Some users may report that they are not able to access OWA after their mailbox has been moved to the Exchange Server 2007 server.

Check the properties of the account in Active Directory Users & Computers and verify that in the Security tab the account is configured to inherit permissions.  If the tick box is cleared you should tick it and apply the change.


On a larger scale this can be quite problematic.  If you find you need to apply this change to a lot of user accounts you can do it with a few quick command lines.

First use DSQuery to dump out a list of user accounts in an OU into an text file.

C:\>dsquery user ou=network users,dc=test,dc=local -scope subtree -limit 0 >users.txt

Using -scope subtree means DSQuery will enumerate the user accounts for all sub-OUs as well.  Using –limit 0 ensures that the results will not be cut off by the default limit of 100.

You can now use a For loop to process each user account with DSACLs.

C:\>for /F "delims=" %i in (users.txt) do (dsacls %i /P:N)

Be sure to set “delims=” as shown so that the spaces in the distinguished names of the users don’t get treated as delimiters.

It can be tempting to dump out the user list of the entire domain and apply this fix, but before you go down that path make sure you read and understand this article published by Microsoft.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


Leave a Reply