Inherited Mailbox Rights

Posted on 2005-04-23
Last Modified: 2011-12-22
This question is a variation on the Mailbox Rights question.

Upgraded from Exchange 5.5 to Exchange 2003, all users have read access to each other's mailbox.

Active Directory Users and Computers, User Properties, Exchange Advanced, Mailbox Permissions shows
 Authenticated Users have Full Mail Rights,
 Everyone has Read and
 Anonymous Logon has Read.

There are about 300 users of Exchange, therefore any solution has to be a 'global one'.

All these permissions are inherited from the Organisation Level in Exchange System Manager.

The goal is users can only read their own mailbox unless given specific read permission through Delegation in Outlook.
I tried setting deny permission for Everyone on one mailbox but that locked the user out as well!

What permissions are required for Exchange to work and users to be able to read their own mail only?

Question by:beechcroft

    Accepted Solution

    If you modify the default permissions on mailbox stores and public folder stores in Exchange 2000 Server or in Exchange Server 2003, make sure that you maintain the following minimum permissions:

    Administrators group:            Full Control

    Authenticated Users group:   Read and Execute, List Folder Contents, and Read

    Creator Owner:                      None

    Server Operators group:        Modify, Read and Execute, List Folder Contents, Read, and Write

    System account:                    Full Control

    When you create a new mailbox, Exchange uses information from the mailbox store to create the default permissions for the new mailbox. The default folders in the new mailbox inherit permissions from the mailbox itself. Users can modify the permissions on folders in their mailbox using Outlook. Outlook uses MAPI permissions, which Exchange automatically converts to Windows 2000 permissions when it is storing the changes.
    Although you can use Exchange System Manager to delete or move mailboxes, you cannot use it to access mailbox content or mailbox-related attributes of the user. Use Active Directory Users and Computers to perform administrative tasks on the Exchange-related attributes of user objects. In addition, you must use Active Directory Users and Computers to give users permission to access the mailbox itself,

    Author Comment

    If I get the implications of your answer, the permission that is giving all users read access to all mailboxes is the Everyone Read permission. I also cannot think of a good idea why Anonymous Login should have access.

    I will try removing the Everyone Read and see what happens.


    Expert Comment

    I have recently made a huge mistake by changing the Everyone security permissions on our live mailbox store to deny and unchecking the option to allow inheritable permissions from parent to propagate to this object. As a result of this, all 150 users within the company have lost access to their email. The mailbox store is not visible now under Exchange System Manager. I can however access the first storage group permissions, but tweaking the permissions on the first storage group does not seem to bring back the store in system enterprise manager. The server is running Windows 2000 and the Exchange version is Exchange 2000. I would greatly appreciate any ideas as quick as possible as my job is on the line. Thanks


    Expert Comment

    Hi Timmons,

    Use the ADSI utility to reset the permissions under configuration container.

    Expert Comment

    That worked, thanks ikm7176.

    Expert Comment

    Glad that it worked for you.
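
Added example, not part of the original thread: a simplified Python model of Windows ACE ordering that shows why the explicit deny for Everyone described in the question, and again in the later mailbox-store comment, locks out the owner too, while removing the broad inherited allow entries does not. The users `alice` and `bob`, the owner entry and the ACL contents are constructed assumptions.

```python
# Added example: simplified model of Windows ACE ordering, run on constructed data.
from dataclasses import dataclass

BROAD = {"Everyone", "Authenticated Users", "Anonymous Logon"}  # groups named in the question
ALL_USERS = {"Everyone", "Authenticated Users"}  # every signed-in user is a member

@dataclass(frozen=True)
class Ace:
    principal: str
    kind: str        # "allow" or "deny"
    right: str       # "read" or "full" (full implies read)
    inherited: bool  # True when propagated from a parent object

def applies(user, ace):
    """Assumed membership rule: broad groups contain every named user."""
    return ace.principal in ALL_USERS or ace.principal == user

def can_read(user, acl):
    """Canonical order: explicit deny, explicit allow, inherited deny,
    inherited allow. The first ACE that applies decides the request."""
    ordered = sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))
    for ace in ordered:
        if applies(user, ace) and ace.right in ("read", "full"):
            return ace.kind == "allow"
    return False  # no matching ACE: implicit deny

def broad_grants(acl):
    """Allow entries held by groups that cover far more than the owner."""
    return [a.principal for a in acl if a.kind == "allow" and a.principal in BROAD]

# Constructed ACL for a mailbox owned by "alice"; the owner entry is an
# assumption standing in for the owner's own mailbox right.
INHERITED = [
    Ace("Authenticated Users", "allow", "full", True),
    Ace("Everyone", "allow", "read", True),
    Ace("Anonymous Logon", "allow", "read", True),
]
OWNER = Ace("alice", "allow", "full", False)

as_found = INHERITED + [OWNER]
with_deny = as_found + [Ace("Everyone", "deny", "read", False)]
owner_only = [OWNER]  # broad allows removed rather than denied

if __name__ == "__main__":
    for name, acl in [("as found", as_found), ("deny Everyone", with_deny),
                      ("broad allows removed", owner_only)]:
        print(name, "| alice:", can_read("alice", acl), "| bob:", can_read("bob", acl),
              "| broad:", broad_grants(acl))
```

The model covers ACE ordering only; it says nothing about the minimum store permissions listed in the accepted solution, which still have to be maintained.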
