Exchange permission issues for a single user on a generic mailbox

We created a new generic mailbox in Exchange 2010, created a global group and added the users to it. We then created a universal group, added the global group to it, and granted the universal group full mailbox permissions on the generic mailbox.
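The setup described above, reproduced as an added example in the Exchange Management Shell (this is not the post's own script). Group and mailbox names are placeholders; it assumes the ActiveDirectory module is available for the group nesting step and that, as in the post, the group given mailbox permissions is a universal group.

```powershell
# Added example, not from the original post. Names are placeholders.
$Shared    = "generic.mailbox"        # the generic (shared) mailbox
$Universal = "GenericMailbox-Access"  # new universal security group
$Global    = "GenericMailbox-Users"   # existing global group holding the users

# Create the universal group as a mail-enabled security group.
New-DistributionGroup -Name $Universal -Type Security -SamAccountName $Universal -Alias $Universal

# Nest the global group inside the universal group.
# Assumption: ActiveDirectory module loaded (Import-Module ActiveDirectory).
Add-ADGroupMember -Identity $Universal -Members $Global

# Grant Full Access on the shared mailbox to the universal group.
Add-MailboxPermission -Identity $Shared -User $Universal -AccessRights FullAccess -InheritanceType All

# Verify: explicit (non-inherited), non-deny entries that carry Full Access.
Get-MailboxPermission -Identity $Shared |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.AccessRights -contains "FullAccess" } |
    Select-Object User, AccessRights
```

The verification step is worth keeping around: when one member of the group cannot open the mailbox, seeing the group listed with FullAccess here rules out the ACL itself and points the investigation at the user object, which is where the post ends up.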

After the obligatory 24-hour wait for Exchange to update its permissions, 4 of the 5 users in the global group had access to the generic mailbox. The 5th user could not access the mailbox via Outlook or webmail and got permission-denied errors.

We tried removing them from the group and re-adding them, with no success. We tried migrating their mailbox back and forth, with no success.

Finally, after some digging, we think we figured out the problem.

The user in question had originally been migrated from Exchange 2003 to 2010. Then at some point while on Exchange 2010 we had to purge/re-create their Mailbox.

The process of purging and re-creating their mailbox changed their LegacyDN to the new, correct format for Exchange 2010 and dropped their old Exchange 2003 LegacyDN.

To view a user's LegacyDN, run the following PowerShell command:

# Get-MailboxStatistics does not show LegacyDN in its default table view,
# so pipe it to Format-List to display that property:
Get-MailboxStatistics -Identity <USERNAME> | Format-List LegacyDN

# For Exchange 2007 or newer you'll see a LegacyDN like this:
LegacyDN : /O=<ORGANIZATION>/OU=EXCHANGE ADMINISTRATIVE GROUP (<RANDOM LETTERS/NUMBER>)/CN=RECIPIENTS/CN=<USERNAME>

# For Exchange 2003 or older you'll see a LegacyDN like this:
LegacyDN : /O=<ORGANIZATION>/OU=<DOMAIN>/CN=RECIPIENTS/CN=<USERNAME>

What we ended up doing was re-creating their Exchange 2003 LegacyDN as a new X500 address on their mailbox, and they were instantly able to access the generic mailbox.
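The fix described above, as an added example (not the post's own commands): record the user's current LegacyDN and existing X500 addresses, then add the old Exchange 2003 LegacyDN back as an X500 proxy address. The user name and the old DN are placeholders; the real old DN has to come from your own records (its shape is the Exchange 2003 format shown above). It also assumes the `@{Add=...}` syntax for the EmailAddresses parameter works on your Exchange 2010 build.

```powershell
# Added example, not from the original post. Values are placeholders.
$User  = "jdoe"
# Constructed placeholder for the old Exchange 2003 legacyExchangeDN.
$OldDN = "/O=CONTOSO/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=JDOE"

# Current LegacyDN (Exchange 2010 format) for comparison.
(Get-MailboxStatistics -Identity $User).LegacyDN

# Existing proxy addresses as plain strings; old DNs live in the X500 entries.
$Existing = (Get-Mailbox -Identity $User).EmailAddresses |
    ForEach-Object { $_.ProxyAddressString }
$Existing | Where-Object { $_ -like "X500:*" }

# Add the old DN as an extra X500 address. Add= leaves the other addresses alone;
# -notcontains is case-insensitive, so an existing entry is not duplicated.
if ($Existing -notcontains "X500:$OldDN") {
    Set-Mailbox -Identity $User -EmailAddresses @{Add="X500:$OldDN"}
}

# Verify the new address is present.
(Get-Mailbox -Identity $User).EmailAddresses |
    Where-Object { $_.PrefixString -eq "X500" } |
    ForEach-Object { $_.ProxyAddressString }
```

X500 proxy addresses exist so that Exchange can still resolve a recipient from an old legacyExchangeDN that clients or cached entries carry, which is why restoring the Exchange 2003 value as an X500 address takes effect immediately. If it turns out not to have been the cause, the same parameter with `@{Remove="X500:$OldDN"}` takes the address off again.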

It could always be coincidence...
