Symptoms
Consider the following scenario:
- You create a linked mailbox (MB1) on a Microsoft Exchange Server 2010 mailbox server in an Active Directory forest (forest A).
- MB1 is associated with a disabled user account (user A) in forest A.
- MB1 is linked to a linked master account (user B) in the trusted forest (forest B).
- User A is a member of a domain local group.
- You assign Full Access permission for another linked mailbox (MB2) in forest A to user B.
- User B tries to access MB2 by using Microsoft Office Outlook.
In this scenario, user B can access MB2 as an additional mailbox. However, user B cannot use a new profile to access MB2 as a primary mailbox. Additionally, the credential window pops up when user B types in credentials.
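To check whether an environment matches the scenario above, the following added example (not part of the original article) inspects each condition from the Exchange Management Shell in forest A. It assumes the ActiveDirectory module is available; `MB1`, `MB2` and `FORESTB\userB` are the article's scenario names used as placeholders.

```powershell
# Added example: verify the preconditions of the scenario described above.
# MB1, MB2 and FORESTB\userB are placeholders taken from the article's scenario.
Import-Module ActiveDirectory

$userB = 'FORESTB\userB'          # linked master account in forest B (placeholder)
$mb1   = Get-Mailbox -Identity 'MB1'
$mb2   = Get-Mailbox -Identity 'MB2'

# Condition 1: MB1 is a linked mailbox whose linked master account is user B.
$isLinkedToB = ($mb1.RecipientTypeDetails -eq 'LinkedMailbox') -and
               ($mb1.LinkedMasterAccount -eq $userB)

# Condition 2: the forest A account behind MB1 (user A) is disabled.
$userA = Get-ADUser -Identity $mb1.SamAccountName -Properties Enabled
$userADisabled = -not $userA.Enabled

# Condition 3: user A is a member of at least one domain local group.
$domainLocalGroups = @(Get-ADPrincipalGroupMembership -Identity $userA |
    Where-Object { $_.GroupScope -eq 'DomainLocal' })

# Condition 4: user B holds an explicit, non-deny Full Access entry on MB2.
$fullAccessEntries = @(Get-MailboxPermission -Identity $mb2.Identity -User $userB |
    Where-Object { ($_.AccessRights -contains 'FullAccess') -and (-not $_.Deny) })

# Summarize. New-Object is used instead of [PSCustomObject] so the script
# also runs on the PowerShell 2.0 host that Exchange Server 2010 uses.
New-Object PSObject -Property @{
    MB1LinkedToUserB       = $isLinkedToB
    UserADisabled          = $userADisabled
    UserADomainLocalGroups = ($domainLocalGroups | ForEach-Object { $_.Name }) -join ', '
    UserBFullAccessOnMB2   = ($fullAccessEntries.Count -gt 0)
    MatchesScenario        = $isLinkedToB -and $userADisabled -and
                             ($domainLocalGroups.Count -gt 0) -and
                             ($fullAccessEntries.Count -gt 0)
} | Format-List
```

If `MatchesScenario` is `True` and user B is prompted repeatedly for credentials when opening MB2 as a primary mailbox, the configuration matches the conditions this article describes.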
Cause
This issue occurs because the Authz API that the Client Access server uses performs an access check on the domain local group account in an incorrect way.
Resolution
To resolve this issue, install the following update rollup:
2645995 Description of Update Rollup 1 for Exchange Server 2010 Service Pack 2
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about how to create a linked mailbox, visit the following Microsoft website:
General information about how to create a linked mailbox

For more information about domain local group, visit the following Microsoft website:
General information about domain local group

For more information about how to create a new email message profile, visit the following Microsoft website:
General information about how to create a new email message profile

For more information about how to use Authz API, visit the following Microsoft website:
General information about how to use Authz API

For more information about how to deploy Exchange Server 2010 in an Exchange resource forest topology, visit the following Microsoft website:
General information about how to deploy Exchange Server 2010 in an Exchange resource forest topology