Running Ex2k SP1 on Win2k Server SP2, with Ex2k server as 
Domain Controller.
I instantiate a CDO.Message object in ASP and execute the 
Send method, upon which I get an "Access is denied" error. 
The user is a normal domain user in Active Directory and 
can send emails when using OWA.
A Domain Admin user can send emails without problems.
Other commands, as objMessage.DataSource.SaveToContainer 
can be executed by any user without problems.

What kind of permissions configuration am I lacking?

Sounds like the user doesn't have permissions to submit the message to 
the local pickup directory of the SMTP service. Or do you use CDOSYS 
with a configuration object and submit the message to a remote 
server/port?

<Siegfried />

> -----Original Message-----
> From: Morten Gr=F8tan [mailto:morten.grotan@e...]
> Sent: Wednesday, March 20, 2002 3:06 PM
> To: ASP CDO
> Subject: [asp_cdo] "Access is denied" when sending messages
>
> Running Ex2k SP1 on Win2k Server SP2, with Ex2k server as
> Domain Controller.
> I instantiate a CDO.Message object in ASP and execute the
> Send method, upon which I get an "Access is denied" error.
> The user is a normal domain user in Active Directory and
> can send emails when using OWA.
> A Domain Admin user can send emails without problems.
> Other commands, as objMessage.DataSource.SaveToContainer
> can be executed by any user without problems.
>
> What kind of permissions configuration am I lacking?

Please keep replies to the list so that everybody can participate in the
answer. Thank you!

Having said that, see my comments inline...

> -----Original Message-----
> From: Sandor Debreczeni (IntDev) [mailto:debreczeni@i...]
> Sent: Wednesday, March 27, 2002 3:54 AM
> To: Siegfried Weber
> Subject: Re: [asp_cdo] RE: "Access is denied" when sending messages
>
> *	Allow IUSR_xxxx or the the given user account READ access to
> Exchange directories, such as C:\Program Files\exchsrvr\mdbdata on the
> server (emails are stored there)

This is not necessary and actually is a security breach I would not make
at all. The above directory holds the Exchange 5.5/2000 database files.
Those need to be accessible *only* by the Exchange Information Store
service itself and *not* by any user account except the Administrator.

> *	Allow the same rights to Program Files\Common Files folders,
such as
> CDO under Microsoft Shared, and WINNT\SYSTEM32 folder

This is absolutely not necessary to be done manually because it is
already set up by default.

> *	Register CDOSYS.DLL, or CDOEX.DLL with regsrv32 such as
> "regsvr32.exe cdoex.dll" or

This is *not* necessary on a Windows 2000/Exchange 2000 machine. Those
libraries are installed and registered properly. If not the system
configuration is damaged and needs to be rebuild. Note that on a plain
Windows 2000 machine CDOEX does *not* exist and there is *no* supported
way to install it without installing Exchange 2000 Server itself.

> 	" regsvr32.exe 'c:\program files\exchsrvr\bin\cdo.dll' "

Again.. This is *not* necessary on a Windows 2000/Exchange 2000 machine.
This library is installed and registered properly. If not the system
configuration is damaged and needs to be rebuild.

> *	Give the accounts READ access to all exchange registration
> information (use regedit.exe or regedt32.exe)

I don't know what "exchange registration information" you are referring
here. But I just can tell that this is not necessary if the system
installation hasn't been screwed up.

I'm pleased to tell that the problem has been solved! First of all SP2 for 
Ex2k must be installed, as there is a confirmed bug regarding Domain Users 
not being able to send emails this way when the Ex2k server is also a 
Domain Controller.

The second thing you have to do is play around with some of the security 
policies. This is only necessary when the Ex2k server is also a Domain 
Controller, as the security policies are then tightened somewhat (only 
admins are allowed to do things programmatically by default). The only 
thing you have to change is the "Log On Locally" policy under "Domain 
Controller Security Policy". There you must add "Domain Users". As this 
setting has been set for the Domain Controller it is "inherited" down to 
the regular "Local Security Policy" (checkbox "Policies in effect" is 
checked for the corresponding local policy).

Case closed!

I forgot to tell that you also have to use a configuration object in order 
for it to work. Plain invocation of the Send method still returns "Access 
is denied" without a configuration object. I don't have the syntax for it 
right here, but it involved setting the "sendusing" property as well as 
the mailbox url. One bonus with using a configuration object this way is 
that the sent message will automatically be put in the "Sent items" 
container. You don't have to invoke "...DataSource.SaveToContainer" 
afterwards.