Only Domain Admins Can Use OWA/POP3?

Eldaria

Programmer
Sep 20, 2001
123
NL
I love this Forum...
So here is another question. :)

I'm having trouble: only users who are Domain Admins or higher are able to log in to OWA and to use the POP3 login.

I have already tried to allow the user to "log on locally" in the Policies. This was suggested by some other people I know.

It is kind of a security issue that a user needs to have Domain Admin to use OWA, since when I grant a user that kind of level, they are able to just change the username in Internet Explorer to open other people's mailboxes. (Not good.)

Regards.
Brian Levinsen
Eldaria

That was my 25cent** of opinion.

** Inclusive Interest, tax on interest, General tax, Environmental tax, Tax, and tax on interest, tax on fees, tax on tax, and other various taxes and fees.
 
Check the other users' allowed protocols: are POP3 and HTTP in there?

If the answer is here, mark it, others can benefit from it too. If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
 
If you mean the Protocol Settings in Exchange Advanced in the user's Domain Profile, then yes, it is enabled.
Eldaria

 
Are you restricting your users from logging onto only certain computers? If so, you'll have to add your Exchange server to that list.
 
There is only one machine. It stays in a corner and plays Domain/Exchange/Router/Proxy/Web-server for 5 local users and about 4 external users.

So it is all configured locally on one PC.
Eldaria

 
Well, when a user attempts to access OWA, what exactly happens?
 
The password dialog reappears after the user types their username and password, and after 3 attempts, they get Access Denied.....

Eldaria

 
Ok, that is usually an issue of either wrong username, password, or domain.

Set up a test case: have a user that's just a normal domain user attempt to access OWA, then change their user account to an admin and try again. What are the results?
 
They get in....
I have tried it myself. I created a brand-new test account using default settings, which had user-level access. I then tried to log in. No access.
I changed the user up to Domain Admin, and got in on the first attempt.

It has to be a security setting somewhere, because it does not matter from where the user tries to log in with OWA: whether it is from the Internet or from a PC that is a member of the same domain as the Exchange server, same error.

Even if the user fills in all the fields, username/password and domain, he/she cannot get in.
Eldaria

 
I have the EXACT same problem and have pulled out my hair on this (MicroSoft Bald). It seems like such an obvious and easy-to-repair issue, but as yet, despite 2^N setting changes (N>1000), no luck. We had an NT 4 domain before w/ Exch 5.5, which was disabled before we went Win2k. Our domain for AD is my-company.com while the default policy and allusers have mycompany.us addresses. We are trying to have users access via 443 on SSL and have UDP & TCP on that as well as 110 and 25 redirected to the server. When port 80 (for non-SSL access) is opened, the results are the same. OWA works very well for domain admins only. A bottle of scotch to the one who solves this. I have tried everything here among others:


and though they seem to be on topic, they were no help to me. Please post if they helped you.
 
Do these users have the "Log on Locally" security right for the server? Are they in a group that does? They must have this right on the exchange server in order to use OWA. If they do not have it, they will continue to be prompted for credentials.
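A way to check the right described in the reply above, as an added example that is not part of the original thread: it parses a user-rights export in the INF layout written by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and evaluates "Log on locally" for a given set of token SIDs. The export text, the domain SID, the RIDs and the two token lists are constructed sample values.

```python
"""Added example: evaluate "Log on locally" from a secedit user-rights export."""

# Constructed sample in the INF layout written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (real exports are UTF-16; decode the file before passing the text in).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

def parse_privilege_rights(text):
    """Return {right_name: set_of_principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; plain account names do not.
            members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def can_log_on_locally(rights, token_sids):
    """Deny overrides allow, evaluated over every SID in the user's token."""
    token = {s.upper() for s in token_sids}
    allowed = token & rights.get("SeInteractiveLogonRight", set())
    denied = token & rights.get("SeDenyInteractiveLogonRight", set())
    return bool(allowed) and not denied

RIGHTS = parse_privilege_rights(SAMPLE_EXPORT)
# Constructed tokens: user SID (RID 1105/1106), group SIDs, well-known SIDs.
NORMAL_USER = [f"{DOMAIN}-1105", f"{DOMAIN}-513", "S-1-1-0", "S-1-5-32-545"]
DOMAIN_ADMIN = [f"{DOMAIN}-1106", f"{DOMAIN}-513", f"{DOMAIN}-512", "S-1-1-0", "S-1-5-32-544"]

if __name__ == "__main__":
    for label, token in (("normal user", NORMAL_USER), ("domain admin", DOMAIN_ADMIN)):
        print(label, "-> log on locally:", can_log_on_locally(RIGHTS, token))
```

Take the export on the Exchange server itself, since that is where the right is evaluated, and compare the result with what the policy editors show.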
 
I have tried to add the user to Log on Locally in both the Domain Controller Security Policy and the Domain Security Policy.
With no effect: the user is still not able to log in to webmail or POP3.
msbald: Do you also run the Domain and mail server on the same computer? I think this must be the reason.
Oh, and a word of warning: if you are currently giving users Admin rights, you should know that they have access to all other users' mailboxes also, including the Administrator mailbox, just by changing the path in the browser....



Eldaria

 
Travis, yes, the users had the "log on locally" right to the server. Still only domain admins could access.

Eldaria, I have 5 servers; 3 are domain controllers, and the Exch server also hosts Norton Corp. My understanding was that a special group had to be created (Admins, domain admins, and enterprise admins are explicitly denied access to mailbox folders), so, while I didn't check, I don't think the temp admins had access, and the ignorance barrier provided plenty of security. I DO HAVE GOOD NEWS: I posted a solution I invented (didn't find it anywhere) on another thread here:

It worked for me. If there are glaring security problems w/ this I do not see them immediately, but please let me know. Also, if you know the locations of files/folders requested in the solution, please let me know so I can reverse engineer the folder traverse problem.
 