gennifer asked:
Outlook 98 Inbox Security

I am running Outlook 98 (ver 8.5.5104.6) on Windows NT 4.0 Workstation, which communicates with an Exchange 5.5 (SP1) server. How can I prevent the following:
When a user clicks on the File menu and chooses Open, Other User's Folder, they can open anyone's Inbox.
david_levine

Try this:

Start Exchange Administrator and click on your Site. Then click on File | Properties. Then click on the Permissions Tab. Make sure that your domain users do NOT have User rights within Exchange Server. If they do, anyone will be able to open anyone else's inbox.

Let me know if that is the case or not.
gennifer (asker)

Thanks for the reply. I have checked what you explained and in fact 'Domain Users' had 'User' rights. I removed Domain Users from the Permissions tab. But people can still freely open each other's Inbox!
They might need to log out / in to lose it. You might also want to re-boot the server as well. If that still doesn't work, reject my answer and see if someone else can help.

David
This had no effect. Is there anything else that I can try?
A few questions. First, are your clients storing their mail in a .pst (i.e., they have Personal Folders as a service)? If so, are the .pst files on the server? If they are using the Exchange folders for their mail, right-click on the user's Inbox in the Folder View. Select Properties, and then Permissions. Is the default permission set to None? Are there any permissions listed?

Depending on those answers, I may have a solution.

AJC
I am running the following services in Outlook 98:

Microsoft Exchange Server
Outlook Address Book
Personal Address Book

All clients have .pst files on their local drives; none are stored on the server. The properties for their mail (Exchange folders) are set to 'Default - None'. There is one permission listed, and it is the client's name with properties set to Owner.

Any help on this matter is much appreciated.

Thanks,
Gennifer
Hrmm... Since you don't have Personal Folders listed as a service, those .pst files should be moot. Their mail, by that setup, is being delivered to "Mailbox - Username." The permissions shouldn't need to include the username. Just to be sure, go down one level in the folders to Inbox. Check properties there too; it should only have "Default - None" as the permission.

If that's the case, I think we may need to look back at Services, Exchange Server, Advanced and see what Logon Network Security is set to.

Keep at it.

AJC
The permissions are set to "Default - None". Do I need to check something on the Exchange Server? Every client is able to open each others 'Inbox', etc.. This is not good! Help, please!

Thanks,
Gennifer
On the client still, check out Services, Microsoft Exchange Server, Advanced.  What does it say at the bottom regarding Logon Network Security?

AJC
It says NT Password Authentication.
Another question or two. What service pack are you running on the NT Server where Exchange resides?  NT Server SP4 had some authentication issues with Exchange.  MS has a patch available if that is the case.

Secondly, in the directory on that server, what are the user rights?

Persistence counts
AJC
Exchange 5.5 with SP1 running on NT Server 4.0 with SP4. In regard to your second question: what directory are you referring to? User rights: Domain Users and Everyone are set to READ for a CLIENT directory. Other than that, permissions are set for Admin, etc.
I checked with an Exchange guru.  He seems to think the problem is in the Exchange Container Permissions.  He thinks there is a group - likely Everyone - that has Service Rights to mail container.  You will need to go to that container and reset those rights.  Does any of this make sense to you?

AJC
The concept makes sense, but this simply is not the case. Unless I'm overlooking something, how do I go about checking the Exchange Container Permissions?
Try this
====
Start the Microsoft Exchange Administrator program.

On the Tools menu, click Options, and click the Permissions tab.

Make sure that the "Show Permissions Page for All Objects" and the "Display Rights for Roles on Permissions Page" check boxes are selected.

Next, choose the mailbox that needs to be opened by an additional user.

Select the Recipients container, and select the mailbox.

Double-click on the mailbox, or highlight the object and on the File menu, click Properties. Click on the Permissions tab.

In the "Windows NT accounts with Permissions" dialog box, click Add or Remove.

Select the Windows NT account to which you want to give access to the mailbox. Click Add, and click OK.
====
AJC


After doing what you suggested and rebooting the client and server, it had no effect.
In a word...bugger.

OK, what WERE the permissions set to?  Remember that permissions cascade down.  So if the users have rights granted from above they'll apply all the way down.  

Talked to two more Exchange admins.  They think it's in those permissions somewhere.  One more thing to check.  How are the users accessing the Exchange server?  Are they getting in as a group or individually?

If this is too much for a Friday night, worry about it next week.

AJC
Thanks for the persistence. All clients are accessing the server individually not as a group(s).
I will poke around with permissions and see what I can discover.

;~(

Look forward to chatting next week.
Once more into the breach...

Ok gennifer, there are quite a few places for inherited rights to be causing this trouble. The best way is to start from the top and work your way down.

In Exchange Admin, on the left side of the screen, go to the top-level container. Under File, check Properties, Permissions. You will have quite a few containers to move to, depending on how big the system is. Check Configuration and Servers. The Service Level permission has been granted to a group there. The next thing to check is which groups your users belong to. It's a bit cumbersome, but it's buried in there somewhere.

By the way, I don't think you mentioned how big this system is.  How many users/servers are we talking about?

Good luck
AJC
astolfo,

There are only two ways to recover the information. Just so you know where I am coming from... I worked in Back Office Support for Microsoft Exchange. Several times I had network administrators on the phone that had their butts hanging in the wind because of something they had done that hosed the OST file(s). There is no true recovery for OST files. Period.

If the OST is truly orphaned, there is ONLY one way to try to get the information back: Restore the workstation from tape backup and log on by choosing ‘work off-line’. That’s it. There is no recovery, just restore and work off-line to get to the information.

The second possible way to get into the OST file <sort of time critical>: if you haven’t logged on to a new mailbox with the original profile, you can log on and choose work off-line. Export the information to a file and exit your session. This normally isn’t an option because as soon as you log on to the new mailbox with the original profile the old OST file is no longer accessible.

As a matter of fact, as a BOS engineer and a network administrator, I usually had the end user create a new profile. That left the old one intact and if it was necessary (about the time the user said ‘Oh my gosh, where are those emails I had created?’) we can log on to the old profile and work off-line to get the old email. No slight to the end user, it was my job to know about this type of issue not theirs.
gennifer,

Since the answer has been posted already, I'll post as a comment and clarify what has been said.

If all users can see all other users mailbox folders, then it is indeed a permissions issue on the Exchange Server.

There are 3 security contexts in Exchange. Open the Admin program. The top-level object, and the first security context, is the Organization container. It is the highest-level object on the right-hand side. In my test environment, I have named it Yellowstone. The second security context is the Site container, called BigBend on my test box. The third security context is the Configuration container. That is where your problem lies. The other two security contexts may be screwed up on your Exchange server, but this is the only one that would allow all users to see all users' mailboxes if it is not set correctly.

If you haven’t exposed the Permissions tab, do so now by clicking on Tools -> Options, then click the Permissions tab, then click the ‘Show Permissions page for all objects’ check box in the middle of the screen. You should also expose the rights by checking the second box there, ‘Display rights for roles on Permissions page’.

Click on the Configuration container. Click on File->Properties. Click the Permissions tab. You will need to closely review the list box titled ‘Windows NT accounts with permissions’. This is where the users are getting permissions to see anyone’s mailbox.

One scenario off hand that I can think of that would give you the problem you are having is… Domain Users group has been added here. The only account that must be in this context is the service account. Remove all other accounts. Create a new account called ‘emergency’ or some such. Add it to the context. Now have someone log off of their machine and log back on. Start Outlook and try to open someone else’s folder.

Darin
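The advice in this thread (from david_levine's first answer through AJC's "start from the top and work your way down" and Darin's three security contexts) boils down to one fact: a role granted on a container cascades to every object beneath it, so a broad group holding a role with the Mailbox Owner right at the Organization, Site or Configuration level lets every member open every mailbox. The following Python script is an added example, not code from the thread or from Microsoft, that models that cascade and the audit the posters describe: it walks the path from the top-level container down to one mailbox, computes the effective rights for an account (its own entries plus those of its groups), lists the places where a broad group picks up Mailbox Owner, and refuses to remove the Exchange service account, which is the mistake that locks administrators out later in the thread. The container tree, the account names, the group memberships and the set of "broad" groups are all constructed; the role-to-rights table is an assumed simplification of the Exchange 5.5 roles (the thread points at Microsoft KB article Q168753 for the authoritative definitions), and "Mailbox Owner" is assumed to be the right that lets an account open a mailbox's folders.

```python
"""Effective-permission audit over a tree of Exchange 5.5-style containers.

Added example; not code from the thread or from Microsoft. The tree,
account names, group memberships and BROAD_GROUPS are constructed, and
ROLE_RIGHTS is an assumed simplification of the Exchange 5.5 roles
(see KB Q168753 for the real table).
"""
from dataclasses import dataclass, field

ALL_RIGHTS = {"Add Child", "Modify User Attributes", "Modify Admin Attributes",
              "Delete", "Logon Rights", "Modify Permissions", "Replication",
              "Mailbox Owner", "Send As", "Search"}
# Assumption: "Mailbox Owner" is the right that lets an account open a mailbox.
ROLE_RIGHTS = {
    "User": {"Modify User Attributes", "Mailbox Owner", "Send As"},
    "Admin": {"Add Child", "Modify User Attributes", "Modify Admin Attributes",
              "Delete", "Logon Rights"},
    "Permissions Admin": {"Add Child", "Modify User Attributes",
                          "Modify Admin Attributes", "Delete", "Logon Rights",
                          "Modify Permissions"},
    "Service Account Admin": set(ALL_RIGHTS),
}
# Assumption: groups that should never hold a mailbox-opening role on a container.
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}


@dataclass
class Container:
    name: str
    acl: dict = field(default_factory=dict)      # principal -> role name
    children: list = field(default_factory=list)

    def find(self, name):
        """Path (top-level container first) down to the container called `name`."""
        if self.name == name:
            return [self]
        for child in self.children:
            path = child.find(name)
            if path:
                return [self] + path
        return []


def effective_rights(root, target, account, groups):
    """Union of the rights `account` (or any group it belongs to) is granted on
    `target` and on every ancestor container: rights cascade down the tree."""
    principals = {account} | groups.get(account, set())
    rights = set()
    for node in root.find(target):
        for principal, role in node.acl.items():
            if principal in principals:
                rights |= ROLE_RIGHTS[role]
    return rights


def who_can_open(root, mailbox, groups):
    """Every known account that ends up with Mailbox Owner on `mailbox`."""
    return {acct for acct in groups
            if "Mailbox Owner" in effective_rights(root, mailbox, acct, groups)}


def broad_grants(root, mailbox):
    """Ancestors of `mailbox` where a broad group holds a role with Mailbox
    Owner: the 'start at the top and work down' check from the thread."""
    return [(node.name, principal, role)
            for node in root.find(mailbox)
            for principal, role in node.acl.items()
            if principal in BROAD_GROUPS and "Mailbox Owner" in ROLE_RIGHTS[role]]


def remove_grant(node, principal, service_account):
    """Drop one entry, refusing to touch the Exchange service account."""
    if principal == service_account:
        raise ValueError(f"refusing to remove the service account {principal!r}")
    node.acl.pop(principal, None)


def build_demo():
    """Constructed tree reproducing the symptom: Domain Users holds the User
    role on the Site, so every domain member owns every mailbox beneath it."""
    svc = "DOMAIN\\ExchangeServices"
    gennifer = Container("Mailbox - Gennifer", {"DOMAIN\\gennifer": "User"})
    bob = Container("Mailbox - Bob", {"DOMAIN\\bob": "User"})
    recipients = Container("Recipients", children=[gennifer, bob])
    config = Container("Configuration", {svc: "Service Account Admin"})
    site = Container("Site", {"Domain Users": "User", svc: "Service Account Admin"},
                     children=[config, recipients])
    org = Container("Organization", {svc: "Service Account Admin"}, children=[site])
    groups = {"DOMAIN\\gennifer": {"Domain Users"},
              "DOMAIN\\bob": {"Domain Users"},
              svc: set()}
    return org, site, groups


if __name__ == "__main__":
    org, site, groups = build_demo()
    print("can open Bob's mailbox:", sorted(who_can_open(org, "Mailbox - Bob", groups)))
    print("broad grants on the path:", broad_grants(org, "Mailbox - Bob"))
    remove_grant(site, "Domain Users", "DOMAIN\\ExchangeServices")
    print("after removal:", sorted(who_can_open(org, "Mailbox - Bob", groups)))
```

Run as-is, the first line lists every account (Domain Users cascades from the Site), `broad_grants` points at the Site entry, and after the removal only Bob and the service account keep Mailbox Owner on Bob's mailbox. Note that the audit reports inherited grants as the container they live on, which is the piece of information the GUI walk in the thread is trying to recover.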

I have checked the permissions on the Configuration Container as you have noted and found that there was an Administrator account with 'Permissions Administration' rights. I removed this and now people can't login to Outlook. Something about unable to open folders and insufficient rights to login.

Your help on this is much appreciated. I really am lucky that you are so nice to me on this matter and your persistence is amazing!

;~)
Ah, so you have found the guilty account. Are you sure the account is not 'Administrators' with an 's'?

It looks like the group everyone is part of the administrators group and that is how they are accessing all mailboxes.

Check one of the mailboxes properties by double clicking on it in the admin program. At the bottom of the mailbox properties page you will see the NT Account associated with the mailbox. What account is it? Is it the administrators account? Is it blank?

Darin
I think that by removing the Admin. account with 'Permissions Admin.' from the Configuration Container did the trick! Thanks to you!

Now, by removing this: Is there any downside? Why was it put there in the first place? It was a default install.

I've checked the recipients and none have 'Admin' rights or belong to an Admin group, so we should be in good shape.
Ooops.. That's one you should have held. You'll need to recreate that account. Since you are Admin of Exchange, add yourself with Permissions Administrator rights. Here is the MS explanation of what the roles are.  Hope this helps.  

Article ID: Q168753

AJC
Oh darn! I've tried adding myself 'Gennifer' (I have admin rights), but an error message pops up: the dialog box is 'Microsoft Exchange Administrator' and the message displayed is:
'You do not have the permissions required to complete the operation'
'Microsoft Exchange Directory ID no DS_E_INSUFFICIENT_ACCESS_RIGHTS'
Hmmm. Do you know what account is the Exchange Service account? You can find that information by looking at the properties of the configuration container and clicking on the Service Account Password tab. That will show you the account being used as the Service Account.

Is that the account that you removed from the security context? If it was, put it back NOW. No kidding. Hurry.

Let me know.

Darin
You will have to log in as the Service Account to make those changes now. Can you view the properties of the configuration object?

Darin
The only account in the Configuration Container is 'Exchange Services' with 'Service Account Admin.' rights. I believe that this should be the ONLY account for this container. Is this correct?
When you log in to the Exchange Server are you logging in as you or something like Administrator?
If that's the case, then add Administrator as Permissions Admin and Service Account
I log into the Exchange Server as Administrator
gennifer,

You are correct. The Exchange Service account is the only account that *must* be in that context.

However, in order to administer the server, you should create a new NT account.

From User Manager for Domains, make sure you are connected to the accounts domain (that should be the default) rather than the local machine. Select the Administrator account and hit F8. This creates a copy of the Administrator account. Name the new account something like ExAdmin, or whatever. If you are very security conscious you could call it something less conspicuous like ‘Fred Garvin’. Give the account your super-secret alphanumeric password.

Open the Exchange Administrator program and put the new account into the 3 security contexts with Permissions Admin rights. Use this account to administer Exchange.

You should be good to go at this point.

Darin

And, by the way, you may need to give the new account the right to log on locally to the Exchange server. At the job I just left, we always had Domain Admins with the right to log on locally. The domain Administrator account was a member of Domain Admins.

Darin
Will do. Thank you so much for your help and in-depth knowledge.

;~)
My pleasure :)

Get ajcortez to re-post his comment about the security context as the answer. You can award him/her the points and we can close this puppy.

Darin
ASKER CERTIFIED SOLUTION
ajcortez
Keep up the great work!
AJC,

Nah, you get the prize for being first on with the answer. I don't mind helping out with some of the finer details of your answer.

Darin
Thanks gennifer, now don't let anyone touch that server EVER again :)
Darin, you're a gentleman and a scholar.
Now let's all go home.

AJC