

Inherited Mailbox Rights

Posted on 2005-04-23
Medium Priority
Last Modified: 2011-12-22
This question is a variation on the Mailbox Rights question.

Upgraded from Exchange 5.5 to Exchange 2003, all users have read access to each other's mailbox.

Active Directory Users and Computers, User Properties, Exchange Advanced, Mailbox Permissions shows
 Authenticated Users have Full Mail Rights,
 Everyone has Read and
 Anonymous Logon has Read.

There are about 300 users of Exchange, therefore any solution has to be a 'global one'.

All these permissions are inherited from the Organisation Level in Exchange System Manager.

The goal is users can only read their own mailbox unless given specific read permission through Delegation in Outlook.
I tried setting deny permission for Everyone on one mailbox but that locked the user out as well!

What permissions are required for Exchange to work and users to be able to read their own mail only?

Question by:beechcroft

Accepted Solution

ikm7176 earned 1000 total points
ID: 13852942
If you modify the default permissions on mailbox stores and public folder stores in Exchange 2000 Server or in Exchange Server 2003, make sure that you maintain the following minimum permissions:

Administrators group: Full Control
Authenticated Users group: Read and Execute, List Folder Contents, and Read
Creator Owner: None
Server Operators group: Modify, Read and Execute, List Folder Contents, Read, and Write
System account: Full Control

When you create a new mailbox, Exchange uses information from the mailbox store to create the default permissions for the new mailbox. The default folders in the new mailbox inherit permissions from the mailbox itself. Users can modify the permissions on folders in their mailbox using Outlook. Outlook uses MAPI permissions, which Exchange automatically converts to Windows 2000 permissions when it is storing the changes.
Although you can use Exchange System Manager to delete or move mailboxes, you cannot use it to access mailbox content or mailbox-related attributes of the user. Use Active Directory Users and Computers to perform administrative tasks on the Exchange-related attributes of user objects. In addition, you must use Active Directory Users and Computers to give users permission to access the mailbox itself,

Author Comment

ID: 13853343
If I get the implications of your answer, the permission that is giving all users read access to all mailboxes is the Everyone Read permission. I also cannot think of a good idea why Anonymous Login should have access.

I will try removing the Everyone Read and see what happens.
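
Added example (not part of the thread or of Exchange itself): a simplified Python model of a Windows-style access check, showing why the inherited catch-all grants let any user read any mailbox, and why an explicit Deny for Everyone also locks out the mailbox owner. The user names, the SELF owner ACE and the "cleaned" target state are assumptions of this sketch; which ACEs Exchange itself requires is outside the model.

```python
# Simplified model of a Windows-style access check over mailbox ACEs.
# Constructed sample data: trustee names follow the thread, user names are made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # group, user, or "SELF" (the mailbox owner; assumed ACE)
    rights: frozenset
    inherited: bool

def groups_for(user, owner):
    """Trustees that match a logged-on user opening owner's mailbox."""
    who = {user, "Everyone", "Authenticated Users"}
    if user == owner:
        who.add("SELF")
    return who

def canonical(acl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def can(user, owner, right, acl):
    """First ACE matching the user and the right decides; no match means refused."""
    who = groups_for(user, owner)
    for ace in canonical(acl):
        if ace.trustee in who and right in ace.rights:
            return ace.kind == "allow"
    return False

def broad_grants(acl):
    """Inherited allow ACEs for catch-all trustees: the entries to review at the parent."""
    broad = {"Everyone", "Anonymous Logon", "Authenticated Users"}
    return [a for a in acl if a.inherited and a.kind == "allow" and a.trustee in broad]

READ = frozenset({"read"})
FULL = frozenset({"read", "full"})
# State described in the question: grants inherited from the organisation level.
inherited = [Ace("allow", "Authenticated Users", FULL, True),
             Ace("allow", "Everyone", READ, True),
             Ace("allow", "Anonymous Logon", READ, True)]
self_ace = Ace("allow", "SELF", FULL, False)
as_found = inherited + [self_ace]
# The attempted fix: an explicit Deny for Everyone on one mailbox.
with_deny = as_found + [Ace("deny", "Everyone", READ, False)]
# Target state in this model: no catch-all trustee holds mailbox rights.
cleaned = [self_ace]
```

Because the owner is also a member of Everyone, the explicit deny is evaluated before the owner's own allow entry; removing the broad grant where it is inherited from avoids that conflict.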


Expert Comment

ID: 14584071
I have recently made a huge mistake by changing the Everyone security permissions on our live mailbox store to deny and unchecked the option to allow inheritable permissions from parent to propagate to this object. As a result of this all 150 users within the company have lost access to their email. The mailbox store is not visible now under Exchange System Manager. I can however access the first storage group permissions but tweaking the permissions on the first storage group does not seem to bring back the store in system enterprise manager. The server is running Windows 2000 and the Exchange version is Exchange 2000. I would greatly appreciate any ideas as quick as possible as my job is on the line. Thanks


Expert Comment

ID: 14595550
Hi Timmons,

Use the ADSI utility to reset the permissions under configuration container.

Expert Comment

ID: 14606259
That worked thanks ikm7176

Expert Comment

ID: 14613731
Glad that it worked for you.
