foo.com/messages. As I say, works fine for getting email from your mailbox, but not for a mailbox to which you have delegate rights. I've also confirmed that if I log in and get an access token as the owner of the mailbox that has the delegated rights, I'm able to successfully retrieve data.
I've seen a few questions on this (on Matthias' blog) but no answers. Is there a way to do this?
Thanks.
The Office 365 REST API doesn't support to get the messages as a delegate. You may consider using EWS instead.
Below link maybe helpful:
https://msdn.microsoft.com/EN-US/library/office/dn641963(v=exchg.150).aspx
Hope it is helpful.
I have a simple WMI query that runs fine locally, but querying a remote system gives an access denied error. When I add the local user to the remote system as member of the administrator group, the query works as expected, but I don't want to have that user as a member of that group.
I already tried the following things, unfortunately not successful so far:
I enabled RemoteAdmin for the firewall (netsh firewall set service RemoteAdmin enable)
I added the user with all possible access rights to the WMI Security settings (for the root name space, and I also checked that the settings are correctly propagated to the namespace I'm querying, root/cimv2) via wmimgmt.msc
I enabled remote access for the user in DCOM COM security
I still get the same error every time I run my query, is there anything else that I may have missed?
WMI rights are much tighter than typical, as the link provided by Uros describes in detail. In short, you will either need to enable the Active Directory right called "Trusted for Delegation", which is extremely powerful and not recommended, or add explicit credentials, as described in the MS link referenced by Uros.
I building a console app that runs under a normal user account to access sharepoint lists programmatically. In order to access Sharepoint objects the console application impersonates the user under the context of which the Sharepoint is running. The impersonation is successful but when I try to access any share point SPWeb objects the following error is given as follows
spWeb.ID = 'spWeb.ID' threw an exception of type 'System.Data.SqlClient.SqlException'
base {System.Data.Common.DbException} = {"Cannot open database \"WSS_Content_92\" requested by the login. The login failed.\r\nLogin failed for user 'DOM\USER'."}
Doesnt the imepersonation should have allowed to access to the underlying database and also do i need to explicitly grant access to the current user to give access to sharepoint lists etc.
Thanks in advance
In a console or windows app when accessing the object model - when you are impersonating the user then the database connection will be made under the users account credentials - so in effect you will have to give each of your users fairly high level permissions to access the database (or better make them a member of a group that has these permissions).
http://technet.microsoft.com/en-us/library/cc721638(office.12).aspx
This is different to the web app where the account used is the AppDomain account of the IIS site.
However - this is a very non-standard setup and is fraught with security risks - do you really want to give your users permission to access that database directly?
Instead can I suggest that you look again at your design - what are you trying to achieve?
Running the console application in the context of the same user as the application pool did the trick. So the solution would be to use the runas command.
I set up a new virtual directory in IIS under the Default FTP Site. I already have other virtual directories, and I'm able to access them with my user account, which is a domain admin. I created an account named FTPuser, gave it full permissions to the virtual directory, but I can't open the site. When I log in, I get a Success Audit event in Event Viewer, so my account is being authenticated. But the site doesn't appear, I just get the login box again.
I ran Process Monitor and saw different behavior between the two login scenarios. When I login to the same FTP site with my admin account, I get a SUCCESS result in Procmon when trying to access the folder that is specified as the home directory for my Default Web Site. But I get an ACCESS DENIED message when trying to connect as the FTPuser. Above that in the log, it also shows a NO SUCH DEVICE error trying to connect to the IPC$ share on that drive (the one containing the home directory).
When I look at the permissions, both accounts seem to have Full Control on the relevant directories. Can anyone point me in the right direction as to what is going on here?
Thanks.