Everyone group permission for the mailbox store

Hey all,

I have an environment consisting of an Exchange 5.5 and an Exchange 2000 server with ADC running during our migration. While migrating mailboxes we noticed that the users are able to access others. After checking permissions, I found that the mailbox rights on the Advanced Exchange properties of the user in AD had the everyone group with inherited permissions.

I have been able to trace the permissions back to the mailbox store. This seems to be where they were added.

My questions are:

Is this something that the ADC or mixed mode has done for the purpose of the migration and once removed and set to native mode will be corrected? Or do I have to go and beat someone in the admin group for adding permissions that should not be there? If the latter is the case, are there ANY permissions for the everyone group at this level normally?

Let me know if anyone has any info on this. From the searches through the maze at Microsoft I can't seem to get a straight answer.


Everyone does have some permissions on the mailbox store. These should be "special" and should not be removed.
Being able to open everyone's mailbox is not by design, so something has been changed. Perhaps a group has been given the wrong permissions, or everyone has been added to another group that has the global permissions.
I have seen things like "everyone" added to domain admins before.
Don't just look for "everyone", also look for permissions on "Authenticated Users" or any other groups where there is a large membership list.
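
An added example, not part of the original thread: one way to run the check described in the answer above, listing every Allow ACE that a broad principal holds on the mailbox store and whether it is inherited or was set directly on the store. It assumes the store's ACL is read from its Active Directory object; `Get-BroadPrincipalAce`, `$BroadSids` and `$StoreDn` are hypothetical names, the DN is a placeholder, and treating Domain Users as a large-membership group is an assumption.

```powershell
# Added example. Lists Allow ACEs that broad principals hold on one directory
# object (here: the mailbox store) and shows whether each ACE is inherited.

# Well-known SIDs, so the check does not depend on localized group names.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-BroadPrincipalAce {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName
    )

    $entry   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # $true, $true = include both explicit and inherited ACEs.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        $sid  = $rule.IdentityReference.Value
        $name = $BroadSids[$sid]
        # Assumption: Domain Users (RID 513) also counts as a large-membership group.
        if (-not $name -and $sid -like 'S-1-5-21-*-513') { $name = 'Domain Users' }
        if (-not $name -or $rule.AccessControlType -ne 'Allow') { continue }

        [pscustomobject]@{
            Principal  = $name
            Rights     = $rule.ActiveDirectoryRights
            ObjectType = $rule.ObjectType     # GUID of an extended right or property, if any
            Inherited  = $rule.IsInherited    # False = set directly on this object
        }
    }
}

# Placeholder: replace with the DN of your own mailbox store object.
$StoreDn = '<distinguished name of the mailbox store object>'
Get-BroadPrincipalAce -DistinguishedName $StoreDn |
    Sort-Object Inherited, Principal |
    Format-Table -AutoSize
```

Rows with `Inherited` set to `False` were granted on the store itself; rows set to `True` come from a parent container, so the same function can be pointed at the parent's DN to find where they originate.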

Graycon (Author) commented:
Hey Simon,

I have checked other groups and locations to ensure that is still correct. This seems to be isolated to the actual "everyone" group. When I check the security tab for the properties of the mailbox store, I see the everyone group and a whole bunch of permissions. I know on a clean install of Exchange 2003 that at that point the everyone group is listed but only has "Create name properties" and "Special". Exchange 2000 does not have a listing for special at this point unlike 2003. It does have the "Create name properties" and that is selected. But several other options are also selected.

I just don't know if that was something the system needs for proper operation during the migration or if someone on the admin group made a mistake.

The migration shouldn't need those permissions as the migration is done with an account that has the required permissions (domain admin usually). I cannot think of any reason for everyone to be given the additional permissions, unless someone has made a mistake or was trying to replicate the "service account" permission (a very common request).

Graycon (Author) commented:
Hmmmm ..... that's what I thought.  Just wanted to make sure someone else was thinking the same and there wasn't something I was overlooking.

Thanx for your input.