Solved

Outlook 98 Inbox Security

Posted on 1999-01-26
Last Modified: 2010-04-07
I am running Outlook 98 (ver 8.5.5104.6) on Windows NT 4.0 Workstation which communicates to an Exchange 5.5 (spk 1) Server. How can I prevent the following?:
When a user clicks on the File menu and chooses Open, Other User's Folder, they can open anyone's Inbox.
Question by:gennifer
38 Comments
 
LVL 9

Expert Comment

by:david_levine
Try this:

Start Exchange Administrator and click on your Site. Then click on File | Properties. Then click on the Permissions Tab. Make sure that your domain users do NOT have User rights within Exchange Server. If they do, anyone will be able to open anyone else's inbox.

Let me know if that is the case or not.

Author Comment

by:gennifer
Thanks for the reply. I have checked what you explain and in fact 'Domain Users' had 'User' rights. I removed domain users from the permissions tab. But, people can still freely open each others' Inbox!

LVL 9

Expert Comment

by:david_levine
They might need to log out / in to lose it. You might also want to re-boot the server as well. If that still doesn't work, reject my answer and see if someone else can help.

David

Author Comment

by:gennifer
This had no effect. Is there anything else that I can try?

LVL 1

Expert Comment

by:ajcortez
A few questions. First, are your clients storing their mail in a .pst (i.e., they have Personal Folders as a Service)? If so, are the .pst files on the server? If they are using the Exchange folders for their mail, right-click on the user's Inbox in the Folder View. Select Properties, and then Permissions. Is the default permission set to None? Are there any permissions listed?

Depending on those answers, I may have a solution.

AJC

Author Comment

by:gennifer
I am running the following services in Outlook 98:

Microsoft Exchange Server
Outlook Address Book
Personal Address Book

All clients have .pst files on their local drives, none are stored on the server. The properties for their mail (Exchange folders) is set for 'Default - none'. There is one permission listed and it is the clients name with properties set for owner.

Any help on this matter is much appreciated.

Thanks,
Gennifer

LVL 1

Expert Comment

by:ajcortez
Hrmm... Since you don't have Personal Folders listed as a Service, then those .pst files should be moot. Their mail, by that setup, is being delivered to "Mailbox - Username." The Permissions shouldn't need to include the username. Just to be sure, go down one level in the folders to Inbox. Check properties there too, it should only have "Default - None" as the permission.

If that's the case, I think we may need to look back at Services, Exchange Server, Advanced and see what Logon Network Security is set to.

Keep at it.

AJC

Author Comment

by:gennifer
The permissions are set to "Default - None". Do I need to check something on the Exchange Server? Every client is able to open each other's 'Inbox', etc. This is not good! Help, please!

Thanks,
Gennifer

LVL 1

Expert Comment

by:ajcortez
On the client still, check out Services, Microsoft Exchange Server, Advanced.  What does it say at the bottom regarding Logon Network Security?

AJC

Author Comment

by:gennifer
It says NT Password Authentication.

LVL 1

Expert Comment

by:ajcortez
Another question or two. What service pack are you running on the NT Server where Exchange resides?  NT Server SP4 had some authentication issues with Exchange.  MS has a patch available if that is the case.

Secondly, in the directory on that server, what are the user rights?

Persistence counts
AJC

Author Comment

by:gennifer
Exchange 5.5 with SPK1 running on NT Server 4.0 with SPK4. In regards to your second question: What directory are you referring to? User rights: Domain Users and Everyone are set to READ for a CLIENT directory. Other than that, permissions are set for Admin, etc.

LVL 1

Expert Comment

by:ajcortez
I checked with an Exchange guru.  He seems to think the problem is in the Exchange Container Permissions.  He thinks there is a group - likely Everyone - that has Service Rights to mail container.  You will need to go to that container and reset those rights.  Does any of this make sense to you?

AJC

Author Comment

by:gennifer
The concept makes sense, but this simply is not the case. Unless I'm overlooking something - how do I go about checking the Exchange Container Permissions?

LVL 1

Expert Comment

by:ajcortez
Try this
====
Start the Microsoft Exchange Administrator program.

On the Tools menu, click Options, and click the Permissions tab.

Make sure that the "Show Permissions Page for All Objects" and the "Display Rights for Roles on Permissions Page" check boxes are selected.

Next, choose the mailbox that needs to be opened by an additional user.

Select the Recipients container, and select the mailbox.

Double-click on the mailbox, or highlight the object and on the File menu, click Properties. Click on the Permissions tab.

In the "Windows NT accounts with Permissions" dialog box, click Add or Remove.

Select the Windows NT account to which you want to give access to the mailbox. Click Add, and click OK.
====
AJC



Author Comment

by:gennifer
After doing what you suggested and rebooting the client and server, it had no effect.

LVL 1

Expert Comment

by:ajcortez
In a word...bugger.

OK, what WERE the permissions set to?  Remember that permissions cascade down.  So if the users have rights granted from above they'll apply all the way down.  

Talked to two more Exchange admins.  They think it's in those permissions somewhere.  One more thing to check.  How are the users accessing the Exchange server?  Are they getting in as a group or individually?

If this is too much for a Friday night.  Worry about it next week.

AJC

Author Comment

by:gennifer
Thanks for the persistence. All clients are accessing the server individually not as a group(s).
I will poke around with permissions and see what I can discover.

;~(

Look forward to chatting next week.

LVL 1

Expert Comment

by:ajcortez
Once more into the breach...

Ok gennifer, there are quite a few places for inherited rights to be causing this trouble. The best way is to start from the top and work your way down.

In Exchange Admin, on the left side of the screen, go to the top level container. Under File, check Properties, Permissions. You will have quite a few containers to move to depending on how big the system is. Check Configuration, and Servers. The Service Level permission has been granted to a group there. The next thing to check is to see to what groups your users belong. It's a bit cumbersome, but it's buried in there somewhere.

By the way, I don't think you mentioned how big this system is.  How many users/servers are we talking about?

Good luck
AJC

LVL 6

Expert Comment

by:reddarin
astolfo,

There are only two ways to recover the information. Just so you know where I am coming from... I worked in Back Office Support for Microsoft Exchange. Several times I had network administrators on the phone that had their butts hanging in the wind because of something they had done that hosed the OST file(s). There is no true recovery for OST files. Period.

If the OST is truly orphaned, there is ONLY one way to try to get the information back: Restore the workstation from tape backup and log on by choosing ‘work off-line’. That’s it. There is no recovery, just restore and work off-line to get to the information.

The second possible way to get into the OST file <sort of time critical>: if you haven’t logged on to a new mailbox with the original profile, you can log on and choose work off-line. Export the information to a file and exit your session. This normally isn’t an option because as soon as you log on to the new mailbox with the original profile the old OST file is no longer accessible.

As a matter of fact, as a BOS engineer and a network administrator, I usually had the end user create a new profile. That left the old one intact and if it was necessary (about the time the user said ‘Oh my gosh, where are those emails I had created?’) we can log on to the old profile and work off-line to get the old email. No slight to the end user, it was my job to know about this type of issue not theirs.

gennifer,

Since the answer has been posted already, I'll post as a comment and clarify what has been said.

If all users can see all other users' mailbox folders, then it is indeed a permissions issue on the Exchange Server.

There are 3 security contexts in Exchange. Open the Admin program. The top level object, and the first security context, is the Organization container. It is the highest level object on the right hand side. In my test environment, I have named it Yellowstone. The second security context is the Site Container, called BigBend on my test box. The third security context is the Configuration container. That is where your problem lies. The other two security contexts may be screwed up on your Exchange server, but this is the only one that would allow all users to see all users' mailboxes if it is not set correctly.

If you haven’t exposed the permissions tab, do so now by clicking on Tools -> Options, then click the Permissions tab, then click the ‘Show Permissions page for all objects’ check box in the middle of the screen. You should also expose the rights by checking the second box there ‘Display rights for roles on Permissions page’.

Click on the Configuration container. Click on File->Properties. Click the Permissions tab. You will need to closely review the list box titled ‘Windows NT accounts with permissions’. This is where the users are getting permissions to see anyone’s mailbox.

One scenario off hand that I can think of that would give you the problem you are having is… Domain Users group has been added here. The only account that must be in this context is the service account. Remove all other accounts. Create a new account called ‘emergency’ or some such. Add it to the context. Now have someone log off of their machine and log back on. Start Outlook and try to open someone else’s folder.

Darin


Author Comment

by:gennifer
I have checked the permissions on the Configuration Container as you have noted and found that there was an Administrator account with 'Permissions Administration' rights. I removed this and now people can't login to Outlook. Something about unable to open folders and insufficient rights to login.

Your help on this is much appreciated. I really am lucky that you are so nice to me on this matter and your persistence is amazing!

;~)

LVL 6

Expert Comment

by:reddarin
Ah, so you have found the guilty account. Are you sure the account is not 'Administrators' with an 's'?

It looks like the group everyone is part of the administrators group and that is how they are accessing all mailboxes.

Check one of the mailboxes properties by double clicking on it in the admin program. At the bottom of the mailbox properties page you will see the NT Account associated with the mailbox. What account is it? Is it the administrators account? Is it blank?

Darin

Author Comment

by:gennifer
I think that by removing the Admin. account with 'Permissions Admin.' from the Configuration Container did the trick! Thanks to you!

Now, by removing this: Is there any downside? Why was it put there in the first place? It was a default install.

I've checked the recipients and none have 'Admin' rights or belong to an Admin. group, so we should be in good shape.

LVL 1

Expert Comment

by:ajcortez
Ooops.. That's one you should have held. You'll need to recreate that account. Since you are Admin of Exchange, add yourself with Permissions Administrator rights. Here is the MS explanation of what the roles are.  Hope this helps.  

Article ID: Q168753

AJC

Author Comment

by:gennifer
Oh darn! I've tried adding myself 'Gennifer' (I have admin rights), but an error message pops up: the dialog box is 'Microsoft Exchange Administrator' and the message displayed is:
'You do not have the permissions required to complete the operation'
'Microsoft Exchange Directory ID no DS_E_INSUFFICIENT_ACCESS_RIGHTS'

LVL 6

Expert Comment

by:reddarin
Hmmm. Do you know what account is the Exchange Service account? You can find that information by looking at the properties of the configuration container and clicking on the Service Account Password tab. That will show you the account being used as the Service Account.

Is that the account that you removed from the security context? If it was, put it back NOW. No kidding. Hurry.

Let me know.

Darin

LVL 6

Expert Comment

by:reddarin
You will have to log in as the Service Account to make those changes now. Can you view the properties of the configuration object?

Darin

Author Comment

by:gennifer
The only account in the Configuration Container is 'Exchange Services' with 'Service Account Admin.' rights. I believe that this should be the ONLY account for this container. Is this correct?

LVL 1

Expert Comment

by:ajcortez
When you log in to the Exchange Server are you logging in as you or something like Administrator?
If that's the case, then  add Administrator as Permissions Admin and Service Account

Author Comment

by:gennifer
I log into the Exchange Server as Administrator

LVL 6

Expert Comment

by:reddarin
gennifer,

You are correct. The Exchange Service account is the only account that *must* be in that context.

However, in order to administer the server, you should create a new NT account.

From User Manager for Domains, make sure you are connected to the accounts domain (that should be the default) rather than the local machine. Select the Administrator account and hit F8. This creates a copy of the Administrator account. Name the new account something like ExAdmin, or whatever. If you are very security conscious you could call it something less conspicuous like ‘Fred Garvin’. Give the account your super-secret alphanumeric password.

Open the Exchange administrator program and put the new account into the 3 security contexts with Permissions Admin rights. Use this account to administer Exchange.

You should be good to go at this point.

Darin


LVL 6

Expert Comment

by:reddarin
And, by the way, you may need to give the new account the right to log on locally to the Exchange server. At the job I just left, we always had Domain Admins with the right to log on locally. The domain Administrator account was a member of Domain Admins.

Darin

Author Comment

by:gennifer
Will do. Thank you so much for your help and in-depth knowledge.

;~)

LVL 6

Expert Comment

by:reddarin
My pleasure :)

Get ajcortez to re-post his comment about the security context as the answer. You can award him/her the points and we can close this puppy.

Darin

LVL 1

Accepted Solution

by:
ajcortez earned 50 total points
So it WAS in the container settings after all. Darin deserves a share for his excellent details. So, I'll gladly accept gennifer's points, unless she wishes to give them to reddarin for spiking home my volley. In that case just reject this, gennifer and accept an answer from reddarin. I'll go with it either way.

If you do accept this gennifer, and darin does want to share the points, I'll post a question for you to answer and receive your part.

At long last... victory.

AJC

Author Comment

by:gennifer
Keep up the great work!

LVL 6

Expert Comment

by:reddarin
AJC,

Nah, you get the prize for being first on with the answer. I don't mind helping out with some of the finer details of your answer.

Darin

LVL 1

Expert Comment

by:ajcortez
Thanks gennifer, now don't let anyone touch that server EVER again :)
Darin, you're a gentleman and a scholar.
Now let's all go home.

AJC
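
Added example, not part of the original thread and not Microsoft tooling: a short Python check for the two lessons the thread ends on, namely reviewing who holds roles in the Organization, Site and Configuration contexts, and confirming before a removal that an account you can log on as will still be able to edit permissions. The ACL layout, the `audit` and `safe_to_remove` helpers and the sample entries are constructed for illustration; treating 'Permissions Admin' and 'Service Account Admin' as the roles that can still edit permissions is an assumption drawn from the comments above.

```python
# Constructed sample: container -> [(NT account, role)], as read off each
# Permissions tab. Account and role names follow the thread; the layout is assumed.
SAMPLE_ACL = {
    "Organization": [("Exchange Services", "Service Account Admin")],
    "Site": [("Exchange Services", "Service Account Admin"),
             ("Domain Users", "User")],
    "Configuration": [("Exchange Services", "Service Account Admin"),
                      ("Administrator", "Permissions Admin")],
}
CONTEXTS = ("Organization", "Site", "Configuration")
BROAD_GROUPS = {"Domain Users", "Everyone", "Administrators"}
# Assumption drawn from the thread: holders of these roles can still edit permissions.
CAN_EDIT_PERMISSIONS = {"Permissions Admin", "Service Account Admin"}


def audit(acl, service_account, exchange_admins=frozenset()):
    """List (container, account, reason) entries that deserve a second look."""
    findings = []
    for container in CONTEXTS:
        for account, role in acl.get(container, []):
            if account in BROAD_GROUPS:
                findings.append((container, account, f"broad group holds '{role}'"))
            elif account != service_account and account not in exchange_admins:
                findings.append((container, account, f"unexpected account holds '{role}'"))
    return findings


def safe_to_remove(acl, container, account, logon_accounts):
    """True if, once `account` is removed from `container`, an account the
    operator can log on as still holds a role that can edit permissions there."""
    remaining = [(a, r) for a, r in acl.get(container, []) if a != account]
    return any(a in logon_accounts and r in CAN_EDIT_PERMISSIONS
               for a, r in remaining)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, "Exchange Services", {"ExAdmin"}):
        print(finding)
    # Removing Administrator while only able to log on as Administrator: lockout.
    print(safe_to_remove(SAMPLE_ACL, "Configuration", "Administrator",
                         {"Administrator"}))
```

Run against the sample, the removal check returns False for an operator who can only log on as Administrator, which is the situation that produced the DS_E_INSUFFICIENT_ACCESS_RIGHTS error in the thread.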