Solved

Outlook 98 Inbox Security

Posted on 1999-01-26
Last Modified: 2010-04-07
I am running Outlook 98 (ver 8.5.5104.6) on Windows NT 4.0 Workstation which communicates to an Exchange 5.5 (spk 1) Server. How can I prevent the following?:
When a user clicks on the File menu and chooses Open, Other User's Folder, they can open anyone's Inbox.
Question by:gennifer
38 Comments
 
LVL 9

Expert Comment

by:david_levine
ID: 1622747
Try this:

Start Exchange Administrator and click on your Site. Then click on File | Properties. Then click on the Permissions Tab. Make sure that your domain users do NOT have User rights within Exchange Server. If they do, anyone will be able to open anyone else's inbox.

Let me know if that is the case or not.
0
 

Author Comment

by:gennifer
ID: 1622748
Thanks for the reply. I have checked what you explain and in fact 'Domain Users' had 'User' rights. I removed domain users from the permissions tab. But, people can still freely open each others' Inbox!
0
 
LVL 9

Expert Comment

by:david_levine
ID: 1622749
They might need to log out / in to lose it. You might also want to re-boot the server as well. If that still doesn't work, reject my answer and see if someone else can help.

David
0

 

Author Comment

by:gennifer
ID: 1622750
This had no effect. Is there anything else that I can try?
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622751
A few questions. First, are your clients storing their mail in a .pst (i.e., they have Personal Folders as a Service)? If so, are the .pst files on the server? If they are using the Exchange folders for their mail, right-click on the user's Inbox in the Folder View. Select Properties, and then Permissions. Is the default permission set to None? Are there any permissions listed?

Depending on those answers, I may have a solution.

AJC
0
 

Author Comment

by:gennifer
ID: 1622752
I am running the following services in Outlook 98:

Microsoft Exchange Server
Outlook Address Book
Personal Address Book

All clients have .pst files on their local drives, none are stored on the server. The properties for their mail (Exchange folders) are set for 'Default - none'. There is one permission listed and it is the client's name with properties set for owner.

Any help on this matter is much appreciated.

Thanks,
Gennifer
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622753
Hrmm... Since you don't have Personal Folders listed as a Service, then those .pst files should be moot. Their mail, by that setup, is being delivered to "Mailbox - Username." The Permissions shouldn't need to include the username. Just to be sure, go down one level in the folders to Inbox. Check properties there too, it should only have "Default - None" as the permission.

If that's the case, I think we may need to look back at Services, Exchange Server, Advanced and see what Logon Network Security is set to.

Keep at it.

AJC
0
 

Author Comment

by:gennifer
ID: 1622754
The permissions are set to "Default - None". Do I need to check something on the Exchange Server? Every client is able to open each other's 'Inbox', etc. This is not good! Help, please!

Thanks,
Gennifer
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622755
On the client still, check out Services, Microsoft Exchange Server, Advanced.  What does it say at the bottom regarding Logon Network Security?

AJC
0
 

Author Comment

by:gennifer
ID: 1622756
It says NT Password Authentication.
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622757
Another question or two. What service pack are you running on the NT Server where Exchange resides?  NT Server SP4 had some authentication issues with Exchange.  MS has a patch available if that is the case.

Secondly, in the directory on that server, what are the user rights?

Persistence counts
AJC
0
 

Author Comment

by:gennifer
ID: 1622758
Exchange 5.5 with SPK1 running on NT Server 4.0 with SPK4. In regards to your second question: What directory are you referring to? For user rights, Domain Users and Everyone are set to READ for a CLIENT directory. Other than that, permissions are set for Admin, etc.
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622759
I checked with an Exchange guru.  He seems to think the problem is in the Exchange Container Permissions.  He thinks there is a group - likely Everyone - that has Service Rights to mail container.  You will need to go to that container and reset those rights.  Does any of this make sense to you?

AJC
0
 

Author Comment

by:gennifer
ID: 1622760
The concept makes sense, but this simply is not the case. Unless I'm overlooking something - how do I go about checking the Exchange Container Permissions?
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622761
Try this
====
Start the Microsoft Exchange Administrator program.

On the Tools menu, click Options, and click the Permissions tab.

Make sure that the "Show Permissions Page for All Objects" and the "Display Rights for Roles on Permissions Page" check boxes are selected.

Next, choose the mailbox that needs to be opened by an additional user.

Select the Recipients container, and select the mailbox.

Double-click on the mailbox, or highlight the object and on the File menu, click Properties. Click on the Permissions tab.

In the "Windows NT accounts with Permissions" dialog box, click Add or Remove.

Select the Windows NT account to which you want to give access to the mailbox. Click Add, and click OK.
====
AJC


0
 

Author Comment

by:gennifer
ID: 1622762
After doing what you suggested and rebooting the client and server, it had no effect.
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622763
In a word...bugger.

OK, what WERE the permissions set to?  Remember that permissions cascade down.  So if the users have rights granted from above they'll apply all the way down.  

Talked to two more Exchange admins.  They think it's in those permissions somewhere.  One more thing to check.  How are the users accessing the Exchange server?  Are they getting in as a group or individually?

If this is too much for a Friday night.  Worry about it next week.

AJC
0
 

Author Comment

by:gennifer
ID: 1622764
Thanks for the persistence. All clients are accessing the server individually not as a group(s).
I will poke around with permissions and see what I can discover.

;~(

Look forward to chatting next week.
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622765
Once more into the breach...

Ok gennifer, there are quite a few places for inherited rights to be causing this trouble. The best way is to start from the top and work your way down.

In Exchange Admin, on the left side of the screen, go to the top level container. Under File, check Properties, Permissions. You will have quite a few containers to move to depending on how big the system is. Check Configuration, and Servers. The Service Level permission has been granted to a group there. The next thing to check is to see what groups your users belong to. It's a bit cumbersome, but it's buried in there somewhere.

By the way, I don't think you mentioned how big this system is.  How many users/servers are we talking about?

Good luck
AJC
0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622766
astolfo,

There are only two ways to recover the information. Just so you know where I am coming from... I worked in Back Office Support for Microsoft Exchange. Several times I had network administrators on the phone that had their butts hanging in the wind because of something they had done that hosed the OST file(s). There is no true recovery for OST files. Period.

If the OST is truly orphaned, there is ONLY one way to try to get the information back: Restore the workstation from tape backup and log on by choosing ‘work off-line’. That’s it. There is no recovery, just restore and work off-line to get to the information.

The second possible way to get into the OST file <sort of time critical>: if you haven’t logged on to a new mailbox with the original profile, you can log on and choose work off-line. Export the information to a file and exit your session. This normally isn’t an option because as soon as you log on to the new mailbox with the original profile the old OST file is no longer accessible.

As a matter of fact, as a BOS engineer and a network administrator, I usually had the end user create a new profile. That left the old one intact and if it was necessary (about the time the user said ‘Oh my gosh, where are those emails I had created?’) we can log on to the old profile and work off-line to get the old email. No slight to the end user, it was my job to know about this type of issue not theirs.

gennifer,

Since the answer has been posted already, I'll post as a comment and clarify what has been said.

If all users can see all other users' mailbox folders, then it is indeed a permissions issue on the Exchange Server.

There are 3 security contexts in Exchange. Open the Admin program. The top level object, and the first security context, is the Organization container. It is the highest level object on the right hand side. In my test environment, I have named it Yellowstone. The second security context is the Site Container, called BigBend on my test box. The third security context is the Configuration container. That is where your problem lies. The other two security contexts may be screwed up on your Exchange server, but this is the only one that would allow all users to see all users' mailboxes if it is not set correctly.

If you haven’t exposed the permissions tab, do so now by clicking on Tools -> Options, then click the Permissions tab, then click the ‘Show Permissions page for all objects’ check box in the middle of the screen. You should also expose the rights by checking the second box there ‘Display rights for roles on Permissions page’.

Click on the Configuration container. Click on File->Properties. Click the Permissions tab. You will need to closely review the list box titled ‘Windows NT accounts with permissions’. This is where the users are getting permissions to see anyone’s mailbox.

One scenario off hand that I can think of that would give you the problem you are having is… Domain Users group has been added here. The only account that must be in this context is the service account. Remove all other accounts. Create a new account called ‘emergency’ or some such. Add it to the context. Now have someone log off of their machine and log back on. Start Outlook and try to open someone else’s folder.

Darin

0
 

Author Comment

by:gennifer
ID: 1622767
I have checked the permissions on the Configuration Container as you have noted and found that there was an Administrator account with 'Permissions Administration' rights. I removed this and now people can't login to Outlook. Something about unable to open folders and insufficient rights to login.

Your help on this is much appreciated. I really am lucky that you are so nice to me on this matter and your persistence is amazing!

;~)
0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622768
Ah, so you have found the guilty account. Are you sure the account is not 'Administrators' with an 's'?

It looks like the group everyone is part of the administrators group and that is how they are accessing all mailboxes.

Check one of the mailboxes properties by double clicking on it in the admin program. At the bottom of the mailbox properties page you will see the NT Account associated with the mailbox. What account is it? Is it the administrators account? Is it blank?

Darin
0
 

Author Comment

by:gennifer
ID: 1622769
I think that removing the Admin. account with 'Permissions Admin.' from the Configuration Container did the trick! Thanks to you!

Now, by removing this: Is there any downside? Why was it put there in the first place? It was a default install.

I've checked the recipients and none have 'Admin' rights or belong to an Admin. group, so we should be in good shape.
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622770
Ooops.. That's one you should have held. You'll need to recreate that account. Since you are Admin of Exchange, add yourself with Permissions Administrator rights. Here is the MS explanation of what the roles are.  Hope this helps.  

Article ID: Q168753

AJC
0
 

Author Comment

by:gennifer
ID: 1622771
Oh darn! I've tried adding myself 'Gennifer' (I have admin rights), but an error message pops up: the dialog box is 'Microsoft Exchange Administrator' and the message displayed is:
'You do not have the permissions required to complete the operation'
'Microsoft Exchange Directory ID no DS_E_INSUFFICIENT_ACCESS_RIGHTS'
0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622772
Hmmm. Do you know what account is the Exchange Service account? You can find that information by looking at the properties of the configuration container and clicking on the Service Account Password tab. That will show you the account being used as the Service Account.

Is that the account that you removed from the security context? If it was, put it back NOW. No kidding. Hurry.

Let me know.

Darin
0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622773
You will have to log in as the Service Account to make those changes now. Can you view the properties of the configuration object?

Darin
0
 

Author Comment

by:gennifer
ID: 1622774
The only account in the Configuration Container is 'Exchange Services' with 'Service Account Admin.' rights. I believe that this should be the ONLY account for this container. Is this correct?
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622775
When you log in to the Exchange Server are you logging in as you or something like Administrator?
If that's the case, then add Administrator as Permissions Admin and Service Account.
0
 

Author Comment

by:gennifer
ID: 1622776
I log into the Exchange Server as Administrator
0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622777
gennifer,

You are correct. The Exchange Service account is the only account that *must* be in that context.

However, in order to administer the server, you should create a new NT account.

From User Manager for Domains, make sure you are connected to the accounts domain (that should be the default) rather than the local machine. Select the Administrator account and hit F8. This creates a copy of the Administrator account. Name the new account something like ExAdmin, or whatever. If you are very security conscious you could call it something less conspicuous like ‘Fred Garvin’. Give the account your super-secret alphanumeric password.

Open the Exchange administrator program and put the new account into the 3 security contexts with Permissions Admin rights. Use this account to administer Exchange.

You should be good to go at this point.

Darin

0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622778
And, by the way, you may need to give the new account the right to log on locally to the Exchange server. At the job I just left, we always had Domain Admins with the right to log on locally. The domain Administrator account was a member of Domain Admins.

Darin
0
 

Author Comment

by:gennifer
ID: 1622779
Will do. Thank you so much for your help and in-depth knowledge.

;~)
0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622780
My pleasure :)

Get ajcortez to re-post his comment about the security context as the answer. You can award him/her the points and we can close this puppy.

Darin
0
 
LVL 1

Accepted Solution

by:
ajcortez earned 50 total points
ID: 1622781
So it WAS in the container settings after all. Darin deserves a share for his excellent details. So, I'll gladly accept gennifer's points, unless she wishes to give them to reddarin for spiking home my volley. In that case just reject this, gennifer, and accept an answer from reddarin. I'll go with it either way.

If you do accept this gennifer, and darin does want to share the points, I'll post a question for you to answer and receive your part.

At long last... victory.

AJC
0
 

Author Comment

by:gennifer
ID: 1622782
Keep up the great work!
0
 
LVL 6

Expert Comment

by:reddarin
ID: 1622783
AJC,

Nah, you get the prize for being first on with the answer. I don't mind helping out with some of the finer details of your answer.

Darin
0
 
LVL 1

Expert Comment

by:ajcortez
ID: 1622784
Thanks gennifer, now don't let anyone touch that server EVER again :)
Darin, you're a gentleman and a scholar.
Now let's all go home.

AJC
0
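
A simplified model of the check described in the thread: flag every account other than the service account in a security context, expand nested NT groups to see which users the entry really reaches, and test whether removing an entry would lock the operator out, as happened to the asker. This is an added example, not part of the thread and not an Exchange tool; the ACL and group data are constructed, and treating both 'Permissions Admin' and 'Service Account Admin' as roles that can edit permissions is an assumption inferred from the replies above.

```python
# Simplified audit model; every account, group and ACL below is constructed.
SERVICE_ACCOUNT = "Exchange Services"
# Assumption from the thread: these roles can change a context's permissions.
CAN_EDIT_PERMISSIONS = {"Permissions Admin", "Service Account Admin"}

# NT group -> members (a member may itself be a group).
GROUPS = {
    "Administrators": ["Administrator", "Everyone"],
    "Everyone": ["gennifer", "alice", "bob", "Administrators"],  # deliberate cycle
}

# Security context -> list of (account, role) entries on its Permissions tab.
CONTEXTS = {
    "Organization": [("Exchange Services", "Service Account Admin")],
    "Site": [("Exchange Services", "Service Account Admin")],
    "Configuration": [
        ("Exchange Services", "Service Account Admin"),
        ("Administrators", "Permissions Admin"),
    ],
}


def expand(principal, groups, seen=None):
    """Return the individual accounts behind a principal, following nested groups."""
    seen = set() if seen is None else seen
    if principal in seen:  # already visited: stops group-nesting loops
        return set()
    seen.add(principal)
    if principal not in groups:
        return {principal}
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def audit(contexts, groups, service_account=SERVICE_ACCOUNT):
    """List every non-service entry with the users it effectively covers."""
    findings = []
    for context, acl in contexts.items():
        for account, role in acl:
            if account != service_account:
                reach = sorted(expand(account, groups))
                findings.append((context, account, role, reach))
    return findings


def removal_locks_out(contexts, groups, context, account, operator):
    """True if removing `account` leaves `operator` unable to edit `context`."""
    remaining = [(a, r) for a, r in contexts[context] if a != account]
    return not any(
        r in CAN_EDIT_PERMISSIONS and operator in expand(a, groups)
        for a, r in remaining
    )
```

Running `removal_locks_out` before deleting an entry shows whether a dedicated admin account needs to be added to the context first.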
