Everyone group permission for the mailbox store

Posted on 2004-12-01
Last Modified: 2008-03-04
Hey all,

      I have an environment consisting of an Exchange 5.5 and an Exchange 2000 server with ADC running during our migration. While migrating mailboxes we noticed that the users are able to access others. After checking permissions I found that the mailbox rights on the Advanced Exchange properties of the user in AD had the everyone group with inherited permissions.

     I have been able to trace the permissions back to the mailbox store. This seems to be where they were added.

    My questions are:

          Is this something that the ADC or mixed mode has done for the purpose of the migration and once removed and set to native mode will be corrected? Or do I have to go and beat someone in the admin group for adding permissions that should not be there? If the latter is the case, are there ANY permissions for the everyone group at this level normally?

      Let me know if anyone has any info on this. From the searches through the maze at Microsoft I can't seem to get a straight answer.

Question by: Graycon

    Expert Comment

    Everyone does have some permissions on the mailbox store. These should be "special" and should not be removed.
    Being able to open everyone's mailbox is not by design, so something has been changed. Perhaps a group has been given the wrong permissions, or everyone has been added to another group that has the global permissions.
    I have seen things like "everyone" added to domain admins before.
    Don't just look for "everyone", also look for permissions on "Authenticated Users" or any other groups where there is a large membership list.
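
The check described in the comment above (broad groups holding rights on the store, directly or through nested membership), as an added example that is not part of the original thread. The ACE rows, group names and memberships are constructed sample data, `expand` and `audit` are hypothetical helpers, and the baseline for Everyone follows the thread's clean-install description.

```python
# Added example; every name and value here is constructed sample data.
BROAD = {"Everyone", "Authenticated Users"}  # principals the thread says to look for

# Rights a broad principal may keep. The thread reports "Create name properties"
# for Everyone on a clean install; the full label below is an assumption.
BASELINE = {"Everyone": {"Create named properties in the information store"}}

# group -> direct members (hypothetical groups; note the nesting and the cycle)
GROUPS = {
    "Exchange Ops": ["Mail Operators", "alice"],
    "Mail Operators": ["Authenticated Users", "Exchange Ops"],
    "Backup Service": ["svc-backup"],
}

# (trustee, right, inherited) rows as they might be copied from the Security tab
ACES = [
    ("Everyone", "Create named properties in the information store", False),
    ("Everyone", "Receive As", True),
    ("Exchange Ops", "Send As", False),
    ("Backup Service", "Receive As", False),
]

def expand(group, groups, seen=None):
    """Return every member reachable from `group`, following nesting; cycle-safe."""
    seen = set() if seen is None else seen
    for member in groups.get(group, ()):
        if member not in seen:
            seen.add(member)
            expand(member, groups, seen)
    return seen

def audit(aces, groups, baseline):
    """Return (broad_principal, trustee, right, inherited) for each risky ACE."""
    findings = []
    for trustee, right, inherited in aces:
        if right in baseline.get(trustee, ()):
            continue  # expected default, leave it alone
        reach = {trustee} | expand(trustee, groups)
        for principal in sorted(reach & BROAD):
            findings.append((principal, trustee, right, inherited))
    return findings

if __name__ == "__main__":
    for principal, trustee, right, inherited in audit(ACES, GROUPS, BASELINE):
        via = "directly" if principal == trustee else f"via {trustee}"
        print(f"{principal} holds '{right}' {via} (inherited={inherited})")
```

The inherited flag is carried through so that an entry can be traced back to the parent object where it was set, as the question does for the mailbox store.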


    Author Comment

    Hey Simon,

        I have checked other groups and locations to ensure that is still correct. This seems to be isolated to the actual "everyone" group. When I check the security tab for the properties of the mailbox store, I see the everyone group and a whole bunch of permissions. I know on a clean install of Exchange 2003 that at that point the everyone group is listed but only has "Create name properties" and "Special". Exchange 2000 does not have a listing for special at this point unlike 2003. It does have the "Create name properties" and that is selected. But several other options are also selected.

       I just don't know if that was something the system needs for proper operation during the migration or if someone on the admin group made a mistake.


    Accepted Solution

    The migration shouldn't need those permissions as the migration is done with an account that has the required permissions (domain admin usually). I cannot think of any reason for everyone to be given the additional permissions, unless someone has made a mistake or was trying to replicate the "service account" permission (a very common request).


    Author Comment

    Hmmmm ..... that's what I thought.  Just wanted to make sure someone else was thinking the same and there wasn't something I was overlooking.

    Thanks for your input.
