?
Solved

Exchange Permissions...

Posted on 2002-06-24
21
Medium Priority
?
246 Views
Last Modified: 2010-03-05
I had a consultant install Exchange2k on a server and it seems he has all my administrtive/system accounts all messed up.

For instance, any one can add anyone eles to outlook and check thier mail... not good.

Any ideas how I can set everything back to default, or at least fix my current problem?

Thanks in Advance,
ATM
0
Comment
Question by:atmear
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 9
21 Comments
 
LVL 10

Expert Comment

by:kevala
ID: 7107537
Check the mailbox store properties, on the security tab, see what kind of permissions the authenticated users group, the everyone group, or the domain users group have.
If any of the above groups have full control, that will be the symptom.

Hope this helps!
0
 

Author Comment

by:atmear
ID: 7107951
Well,

It seems the "Authernticated Users" in the security tab doesn't have Full Control... but it seems that they may have too much control. What would be the correct setting(s) for this type of user group?

Thank You
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108159
By default, the Authenticated Users do not have ANY permissions on the mailbox store....
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:atmear
ID: 7108351
Soooo.... should I remove them? and at that note, it seems they are actually inharited...
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108375
Remove the Authenticated Users group from the mailbox store, by default it is not there, and i'm not sure why they would be. I hope they weren't delegated rights at the organization level, if so, i wonder why......
0
 

Author Comment

by:atmear
ID: 7108389
I am going to do that now.... No telling why they were added in. Any idea what could or may happen by this change if it was delegated at the organizational level? Or in other words, do you have any words of advise to give prior to me pulling that out?
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108519
Well i can tell you that my 20 VM's, three lab servers, and all my customer's server do not have the Authenticated Users group or the domain users group with permissions specified on the mailbox store.....and they all run fine. Now i don't know why it was added there, that's why i was saying "by default" - but if the authenticated users have permissions on the mailbox store, that means they have those rights on ANY mailbox on that store.....
0
 

Author Comment

by:atmear
ID: 7108562
HEY... It's you again... hehehehe

I am removing it now!
0
 

Author Comment

by:atmear
ID: 7108571
Alrighty... not sure how fast the change should have worked after pulling out the Auth. Users... but I will still able to go to another standard users computer, and say Open, users folder, type in another associates name and it came right up....
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108775
They have rights somewhere, i'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no uneccessary groups on the mailbox store with any unusual rights. Like the domain users, authenticated users, groups that those users are a member of.....
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108821
They have rights somewhere, i'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no uneccessary groups on the mailbox store with any unusual rights. Like the domain users, authenticated users, groups that those users are a member of.....
0
 

Author Comment

by:atmear
ID: 7108916
After taking that out, users are now complaining they do not have rights to log in.... not good....

What are your suggestions... It is obvious this is completely setup wrong...

Let me know

TY
0
 

Author Comment

by:atmear
ID: 7108924
The accounts in that security tab are as follows:

NetAdmin
Server Operators (TT-GAMMA\Server Operators)
TT-GAMMA$ (edited name\TT-GAMMA$)

The first one (netadmin)is the main Enterprise Admin privliged Admin account.

That is all that is in there....
0
 

Author Comment

by:atmear
ID: 7108961
I went ahead and added it back.... so users would work again.... Dohhh
0
 
LVL 10

Expert Comment

by:kevala
ID: 7109019
Are the three accounts listed above the only ones there????????
0
 

Author Comment

by:atmear
ID: 7110445
Yes... They are the only one's listed directly on the store. If I goto the organization, there quite abit more. I will get those and list them shortly.
0
 

Author Comment

by:atmear
ID: 7112013
on a side note... the recieving of email is very slow.... sending is fine.
0
 
LVL 10

Accepted Solution

by:
kevala earned 600 total points
ID: 7118734
Here are the default permissions on the mailbox store....

Administrator - Full Control / minus send as and receive as
Domain Admins - Everything but Full Control and send as /received

Enterprise Admins - Full Control minus send as and receive as

Everyone - Creat named properties in the information store

Exchange Domain Servers:
Read
Execute
Read permissions
Create children
List contents
Read properties
Open mail send queue
Administer information store
Create named properties in the information store
View information store status
Receive As
Send As

Exchange Services (group) - FULL Control
Machine account - FULL Control


if this helps....you'll see that authenticated users and domain users do not get applied any kind of permissions directly on the store - other than the everyone group getting that one right......
0
 
LVL 10

Expert Comment

by:kevala
ID: 7128217
atmear, how's it going?
0
 

Author Comment

by:atmear
ID: 7132705
I have not had a chance to get back into this... stuck on a cisco project. I actually, got approval to purchase a 6 incident pack of MS support. But... for some reason the stinking web site will not let me purchase them... hummmm...
0
 

Author Comment

by:atmear
ID: 7275217
Sorry for the time it took to reward these points...

For all other reviewing this PAQ... What my problem boiled down to was that my permissions were just all wrong... After 2 or three reinstalls and or complete rebuilds, I got my permissions back into shape.

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question