Everyone group permission for the mailbox store

Posted on 2004-12-01
Medium Priority
Last Modified: 2008-03-04
Hey all,

I have an environment consisting of an Exchange 5.5 and an Exchange 2000 server with ADC running during our migration. While migrating mailboxes we noticed that the users are able to access others. After checking permissions I found that the mailbox rights on the Advanced Exchange properties of the user in AD had the everyone group with inherited permissions.

I have been able to trace the permissions back to the mailbox store. This seems to be where they were added.

    My questions are:

Is this something that the ADC or mixed mode has done for the purpose of the migration, and once removed and set to native mode will be corrected? Or do I have to go and beat someone in the admin group for adding permissions that should not be there? If the latter is the case, are there ANY permissions for the everyone group at this level normally?

Let me know if anyone has any info on this. From the searches through the maze at Microsoft I can't seem to get a straight answer.

Question by:Graycon

Expert Comment

ID: 12719644
Everyone does have some permissions on the mailbox store. These should be "special" and should not be removed.
Being able to open everyone's mailbox is not by design, so something has been changed. Perhaps a group has been given the wrong permissions, or everyone has been added to another group that has the global permissions.
I have seen things like "everyone" added to domain admins before.
Don't just look for "everyone", also look for permissions on "Authenticated Users" or any other groups where there is a large membership list.
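
The check described in the comment above, as an added example that is not part of the original thread: it assumes the mailbox store's security descriptor is available as an SDDL string and lists every allow ACE granted to Everyone, Authenticated Users or another large group, noting whether it is inherited. The function name `broad_allow_aces` and the sample descriptor are constructed for illustration.

```python
import re

# Standard SDDL aliases / SIDs for principals with very large membership.
BROAD_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "AN": "Anonymous Logon", "DU": "Domain Users", "BU": "BUILTIN\\Users",
}
ALLOW_TYPES = {"A", "OA"}  # access-allowed and object-specific allowed ACEs


def broad_allow_aces(sddl):
    """Return allow ACEs in the DACL that are granted to broad groups."""
    # Keep only the DACL: text after "D:" and before the SACL marker "S:".
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    findings = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # not a well-formed ACE string
        ace_type, flags, rights, object_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ALLOW_TYPES or trustee not in BROAD_TRUSTEES:
            continue
        findings.append({
            "trustee": BROAD_TRUSTEES[trustee],
            # Rights are two-letter codes (RP, WP, CR, GA ...) or a hex mask.
            "rights": [rights] if rights.startswith("0x") else re.findall("..", rights),
            # "ID" in the flags means the ACE was inherited from a parent object.
            "inherited": "ID" in re.findall("..", flags),
            "object_guid": object_guid or None,
        })
    return findings


# Constructed sample descriptor (not taken from a real server).
SAMPLE_SDDL = (
    "O:DAG:DAD:(A;CI;GA;;;DA)(A;CIID;RPWPCR;;;WD)(A;CI;RP;;;AU)"
    "(D;;WP;;;WD)(A;;RPLC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "S:(AU;SA;WP;;;WD)"
)

if __name__ == "__main__":
    for f in broad_allow_aces(SAMPLE_SDDL):
        origin = "inherited" if f["inherited"] else "explicit"
        print(f"{f['trustee']}: {' '.join(f['rights'])} ({origin})")
```

Deny ACEs, SACL entries and ACEs for individual accounts are skipped on purpose, so the output is only the grants that reach a large population.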


Author Comment

ID: 12719912
Hey Simon,

I have checked other groups and locations to ensure that is still correct. This seems to be isolated to the actual "everyone" group. When I check the security tab for the properties of the mailbox store, I see the everyone group and a whole bunch of permissions. I know on a clean install of Exchange 2003 that at that point the everyone group is listed but only has "Create name properties" and "Special". Exchange 2000 does not have a listing for special at this point unlike 2003. It does have the "Create name properties" and that is selected. But several other options are also selected.

   I just don't know if that was something the system needs for proper operation during the migration or if someone on the admin group made a mistake.


Accepted Solution

Sembee earned 1500 total points
ID: 12720443
The migration shouldn't need those permissions as the migration is done with an account that has the required permissions (domain admin usually). I cannot think of any reason for everyone to be given the additional permissions, unless someone has made a mistake or was trying to replicate the "service account" permission (a very common request).


Author Comment

ID: 12720701
Hmmmm ..... that's what I thought.  Just wanted to make sure someone else was thinking the same and there wasn't something I was overlooking.

Thanks for your input.
