Solved

Exchange Permissions...

Posted on 2002-06-24
21
241 Views
Last Modified: 2010-03-05
I had a consultant install Exchange2k on a server and it seems he has all my administrtive/system accounts all messed up.

For instance, any one can add anyone eles to outlook and check thier mail... not good.

Any ideas how I can set everything back to default, or at least fix my current problem?

Thanks in Advance,
ATM
0
Comment
Question by:atmear
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 9
21 Comments
 
LVL 10

Expert Comment

by:kevala
ID: 7107537
Check the mailbox store properties, on the security tab, see what kind of permissions the authenticated users group, the everyone group, or the domain users group have.
If any of the above groups have full control, that will be the symptom.

Hope this helps!
0
 

Author Comment

by:atmear
ID: 7107951
Well,

It seems the "Authernticated Users" in the security tab doesn't have Full Control... but it seems that they may have too much control. What would be the correct setting(s) for this type of user group?

Thank You
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108159
By default, the Authenticated Users do not have ANY permissions on the mailbox store....
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:atmear
ID: 7108351
Soooo.... should I remove them? and at that note, it seems they are actually inharited...
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108375
Remove the Authenticated Users group from the mailbox store, by default it is not there, and i'm not sure why they would be. I hope they weren't delegated rights at the organization level, if so, i wonder why......
0
 

Author Comment

by:atmear
ID: 7108389
I am going to do that now.... No telling why they were added in. Any idea what could or may happen by this change if it was delegated at the organizational level? Or in other words, do you have any words of advise to give prior to me pulling that out?
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108519
Well i can tell you that my 20 VM's, three lab servers, and all my customer's server do not have the Authenticated Users group or the domain users group with permissions specified on the mailbox store.....and they all run fine. Now i don't know why it was added there, that's why i was saying "by default" - but if the authenticated users have permissions on the mailbox store, that means they have those rights on ANY mailbox on that store.....
0
 

Author Comment

by:atmear
ID: 7108562
HEY... It's you again... hehehehe

I am removing it now!
0
 

Author Comment

by:atmear
ID: 7108571
Alrighty... not sure how fast the change should have worked after pulling out the Auth. Users... but I will still able to go to another standard users computer, and say Open, users folder, type in another associates name and it came right up....
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108775
They have rights somewhere, i'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no uneccessary groups on the mailbox store with any unusual rights. Like the domain users, authenticated users, groups that those users are a member of.....
0
 
LVL 10

Expert Comment

by:kevala
ID: 7108821
They have rights somewhere, i'm guessing it's not at the mailbox level though. My suggestion would be to ensure that there are no uneccessary groups on the mailbox store with any unusual rights. Like the domain users, authenticated users, groups that those users are a member of.....
0
 

Author Comment

by:atmear
ID: 7108916
After taking that out, users are now complaining they do not have rights to log in.... not good....

What are your suggestions... It is obvious this is completely setup wrong...

Let me know

TY
0
 

Author Comment

by:atmear
ID: 7108924
The accounts in that security tab are as follows:

NetAdmin
Server Operators (TT-GAMMA\Server Operators)
TT-GAMMA$ (edited name\TT-GAMMA$)

The first one (netadmin)is the main Enterprise Admin privliged Admin account.

That is all that is in there....
0
 

Author Comment

by:atmear
ID: 7108961
I went ahead and added it back.... so users would work again.... Dohhh
0
 
LVL 10

Expert Comment

by:kevala
ID: 7109019
Are the three accounts listed above the only ones there????????
0
 

Author Comment

by:atmear
ID: 7110445
Yes... They are the only one's listed directly on the store. If I goto the organization, there quite abit more. I will get those and list them shortly.
0
 

Author Comment

by:atmear
ID: 7112013
on a side note... the recieving of email is very slow.... sending is fine.
0
 
LVL 10

Accepted Solution

by:
kevala earned 150 total points
ID: 7118734
Here are the default permissions on the mailbox store....

Administrator - Full Control / minus send as and receive as
Domain Admins - Everything but Full Control and send as /received

Enterprise Admins - Full Control minus send as and receive as

Everyone - Creat named properties in the information store

Exchange Domain Servers:
Read
Execute
Read permissions
Create children
List contents
Read properties
Open mail send queue
Administer information store
Create named properties in the information store
View information store status
Receive As
Send As

Exchange Services (group) - FULL Control
Machine account - FULL Control


if this helps....you'll see that authenticated users and domain users do not get applied any kind of permissions directly on the store - other than the everyone group getting that one right......
0
 
LVL 10

Expert Comment

by:kevala
ID: 7128217
atmear, how's it going?
0
 

Author Comment

by:atmear
ID: 7132705
I have not had a chance to get back into this... stuck on a cisco project. I actually, got approval to purchase a 6 incident pack of MS support. But... for some reason the stinking web site will not let me purchase them... hummmm...
0
 

Author Comment

by:atmear
ID: 7275217
Sorry for the time it took to reward these points...

For all other reviewing this PAQ... What my problem boiled down to was that my permissions were just all wrong... After 2 or three reinstalls and or complete rebuilds, I got my permissions back into shape.

0

Featured Post

Office 365 Advanced Training for Admins

Special Offer:  Buy 1 course, get 2nd free!  Buy the 'Managing Office 365 Identities & Requirements' course w/ Accelerated TestPrep, and automatically receive the 'Enabling Office 365 Services' course FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
This article explains how to install and use the NTBackup utility that comes with Windows Server.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question