Solved

Exchange Permissions...

Posted on 2002-06-24
Last Modified: 2010-03-05
I had a consultant install Exchange2k on a server and it seems he has all my administrative/system accounts all messed up.

For instance, anyone can add anyone else to Outlook and check their mail... not good.

Any ideas how I can set everything back to default, or at least fix my current problem?

Thanks in Advance,
ATM
0
Question by:atmear
21 Comments
 
LVL 10

Expert Comment

by:kevala
ID: 7107537
Check the mailbox store properties, on the security tab, see what kind of permissions the authenticated users group, the everyone group, or the domain users group have.
If any of the above groups have full control, that will be the symptom.

Hope this helps!
0
 

Author Comment

by:atmear
ID: 7107951
Well,

It seems the "Authenticated Users" in the security tab doesn't have Full Control... but it seems that they may have too much control. What would be the correct setting(s) for this type of user group?

Thank You
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108159
By default, the Authenticated Users do not have ANY permissions on the mailbox store....
0
 

Author Comment

by:atmear
ID: 7108351
Soooo.... should I remove them? And on that note, it seems they are actually inherited...
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108375
Remove the Authenticated Users group from the mailbox store; by default it is not there, and I'm not sure why they would be. I hope they weren't delegated rights at the organization level; if so, I wonder why......
0
 

Author Comment

by:atmear
ID: 7108389
I am going to do that now.... No telling why they were added in. Any idea what could or may happen by this change if it was delegated at the organizational level? Or in other words, do you have any words of advice to give prior to me pulling that out?
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108519
Well, I can tell you that my 20 VMs, three lab servers, and all my customers' servers do not have the Authenticated Users group or the Domain Users group with permissions specified on the mailbox store.....and they all run fine. Now I don't know why it was added there, that's why I was saying "by default" - but if the Authenticated Users have permissions on the mailbox store, that means they have those rights on ANY mailbox on that store.....
0
 

Author Comment

by:atmear
ID: 7108562
HEY... It's you again... hehehehe

I am removing it now!
0
 

Author Comment

by:atmear
ID: 7108571
Alrighty... not sure how fast the change should have worked after pulling out the Auth. Users... but I was still able to go to another standard user's computer, and say Open, users folder, type in another associate's name and it came right up....
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108775
They have rights somewhere, I'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no unnecessary groups on the mailbox store with any unusual rights. Like the Domain Users, Authenticated Users, groups that those users are a member of.....
0
 

Author Comment

by:atmear
ID: 7108916
After taking that out, users are now complaining they do not have rights to log in.... not good....

What are your suggestions... It is obvious this is completely set up wrong...

Let me know

TY
0
 

Author Comment

by:atmear
ID: 7108924
The accounts in that security tab are as follows:

NetAdmin
Server Operators (TT-GAMMA\Server Operators)
TT-GAMMA$ (edited name\TT-GAMMA$)

The first one (NetAdmin) is the main Enterprise Admin privileged Admin account.

That is all that is in there....
0
 

Author Comment

by:atmear
ID: 7108961
I went ahead and added it back.... so users would work again.... Dohhh
0
 
LVL 10

Expert Comment

by:kevala
ID: 7109019
Are the three accounts listed above the only ones there????????
0
 

Author Comment

by:atmear
ID: 7110445
Yes... They are the only ones listed directly on the store. If I go to the organization, there are quite a bit more. I will get those and list them shortly.
0
 

Author Comment

by:atmear
ID: 7112013
On a side note... the receiving of email is very slow.... sending is fine.
0
 
LVL 10

Accepted Solution

by:
kevala earned 150 total points
ID: 7118734
Here are the default permissions on the mailbox store....

Administrator - Full Control / minus send as and receive as
Domain Admins - Everything but Full Control and send as /received

Enterprise Admins - Full Control minus send as and receive as

Everyone - Create named properties in the information store

Exchange Domain Servers:
Read
Execute
Read permissions
Create children
List contents
Read properties
Open mail send queue
Administer information store
Create named properties in the information store
View information store status
Receive As
Send As

Exchange Services (group) - FULL Control
Machine account - FULL Control


If this helps....you'll see that Authenticated Users and Domain Users do not get applied any kind of permissions directly on the store - other than the Everyone group getting that one right......
0
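An added example, not part of the original thread: a check of mailbox-store ACEs against the defaults listed in the answer above, flagging broad groups that hold more than those defaults and saying whether each ACE has to be changed on the store itself or on the parent it is inherited from. The pipe-separated export format, the `EXAMPLE` domain and the sample rows are constructed assumptions.

```python
from dataclasses import dataclass

# Broad groups discussed in the thread; any extra right here reaches every user.
BROAD_GROUPS = {"everyone", "authenticated users", "domain users"}
# Rights that let a trustee open, or send from, any mailbox on the store.
MAILBOX_ACCESS = {"full control", "receive as", "send as"}
# The only default right the answer lists for a broad group.
BASELINE = {"everyone": {"create named properties in the information store"}}

# Constructed sample (hypothetical export format: trustee|type|right|origin).
SAMPLE_ACES = """\
EXAMPLE\\NetAdmin|Allow|Full Control|explicit
EXAMPLE\\Exchange Domain Servers|Allow|Receive As|explicit
Everyone|Allow|Create named properties in the information store|inherited
NT AUTHORITY\\Authenticated Users|Allow|Receive As|inherited
NT AUTHORITY\\Authenticated Users|Allow|Read|inherited
EXAMPLE\\Domain Users|Allow|Send As|explicit
EXAMPLE\\Domain Users|Deny|Full Control|explicit
"""

@dataclass
class Finding:
    trustee: str
    right: str
    severity: str  # "high" = can open or send from any mailbox on the store
    fix_at: str    # where the ACE has to be changed

def audit(export: str) -> list[Finding]:
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        trustee, ace_type, right, origin = (f.strip() for f in line.split("|"))
        name = trustee.split("\\")[-1].lower()  # drop the domain prefix
        # Only Allow ACEs for broad groups can over-grant; Deny ACEs restrict.
        if name not in BROAD_GROUPS or ace_type.lower() != "allow":
            continue
        if right.lower() in BASELINE.get(name, set()):
            continue  # matches the default listed in the answer
        severity = "high" if right.lower() in MAILBOX_ACCESS else "review"
        # An inherited ACE cannot be removed on the store; edit it where it is set.
        fix_at = "parent object" if origin.lower() == "inherited" else "mailbox store"
        findings.append(Finding(trustee, right, severity, fix_at))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ACES):
        print(f"{f.severity:6} {f.trustee}: {f.right} (change on the {f.fix_at})")
```
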
 
LVL 10

Expert Comment

by:kevala
ID: 7128217
atmear, how's it going?
0
 

Author Comment

by:atmear
ID: 7132705
I have not had a chance to get back into this... stuck on a Cisco project. I actually got approval to purchase a 6 incident pack of MS support. But... for some reason the stinking web site will not let me purchase them... hummmm...
0
 

Author Comment

by:atmear
ID: 7275217
Sorry for the time it took to reward these points...

For all others reviewing this PAQ... What my problem boiled down to was that my permissions were just all wrong... After 2 or three reinstalls and/or complete rebuilds, I got my permissions back into shape.

0
