Need to turn off Inherited Permissions on Exchange Mailboxes. Users are able to open all mailboxes!

I am running SBS 2003 and using Exchange for mail. The users were set up originally with all of the usual permissions, no random security groups. It has come to my attention that the users are now able to open each other's mailboxes via Outlook. When I check the permissions in Active Directory Users, Everyone and Anonymous Logon have read rights and Domain Users have read, change, ownership and full mailbox rights. These rights are inherited from the parent object and are greyed out so that I cannot change them. The really weird thing is that when I create a new user, these 'inherited rights' don't show up, only Self with the normal rights. What is the parent object that is passing these rights down?? I have tried everything I can think of (turning off propagation from the mail store, etc.)
Please help I am desperately needing to lock this down!!
kimtealAsked:
Who is Participating?
mattridingsCommented:
Are you positive that your users have not been manually setting permissions inside of Outlook? (i.e. are you sure that *every* user has *exactly* the same permissions, as would be the case in a global change from an administrator?)

Matt Ridings
MSR Consulting
0
mattridingsCommented:
By the way, are you adept at basic scripted programming languages? I have some useful code for examining and modifying user access permissions (came from MS, I just modified it to my needs) to other mailboxes, but you'd definitely need to be skilled in Visual Basic and ADSI constructs to use it.

Most of what it does, though, can still be done through the Active Directory Users and Computers interface; you just have to do it one by one in that case.

Anyway, since you are wanting to modify rights it might be helpful to see what the rights are on an SBS 2003 installation (this is with all patches applied *except* Exchange SP2). I'd be happy to take screenshots of an existing installation for you if it would help. Email me at ***email address deleted by EE Page Editor ** since I can't post images here. But in general it's the "Domain Users" permissions in your stated list that should not exist. The Everyone and Anonymous accounts actually do have permissions on the mailbox (but very limited, through a combination of Deny/Allow rules) so those are probably OK, but it's hard to say without seeing if they've been modified.

Matt Ridings
MSR Consulting
0
mattridingsCommented:
Oh yeah, forgot to answer your question about 'where' the parent object was that they were inheriting from.

It's the mailbox store in Exchange. Go into Exchange System Manager, go to your server, go to your storage group, right-click on the mailbox store, go to 'Security' and you should see the permissions that you want to modify. If "Domain Users" is in there you can definitely delete it.

Note: Security/permissions on Exchange objects and ACLs can be very complex, and if done improperly can totally screw up a system by getting two different security mechanisms out of sync. In general, if you use Exchange System Manager and AD Users and Computers to make modifications to objects related to Exchange, you are typically OK. If you need to go deeper to the ADSI level and make modifications, just be warned that you'd better know exactly what you are doing.

Matt Ridings
MSR Consulting
0
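The ADSI script Matt mentions in his earlier post is not on the page, but the check he describes here (which broad principals hold inherited mailbox rights pushed down from the mailbox store) can be audited read-only from any domain-joined machine with PowerShell. This is an added example, not Matt's script or Microsoft's code; it reads the copy of each mailbox security descriptor that Exchange 2003 keeps in the AD attribute msExchMailboxSecurityDescriptor, and the mailbox-rights bit values in the table are assumptions from memory, so verify them against a mailbox whose rights you know.

```powershell
# Added audit example (not from the thread): report mailbox-rights ACEs granted to broad
# principals on Exchange 2003 mailboxes. Assumes PowerShell 2.0+ on a domain-joined machine
# with read access to user objects; no Exchange tools are required.

# Mailbox-rights access-mask bits as stored in msExchMailboxSecurityDescriptor (assumed values)
$MailboxRights = @{
    0x00001 = 'Full mailbox access'
    0x00002 = 'Send As'
    0x00004 = 'Associated external account'
    0x10000 = 'Delete mailbox storage'
    0x20000 = 'Read permissions'
    0x40000 = 'Change permissions'
    0x80000 = 'Take ownership'
}

# Broad principals that should not hold Allow rights on user mailboxes
$BroadPrincipals = @('Everyone', 'Domain Users', 'Authenticated Users', 'ANONYMOUS LOGON')

function Get-MailboxRightsReport {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxSecurityDescriptor=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('msExchMailboxSecurityDescriptor')

    foreach ($result in $searcher.FindAll()) {
        $sam     = [string]$result.Properties['samaccountname'][0]
        $sdBytes = [byte[]]$result.Properties['msexchmailboxsecuritydescriptor'][0]

        # Parse the raw self-relative security descriptor into individual ACEs
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($sdBytes)
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

        foreach ($rule in $rules) {
            $who  = $rule.IdentityReference.Value
            $name = $who.Split('\')[-1]
            if ($BroadPrincipals -notcontains $name) { continue }
            $mask    = [int]$rule.ActiveDirectoryRights        # raw access mask
            $granted = $MailboxRights.Keys | Where-Object { ($mask -band $_) -ne 0 } |
                       ForEach-Object { $MailboxRights[$_] }
            New-Object PSObject -Property @{
                Mailbox   = $sam
                Principal = $who
                Type      = $rule.AccessControlType   # Allow or Deny
                Inherited = $rule.IsInherited         # $true: came down from the mailbox store
                Rights    = ($granted -join ', ')
            }
        }
    }
}

# Deny entries for Everyone/ANONYMOUS LOGON are expected; only Allow entries need attention
Get-MailboxRightsReport | Where-Object { $_.Type -eq 'Allow' } |
    Format-Table Mailbox, Principal, Inherited, Rights -AutoSize
```

An Allow row for Domain Users with 'Full mailbox access' and Inherited set to True is the condition described in the question; rerun the audit after removing the entry on the store in Exchange System Manager to confirm the inherited ACEs are gone.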


mattridingsCommented:
*Sigh* - One more post...

To your point regarding why a 'new' user that you created did not have these inherited rights...

The mailbox in the Exchange store isn't actually created until that user logs in to their mailbox for the first time. So when you look at their permissions prior to that point, they don't exist because the mailbox itself doesn't exist.

If you log into email with that new account I think you'll find that all of a sudden those inherited permissions show up.

Matt Ridings
MSR Consulting
0
kimtealAuthor Commented:
Thank you sooo much Matt.
You were dead on. Domain Users was in the mail store with full rights.
THANK YOU!!
0
mattridingsCommented:
Glad to have helped
0
Question has a verified solution.