Solved

Exchange Permissions...

Posted on 2002-06-24
Last Modified: 2010-03-05
I had a consultant install Exchange2k on a server and it seems he has all my administrative/system accounts all messed up.

For instance, anyone can add anyone else to Outlook and check their mail... not good.

Any ideas how I can set everything back to default, or at least fix my current problem?

Thanks in Advance,
ATM
Question by:atmear
21 Comments
 
LVL 10

Expert Comment

by:kevala
ID: 7107537
Check the mailbox store properties, on the security tab, see what kind of permissions the authenticated users group, the everyone group, or the domain users group have.
If any of the above groups have full control, that will be the symptom.

Hope this helps!
0
 

Author Comment

by:atmear
ID: 7107951
Well,

It seems the "Authenticated Users" in the security tab doesn't have Full Control... but it seems that they may have too much control. What would be the correct setting(s) for this type of user group?

Thank You
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108159
By default, the Authenticated Users do not have ANY permissions on the mailbox store....
0
 

Author Comment

by:atmear
ID: 7108351
Soooo.... should I remove them? And at that note, it seems they are actually inherited...
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108375
Remove the Authenticated Users group from the mailbox store; by default it is not there, and I'm not sure why they would be. I hope they weren't delegated rights at the organization level; if so, I wonder why......
0
 

Author Comment

by:atmear
ID: 7108389
I am going to do that now.... No telling why they were added in. Any idea what could or may happen by this change if it was delegated at the organizational level? Or in other words, do you have any words of advice to give prior to me pulling that out?
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108519
Well, I can tell you that my 20 VMs, three lab servers, and all my customers' servers do not have the Authenticated Users group or the Domain Users group with permissions specified on the mailbox store.....and they all run fine. Now I don't know why it was added there, that's why I was saying "by default" - but if the Authenticated Users have permissions on the mailbox store, that means they have those rights on ANY mailbox on that store.....
0
 

Author Comment

by:atmear
ID: 7108562
HEY... It's you again... hehehehe

I am removing it now!
0
 

Author Comment

by:atmear
ID: 7108571
Alrighty... not sure how fast the change should have worked after pulling out the Auth. Users... but I was still able to go to another standard user's computer, and say Open, user's folder, type in another associate's name and it came right up....
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108775
They have rights somewhere, I'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no unnecessary groups on the mailbox store with any unusual rights. Like the Domain Users, Authenticated Users, groups that those users are a member of.....
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108821
They have rights somewhere, I'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no unnecessary groups on the mailbox store with any unusual rights. Like the Domain Users, Authenticated Users, groups that those users are a member of.....
0
 

Author Comment

by:atmear
ID: 7108916
After taking that out, users are now complaining they do not have rights to log in.... not good....

What are your suggestions... It is obvious this is completely setup wrong...

Let me know

TY
0
 

Author Comment

by:atmear
ID: 7108924
The accounts in that security tab are as follows:

NetAdmin
Server Operators (TT-GAMMA\Server Operators)
TT-GAMMA$ (edited name\TT-GAMMA$)

The first one (NetAdmin) is the main Enterprise Admin privileged Admin account.

That is all that is in there....
0
 

Author Comment

by:atmear
ID: 7108961
I went ahead and added it back.... so users would work again.... Dohhh
0
 
LVL 10

Expert Comment

by:kevala
ID: 7109019
Are the three accounts listed above the only ones there????????
0
 

Author Comment

by:atmear
ID: 7110445
Yes... They are the only ones listed directly on the store. If I go to the organization, there are quite a bit more. I will get those and list them shortly.
0
 

Author Comment

by:atmear
ID: 7112013
On a side note... the receiving of email is very slow.... sending is fine.
0
 
LVL 10

Accepted Solution

by:
kevala earned 150 total points
ID: 7118734
Here are the default permissions on the mailbox store....

Administrator - Full Control / minus send as and receive as
Domain Admins - Everything but Full Control and send as /received

Enterprise Admins - Full Control minus send as and receive as

Everyone - Create named properties in the information store

Exchange Domain Servers:
Read
Execute
Read permissions
Create children
List contents
Read properties
Open mail send queue
Administer information store
Create named properties in the information store
View information store status
Receive As
Send As

Exchange Services (group) - FULL Control
Machine account - FULL Control


If this helps....you'll see that Authenticated Users and Domain Users do not get applied any kind of permissions directly on the store - other than the Everyone group getting that one right......
0
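An added example, not part of the thread and not Exchange's own tooling: a small Python check that compares a mailbox store's ACL against the defaults listed in the answer above and flags broad groups holding more than that baseline. The pipe-delimited export format, the function names and the sample entries are assumptions constructed for illustration.

```python
BROAD_GROUPS = {"authenticated users", "domain users", "everyone"}
# Per the answer, only Everyone holds a right directly on the store.
ALLOWED_FOR_BROAD = {
    "everyone": {"create named properties in the information store"},
}
# Rights that reach into every mailbox on the store.
MAILBOX_ACCESS = {"full control", "receive as", "send as"}

# Constructed sample export (not real output): trustee | rights | inherited
SAMPLE_ACL = """\
TT-GAMMA\\NetAdmin | Full Control | no
NT AUTHORITY\\Authenticated Users | Read, Receive As, Send As | yes
Everyone | Create named properties in the information store | yes
TT-GAMMA\\Domain Users | List contents | no
"""

def parse_acl(text):
    """Parse 'trustee | rights | inherited' lines into dictionaries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        trustee, rights, inherited = (f.strip() for f in line.split("|"))
        entries.append({
            "trustee": trustee,
            "group": trustee.split("\\")[-1].lower(),  # drop DOMAIN\ prefix
            "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
            "inherited": inherited.lower() == "yes",
        })
    return entries

def audit(entries):
    """Return (severity, trustee, extra_rights, origin) for broad groups."""
    findings = []
    for e in entries:
        if e["group"] not in BROAD_GROUPS:
            continue
        extra = e["rights"] - ALLOWED_FOR_BROAD.get(e["group"], set())
        if not extra:
            continue
        severity = "HIGH" if extra & MAILBOX_ACCESS else "REVIEW"
        # An inherited entry is defined on a parent object, so removing it
        # on the store alone does not address where it was granted.
        origin = "inherited from parent" if e["inherited"] else "set on store"
        findings.append((severity, e["trustee"], sorted(extra), origin))
    return sorted(findings)
```

Calling `audit(parse_acl(SAMPLE_ACL))` on the constructed sample reports the inherited Authenticated Users entry as HIGH and the Domain Users entry as REVIEW, while Everyone's single default right passes.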
 
LVL 10

Expert Comment

by:kevala
ID: 7128217
atmear, how's it going?
0
 

Author Comment

by:atmear
ID: 7132705
I have not had a chance to get back into this... stuck on a Cisco project. I actually got approval to purchase a 6 incident pack of MS support. But... for some reason the stinking web site will not let me purchase them... hummmm...
0
 

Author Comment

by:atmear
ID: 7275217
Sorry for the time it took to reward these points...

For all others reviewing this PAQ... What my problem boiled down to was that my permissions were just all wrong... After 2 or three reinstalls and/or complete rebuilds, I got my permissions back into shape.

0
