So our environment is basically we have an Exchange 2003 server, and we're attempting to move to Exchange 2010 gradually, and move to new hardware while we're at it.
So our first step was obviously to get Exchange 2010 installed on the new box. However, after running the domainprep steps listed in http://technet.microsoft.com/en-us/library/bb125224.aspx (including PrepareLegacyExchangePermissions) our mailbox permissions get messed up.
Normally, we have an AD security group for Exchange Administrators that allows anyone in that group to view all folders inside any user's mailbox. However, now, this functionality is gone and our Exchange Admins can't access anyone's mailboxes. We'd like to get this functionality back if we could.
Thanks
When you look at the ACL on a mailbox, is your Exchange Administrators group still there? Or has it been removed?
Also, there is normally a Deny entry in the ACL for Domain Admins, so even if you've got another group with Allow, the Deny will override that.
Standard AD permissions on Exchange mailboxes include an explicit deny to the Domain Admins and Enterprise Admins groups (and some other ones); this ACE is applied at the organization level, and inherited by everything Exchange-related (including databases and mailboxes). I don't know how ACLs were configured in your environment, but there is a very good chance the preparation steps of Exchange 2010 applied some default permissions which were different than what you are used to; the standard rule for Exchange is that nobody should have access to someone else's mailbox contents unless that kind of access is explicitly granted by the owner, and this is true for everyone, including Exchange Organization Administrators.
I suggest looking into actual object ACLs using some tool such as ADSIEdit; alternatively, you can manage security on the Exchange organization object (and downwards) using the "Services" node of the Active Directory Sites and Services console.
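The Deny-over-Allow behaviour described in the answers above, as an added example that is not part of the original thread: a small PowerShell function that walks a list of ACEs and reports which entry decides mailbox access for a given account. The ACE objects are constructed samples shaped like `Get-ADPermission` output; the `CONTOSO` domain, the accounts `alice` and `bob`, and the function names are hypothetical, and only ACEs that name the `Receive-As` extended right are considered.

```powershell
# Added example. ACE objects mimic the properties Get-ADPermission emits:
# User, Deny, IsInherited, ExtendedRights. All values below are constructed.
function New-SampleAce($User, $Deny, $Rights) {
    New-Object PSObject -Property @{
        User = $User; Deny = $Deny; IsInherited = $true; ExtendedRights = $Rights
    }
}

function Get-MailboxAccessVerdict {
    param(
        [object[]]$Ace,                 # ACEs in DACL order
        [string[]]$Token,               # the account plus every group it belongs to
        [string]$Right = 'Receive-As'   # extended right that opens mailbox contents
    )
    foreach ($a in $Ace) {
        $rights = @($a.ExtendedRights | ForEach-Object { "$_" })
        if (($Token -contains "$($a.User)") -and ($rights -contains $Right)) {
            # For a single right, the first ACE that matches the token decides.
            $verdict = 'Allowed'
            if ($a.Deny) { $verdict = 'Denied' }
            return New-Object PSObject -Property @{
                Verdict = $verdict; DecidedBy = "$($a.User)"; Inherited = $a.IsInherited
            }
        }
    }
    # No ACE names the right for this token: access is implicitly denied.
    New-Object PSObject -Property @{
        Verdict = 'Denied'; DecidedBy = '(no matching ACE)'; Inherited = $null
    }
}

# Constructed ACEs, inherited from the organization level, denies listed first.
$aces = @(
    (New-SampleAce 'CONTOSO\Domain Admins'           $true  @('Receive-As', 'Send-As')),
    (New-SampleAce 'CONTOSO\Enterprise Admins'       $true  @('Receive-As', 'Send-As')),
    (New-SampleAce 'CONTOSO\Exchange Administrators' $false @('Receive-As'))
)
# Against a live system (assumption: output order follows the DACL):
#   $aces = Get-ADPermission -Identity '<mailbox database name>'

# Account in both groups: the Deny on Domain Admins is reached before the Allow.
Get-MailboxAccessVerdict -Ace $aces -Token 'CONTOSO\alice', 'CONTOSO\Domain Admins', 'CONTOSO\Exchange Administrators'
# Account only in the Exchange group: the Allow is the first matching ACE.
Get-MailboxAccessVerdict -Ace $aces -Token 'CONTOSO\bob', 'CONTOSO\Exchange Administrators'
```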