Ontrack (formerly Kroll) PowerControls Mailbox Permissions
What is causing rights issues copying mailboxes in PowerControls?
All versions of PowerControls for Exchange.
Symptoms / Description
Inability to live connect to a mailbox, and/or a MAPI_E_FAILONEPROVIDER error. When using the "Connect to all mailboxes on a server" option, PowerControls reports "Connection to Mailbox [mailbox name] Failed". Mailboxes show a red circle with a white line in the interface.
Option 1 (recommended): Create a domain user that is not a domain admin and has the correct permissions to write to mailboxes.
Any member of the Exchange Domain Servers group has the Full Mailbox Access permission set to "Allow". Domain Admins, however, have an explicit "Deny" on every mailbox except their own personal mailbox. To work around this, create a new user account that is a member of the Exchange Domain Servers group, specifically for the purpose of running PowerControls, and that is NOT a domain admin. This user will also need to be a local admin with logon rights to the workstation where Ontrack is deployed. You must be logged in as that user, and must launch Ontrack by right-clicking its icon and running it as admin. This will allow your new Ontrack Exchange user to restore email from a database backup to any live running user.
Option 2: Export the needed data to a PST file and provide it to the end user, or load it via their logged-in session.
If you are unable to create the required user permissions for a new user as described in Option 1, use Ontrack for Exchange to export the needed recovery data to PST format. Provide this PST to the end user with instructions to mount it, or directly assist the user in doing so through their logged-in session.
Option 3: Assign the domain admin read/write permissions to other users' mailboxes in Exchange.
It is possible inside Exchange to manually grant explicit permissions that let other users access mailboxes, but be advised that doing so may be considered a severe security and/or privacy violation in most environments. Use this option with caution: it effectively grants an admin the ability to access another user's inbox, bypassing the security protections normally in place, potentially with limited or no auditing, and it could be a violation of security or privacy laws in your nation.
Because of the nature of these commands, if you are unable to use Option 1 or 2 above, contact Unitrends Support, who will discuss the nature of these commands with you. Unitrends Support, however, will not provide direct assistance in running them or perform these modifications in your Exchange environment, and recommends against this option.
To write to a mailbox, Ontrack requires Outlook MAPI connectivity to a compatible version of Exchange and requires write permissions to the user mailbox. Though it is commonly assumed that Domain Admins have this right, they are in fact explicitly denied it on all mailboxes other than their own.
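The following PowerShell sketch is an added example, not Ontrack or Unitrends code. It shows why the dedicated account from Option 1 gets Full Mailbox Access while a Domain Admin is refused: a Deny entry is evaluated before an Allow entry. The helper name Test-FullAccess, the CONTOSO domain and the account names are hypothetical, and the entries are constructed samples shaped like the output of the Exchange Management Shell cmdlet Get-MailboxPermission.

```powershell
# Added example: entries are shaped like Get-MailboxPermission output
# (User, AccessRights, Deny, IsInherited). Test-FullAccess is a hypothetical helper.
function Test-FullAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,    # permission entries of one mailbox
        [Parameter(Mandatory)] [string[]] $Principals  # the account plus every group it belongs to
    )
    # Keep only FullAccess entries that name the account or one of its groups.
    $relevant = @($Entries | Where-Object {
        ($_.AccessRights -contains 'FullAccess') -and ($Principals -contains [string]$_.User)
    })
    if ($relevant.Count -eq 0) {
        return [pscustomobject]@{ Allowed = $false; DecidedBy = 'no matching entry' }
    }
    # Simplified canonical ACL order: direct (non-inherited) entries first,
    # and Deny before Allow within each group. The first entry decides.
    $first = $relevant |
        Sort-Object @{ Expression = { [int]$_.IsInherited } }, @{ Expression = { [int](-not $_.Deny) } } |
        Select-Object -First 1
    [pscustomobject]@{ Allowed = (-not $first.Deny); DecidedBy = [string]$first.User }
}

# Constructed sample entries for one mailbox (both inherited in this sample).
$entries = @(
    [pscustomobject]@{ User = 'CONTOSO\Domain Admins'; AccessRights = @('FullAccess')
                       Deny = $true;  IsInherited = $true }
    [pscustomobject]@{ User = 'CONTOSO\Exchange Domain Servers'; AccessRights = @('FullAccess')
                       Deny = $false; IsInherited = $true }
)

# Dedicated restore account from Option 1: in Exchange Domain Servers, not a domain admin.
$restoreAccount = @('CONTOSO\svc-restore', 'CONTOSO\Exchange Domain Servers')
# A domain admin who was also added to Exchange Domain Servers: the Deny still decides.
$domainAdmin = @('CONTOSO\admin1', 'CONTOSO\Domain Admins', 'CONTOSO\Exchange Domain Servers')

Test-FullAccess -Entries $entries -Principals $restoreAccount
Test-FullAccess -Entries $entries -Principals $domainAdmin
```

Against a live server, the entries would come from Get-MailboxPermission for the target mailbox and the principal list from the account's actual group memberships.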