Today, while implementing an Exchange 2010 project, I found that some users could not access OWA after being moved; all of them got a user name and password error. When I saw this problem, I thought it might be caused by user rights or policy, so I went through a few steps:
1. Locate a user who has the problem and copy that user to create a new account, to avoid destroying the original user's attribute configuration during testing;
2. See whether OWA can be accessed after modifying group membership and moving the account to other OUs;
3. OWA was still inaccessible, so I suspected a problem with the user account's attributes and checked the user's security attributes, comparing them with a normal user's. Microsoft also has a solution for OWA being inaccessible for this reason, shown below:
Reason
This exception may occur if the Allow Inheritable Permissions check box is not selected on the user object or OU container in Active Directory Users and Computers.
You should also verify that the Exchange Servers group appears on the Security tab of the top-level domain container. The top-level container requires this security group, and the security group must be propagated to each organizational unit that contains the user before the user can successfully log on to Outlook Web Access.

Before you begin
To perform the following steps, the account that you use must be delegated membership in the Domain Administrators group.
For more information about the permissions, role delegation, and rights that are required to manage Microsoft Exchange Server 2007, see Permissions considerations.

Steps to set permissions for users and organizational units by using Active Directory Users and Computers
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Open the properties of a user who cannot log on to Outlook Web Access.
4. Click the Security tab, and then click Advanced.
5. Select the Allow Inheritable Permissions check box if it is not already selected.
6. Repeat steps 3 through 5 for each organizational unit between the user object and the top-level container.
7. Allow time for replication.

To set permissions for a top-level container by using Active Directory Users and Computers
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Open the properties of the top-level container in the domain of the user who cannot log on.
4. Click the Security tab.
5. Verify that the Exchange Servers group appears in the Group or user names list. If it does not appear in the list, add the group. You do not have to set permissions for the Exchange Servers group.

In fact, the problem I ran into today was not resolved by the method above. The cause was that the AD user attribute was set to allow this user to log on to only a certain computer. This problem is not necessarily related to the Exchange version. Although I had encountered this problem before and was able to find a solution quickly, it took me a long time to work out the same problem today, so it is worth writing down in the blog for future reference.
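
The three checks discussed in this post (inheritable permissions from the user up to the domain root, the Exchange Servers group on the top-level container, and the "Log On To" restriction) can be read in one pass. This is an added example, not code from the original post or from Microsoft's article; it assumes the ActiveDirectory RSAT module, a user in the current domain, and uses a hypothetical function name `Test-OwaLogonPrereq` and a constructed account name.

```powershell
# Added example: read-only checks. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-OwaLogonPrereq {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user   = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    $rootDn = (Get-ADDomain).DistinguishedName   # assumes the user is in the current domain

    # 1. Inheritance on the user object and every container up to the domain root.
    $dn = $user.DistinguishedName
    while ($dn) {
        $blocked = (Get-Acl -Path "AD:\$dn").AreAccessRulesProtected
        [pscustomobject]@{
            Check  = 'Inheritable permissions'
            Object = $dn
            OK     = -not $blocked
            Detail = $(if ($blocked) { 'inheritance disabled' } else { 'inherits from parent' })
        }
        if ($dn -eq $rootDn) { break }
        $dn = ($dn -split '(?<!\\),', 2)[1]      # parent DN: text after first unescaped comma
    }

    # 2. Exchange Servers group present on the top-level (domain) container ACL.
    $entries = (Get-Acl -Path "AD:\$rootDn").Access |
        Where-Object { $_.IdentityReference.Value -like '*\Exchange Servers' }
    [pscustomobject]@{
        Check  = 'Exchange Servers on domain root'
        Object = $rootDn
        OK     = [bool]$entries
        Detail = "$(@($entries).Count) ACL entries"
    }

    # 3. "Log On To" restriction (userWorkstations), the cause found in this post.
    $ws = $user.LogonWorkstations
    [pscustomobject]@{
        Check  = 'Log On To restriction'
        Object = $user.DistinguishedName
        OK     = [string]::IsNullOrEmpty($ws)
        Detail = $(if ($ws) { "restricted to: $ws" } else { 'all computers' })
    }
}

# Constructed account name, for illustration only:
# Test-OwaLogonPrereq -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Any row with `OK = False` points at the object to open in Active Directory Users and Computers; run it against the copied test account and a working account to compare.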