Monday, April 28, 2014

Changing Mailbox Permissions in Exchange Not Working

Over the years I have had numerous customers contact me and complain that when they change mailbox permissions such as "Manage Full Access Permissions" in the GUI or by changing permissions in Exchange Management Shell, the permissions do not apply to end users.  Other times administrators remove permissions to a mailbox and complain that the user still has access to the mailbox.

I always end up explaining to my customer "the change will work, just wait longer".  I want to take a few seconds to look into what is happening.

When you change permissions on a mailbox, the permission is not being set on the mailbox but in fact in Active Directory.  It takes time for the Exchange server to commit the change made to the information store.  This is due to the MBI cache which runs on the Exchange information store.

The information store caches information contained in the directory store and by default re-reads it every 120 minutes.  Any change made to Active Directory such as a mailbox permission change is not read by the information store for at least 2 hours.  It is also important to note that if the information store is idol (not busy) for over 15 minutes it can update its MBI cache faster from Active Directory.

Is there a way I can force the permission change made to the Exchange server?  Yes there are two ways of achieving this:
  • Reboot the Exchange Server
  • Restart the Information Store service
Both of these methods will result in down time.

It is also possible to tweak how often the MRI cache is updated by the information store service by modifying the registry.  The MRI cache is controlled by two registry settings, "Mailbox Cache Age Limit" and "Mailbox Cache Idle Limit".  The default for these settings are as follows:

Mailbox Cache Age Limit = 120 minutes
Mailbox Cache Idle Limit = 15 minutes

These registry values are REG_DWORD and are located under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

NOTE: This registry entry is not a switch, it is a setting. If it is set to 1 the server rereads the cache every minute; if it is set to 2 the server rereads the cache every 2 minutes, and so forth.

If you change these registry keys you must restart the information store service for the change to take effect.

For more information about these registry values please see:

http://technet.microsoft.com/en-us/library/aa996988.aspx

As a general rule of thumb I would not recommend companies modify these default values, there is no need for it.  Just be patient and your permission change will automatically take effect.

In regards to Exchange 2013 I'm not sure if it follows the same behaviour as previous versions of Exchange such as 2007/2010.  In Exchange 2013 the information store has been overhauled and has been divided into separate worker processes responsible for each database.  Due to these architecture changes, the MBI cache may work/update differently.  If you are reading this and have experience with MRI cache and Exchange 2013, please feel free to comment below and share the knowledge!

4 comments:

  1. Thanks Clint, good explanation of an issue I had recently.

    ReplyDelete
  2. Thanks for the info. What do the MBI and MRI acronyms stand for?

    ReplyDelete
  3. MBI = Mail Box Information. Basically there is a structure in the memory space of the information store service process containing data related to mailboxes that are currently in use in some way. It is mostly comprised of Active Directory attributes. MRI is just a typo I believe.

    ReplyDelete
  4. Interesting article, but you do realise there are definitely cases where the permissions won't ever take effect (we've waited 48 hours in some cases), especially if you make a lot of changes in one go - it's almost as if there are too many alterations it just ignores them!

    ReplyDelete