• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 248
  • Last Modified:

Exchange Permissions...

I had a consultant install Exchange2k on a server and it seems he has all my administrtive/system accounts all messed up.

For instance, any one can add anyone eles to outlook and check thier mail... not good.

Any ideas how I can set everything back to default, or at least fix my current problem?

Thanks in Advance,
ATM
0
atmear
Asked:
atmear
  • 12
  • 9
1 Solution
 
kevalaCommented:
Check the mailbox store properties, on the security tab, see what kind of permissions the authenticated users group, the everyone group, or the domain users group have.
If any of the above groups have full control, that will be the symptom.

Hope this helps!
0
 
atmearAuthor Commented:
Well,

It seems the "Authernticated Users" in the security tab doesn't have Full Control... but it seems that they may have too much control. What would be the correct setting(s) for this type of user group?

Thank You
0
 
kevalaCommented:
By default, the Authenticated Users do not have ANY permissions on the mailbox store....
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
atmearAuthor Commented:
Soooo.... should I remove them? and at that note, it seems they are actually inharited...
0
 
kevalaCommented:
Remove the Authenticated Users group from the mailbox store, by default it is not there, and i'm not sure why they would be. I hope they weren't delegated rights at the organization level, if so, i wonder why......
0
 
atmearAuthor Commented:
I am going to do that now.... No telling why they were added in. Any idea what could or may happen by this change if it was delegated at the organizational level? Or in other words, do you have any words of advise to give prior to me pulling that out?
0
 
kevalaCommented:
Well i can tell you that my 20 VM's, three lab servers, and all my customer's server do not have the Authenticated Users group or the domain users group with permissions specified on the mailbox store.....and they all run fine. Now i don't know why it was added there, that's why i was saying "by default" - but if the authenticated users have permissions on the mailbox store, that means they have those rights on ANY mailbox on that store.....
0
 
atmearAuthor Commented:
HEY... It's you again... hehehehe

I am removing it now!
0
 
atmearAuthor Commented:
Alrighty... not sure how fast the change should have worked after pulling out the Auth. Users... but I will still able to go to another standard users computer, and say Open, users folder, type in another associates name and it came right up....
0
 
kevalaCommented:
They have rights somewhere, i'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no uneccessary groups on the mailbox store with any unusual rights. Like the domain users, authenticated users, groups that those users are a member of.....
0
 
kevalaCommented:
They have rights somewhere, i'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no uneccessary groups on the mailbox store with any unusual rights. Like the domain users, authenticated users, groups that those users are a member of.....
0
 
atmearAuthor Commented:
After taking that out, users are now complaining they do not have rights to log in.... not good....

What are your suggestions... It is obvious this is completely setup wrong...

Let me know

TY
0
 
atmearAuthor Commented:
The accounts in that security tab are as follows:

NetAdmin
Server Operators (TT-GAMMA\Server Operators)
TT-GAMMA$ (edited name\TT-GAMMA$)

The first one (netadmin)is the main Enterprise Admin privliged Admin account.

That is all that is in there....
0
 
atmearAuthor Commented:
I went ahead and added it back.... so users would work again.... Dohhh
0
 
kevalaCommented:
Are the three accounts listed above the only ones there????????
0
 
atmearAuthor Commented:
Yes... They are the only one's listed directly on the store. If I goto the organization, there quite abit more. I will get those and list them shortly.
0
 
atmearAuthor Commented:
on a side note... the recieving of email is very slow.... sending is fine.
0
 
kevalaCommented:
Here are the default permissions on the mailbox store....

Administrator - Full Control / minus send as and receive as
Domain Admins - Everything but Full Control and send as /received

Enterprise Admins - Full Control minus send as and receive as

Everyone - Creat named properties in the information store

Exchange Domain Servers:
Read
Execute
Read permissions
Create children
List contents
Read properties
Open mail send queue
Administer information store
Create named properties in the information store
View information store status
Receive As
Send As

Exchange Services (group) - FULL Control
Machine account - FULL Control


if this helps....you'll see that authenticated users and domain users do not get applied any kind of permissions directly on the store - other than the everyone group getting that one right......
0
 
kevalaCommented:
atmear, how's it going?
0
 
atmearAuthor Commented:
I have not had a chance to get back into this... stuck on a cisco project. I actually, got approval to purchase a 6 incident pack of MS support. But... for some reason the stinking web site will not let me purchase them... hummmm...
0
 
atmearAuthor Commented:
Sorry for the time it took to reward these points...

For all other reviewing this PAQ... What my problem boiled down to was that my permissions were just all wrong... After 2 or three reinstalls and or complete rebuilds, I got my permissions back into shape.

0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 12
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now