Exchange Admin Console – Migration Issue with Administrator Account

After a bit of wrangling, it has become apparent that I had forgotten one of the changes made with Exchange 2007. Since Exchange 2007 the permissions model for administrators and regular users became split. Only non-admin accounts allowed inheritable permissions to propagate, while admin accounts did not. This has caused people issues with OWA (OWA 2007), BlackBerry devices and ActiveSync devices. However, this same feature has now reared it’s head a bit differently in Exchange 2013.

With the release of SP3 for Exchange 2010, migrations of users from 2010 to 2013 are coming closer to fruition. While this will be good for corporation who need the new features in Exchange 2013, it will cause headaches for administrators moving to the new Exchange Administration Console (EAC). Remember that the new console (EAC) is all web based, just like the Exchange Control Panel (ECP) was in Exchange 2010.

This brings us to the issue for logging into the EAC. If you have an administrator account that had previously been used to log into OWA or ECP you will notice a strange behavior after you migrate your mailbox to Exchange 2013. After the mailbox has moved to Exchange 2013 and you try to log into the EAC you will notice that instead of the new Exchange 2013 interface, you will see the old ECP interface. What? How is that possible? The EAC login screen is the new Exchange 2013 login screen. If you log into OWA for Exchange 2013 with this administrator account you will find the old Exchange 2010 interface loads up.

How to fix this?
Inheritable permissions. The same change that made ActiveSync, OWA and BlackBerry work in previous versions of Exchange works for the EAC as well. Open up AD Users and Computersm (don’t forget the Advanced checkbox!) find the account in one of those special groups, click on the Security tab, click on ‘Advanced’ and click on the (depending on the OS):

Windows 2012

EAC-Issue-01

Windows 2008

EAC-Issue-02

Once this is checked, you should be able to log into the Exchange 2013 EAC without any further issues.


UPDATE
It seem the permissions are applied approximately 1-2 hours later. I’ve only testes OWA and the EAC so far. Will do further testing by tomorrow.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s