Inherited Mailbox Rights

This question is a variation on the Mailbox Rights question.

Upgraded from Exchange 5.5 to Exchange 2003; all users have read access to each other's mailbox.

Active Directory Users and Computers, User Properties, Exchange Advanced, Mailbox Permissions shows:
 Authenticated Users have Full Mail Rights,
 Everyone has Read and
 Anonymous Logon has Read.

There are about 300 users of Exchange, therefore any solution has to be a 'global one'.

All these permissions are inherited from the Organisation Level in Exchange System Manager.

The goal is that users can only read their own mailbox unless given specific read permission through Delegation in Outlook.
I tried setting a deny permission for Everyone on one mailbox, but that locked the user out as well!

What permissions are required for Exchange to work and users to be able to read their own mail only?

ikm7176 (Sr. IT Manager) commented:
If you modify the default permissions on mailbox stores and public folder stores in Exchange 2000 Server or in Exchange Server 2003, make sure that you maintain the following minimum permissions:

Administrators group: Full Control

Authenticated Users group: Read and Execute, List Folder Contents, and Read

Creator Owner: None

Server Operators group: Modify, Read and Execute, List Folder Contents, Read, and Write

System account: Full Control

When you create a new mailbox, Exchange uses information from the mailbox store to create the default permissions for the new mailbox. The default folders in the new mailbox inherit permissions from the mailbox itself. Users can modify the permissions on folders in their mailbox using Outlook. Outlook uses MAPI permissions, which Exchange automatically converts to Windows 2000 permissions when it is storing the changes.
Although you can use Exchange System Manager to delete or move mailboxes, you cannot use it to access mailbox content or mailbox-related attributes of the user. Use Active Directory Users and Computers to perform administrative tasks on the Exchange-related attributes of user objects. In addition, you must use Active Directory Users and Computers to give users permission to access the mailbox itself.
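To make the inheritance behaviour described above concrete (organisation-level entries flowing down onto every mailbox, and a Deny for Everyone on one mailbox locking out its own owner, as the question reports), here is a small model of the Windows DACL access check. This is an added illustration, not code from the thread, from Microsoft, or from Exchange: it implements only the documented ordering rules of a Windows access check (explicit entries before inherited ones, deny before allow, first decisive match wins) on constructed data. The user names, the two access bits and the "owner only" organisation-level list are constructed assumptions, and the model deliberately does not attempt to reproduce how Exchange translates store-level rights into mailbox rights.

```python
"""Simplified Windows DACL access check, used to illustrate the inheritance
situation in this thread: entries for Authenticated Users, Everyone and
Anonymous Logon set at the organisation level are inherited down onto every
mailbox, and an explicit Deny for Everyone on one mailbox locks out its owner.

Constructed illustration only: the ordering rules (explicit before inherited,
deny before allow, first decisive match wins) follow the documented Windows
access-check algorithm, but nothing here is Exchange's own code and it does
not model how Exchange maps store-level rights onto mailbox rights.
"""
from dataclasses import dataclass

READ = 0x1
WRITE = 0x2
FULL = READ | WRITE  # two bits are enough for the illustration


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name the entry applies to
    allow: bool         # True = Allow ACE, False = Deny ACE
    mask: int           # access bits the entry grants or denies
    inherited: bool = False


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


def canonical_order(dacl):
    """Windows keeps a DACL in canonical order: explicit deny, explicit
    allow, inherited deny, inherited allow.  Sorting on (inherited, allow)
    reproduces that order whatever order the caller built the list in."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(principal, dacl, requested):
    """Walk the ACEs in canonical order and return (granted, decisive_ace).

    A Deny ACE is decisive as soon as it overlaps any bit not yet granted;
    an Allow ACE is decisive when it clears the last outstanding bit.  This
    is why a Deny for Everyone beats the owner's own Allow: the owner is a
    member of Everyone and explicit denies are evaluated first."""
    tokens = {principal.name} | set(principal.groups)
    outstanding = requested
    for ace in canonical_order(dacl):
        if ace.principal not in tokens:
            continue
        if not ace.allow:
            if ace.mask & outstanding:
                return False, ace
        else:
            outstanding &= ~ace.mask
            if outstanding == 0:
                return True, ace
    return False, None       # no ACE granted the remaining bits


def mailbox_dacl(owner, org_level, explicit=()):
    """Effective DACL of one mailbox: the owner's own Allow, any entries set
    directly on the mailbox, and the organisation-level entries marked as
    inherited, which is how the thread describes the upgraded server."""
    inherited = [Ace(a.principal, a.allow, a.mask, inherited=True)
                 for a in org_level]
    return [Ace(owner, True, FULL), *explicit, *inherited]


# Organisation-level entries exactly as reported in the question.
ORG_AS_REPORTED = (
    Ace("Authenticated Users", True, FULL),
    Ace("Everyone", True, READ),
    Ace("Anonymous Logon", True, READ),
)

# Constructed tightening: organisation level with no Allow for any group
# that contains every ordinary user, keeping only admin and system accounts.
ORG_OWNER_ONLY = (
    Ace("Administrators", True, FULL),
    Ace("SYSTEM", True, FULL),
)

# Two constructed users; every logged-on user is in both groups.
USERS = (
    Principal("alice", frozenset({"Authenticated Users", "Everyone"})),
    Principal("bob", frozenset({"Authenticated Users", "Everyone"})),
)


def who_can_read(mailbox_owner, org_level, explicit=()):
    """Names of USERS able to read the given mailbox under this DACL."""
    dacl = mailbox_dacl(mailbox_owner, org_level, explicit)
    return sorted(u.name for u in USERS if access_check(u, dacl, READ)[0])


if __name__ == "__main__":
    print("as reported:  ", who_can_read("alice", ORG_AS_REPORTED))
    deny_everyone = [Ace("Everyone", False, READ)]
    print("deny Everyone:", who_can_read("alice", ORG_AS_REPORTED, deny_everyone))
    print("owner only:   ", who_can_read("alice", ORG_OWNER_ONLY))
```

Run as a script, the three scenarios reproduce the thread's symptoms in the model: with the organisation-level entries as reported, both constructed users can read alice's mailbox; adding an explicit Deny for Everyone on that mailbox leaves nobody able to read it, alice included, because the explicit deny is evaluated before her own allow; and only when no inherited Allow applies to a group containing every user does the check reduce to the owner alone. The decisive ACE returned by `access_check` is the entry to look at when a mailbox behaves unexpectedly after a permission change.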
beechcroft (Author) commented:
If I get the implications of your answer, the permission that is giving all users read access to all mailboxes is the Everyone Read permission. I also cannot think of a good idea why Anonymous Login should have access.

I will try removing the Everyone Read and see what happens.

I have recently made a huge mistake by changing the Everyone security permissions on our live mailbox store to deny and unchecked the option to allow inheritable permissions from parent to propagate to this object. As a result of this all 150 users within the company have lost access to their email. The mailbox store is not visible now under Exchange System Manager. I can however access the first storage group permissions, but tweaking the permissions on the first storage group does not seem to bring back the store in System Enterprise Manager. The server is running Windows 2000 and the Exchange version is Exchange 2000. I would greatly appreciate any ideas as quick as possible as my job is on the line. Thanks


ikm7176 (Sr. IT Manager) commented:
Hi Timmons,

Use the ADSI utility to reset the permissions under configuration container.
That worked, thanks ikm7176.
ikm7176 (Sr. IT Manager) commented:
Glad that it worked for you.