  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1477

Need to turn off Inherited Permissions on Exchange Mailboxes. Users are able to open all mailboxes!

I am running SBS 2003 and using Exchange for mail.  The users were set up originally with all of the usual permissions... no random security groups.  It has come to my attention that the users are now able to open each other's mailboxes via Outlook.  When I check the permissions in Active Directory Users, Everyone and Anonymous Logon have read rights and Domain Users have read, change, ownership and full mailbox rights.  These rights are inherited from the parent object and are greyed out so that I cannot change them.  The really weird thing is that when I create a new user, these 'inherited rights' don't show up... only SELF with the normal rights.  What is the parent object that is passing these rights down?  I have tried everything I can think of (turning off propagation from the mail store, etc.).
Please help I am desperately needing to lock this down!!
Asked by kimteal

1 Solution

mattridings commented:
Are you positive that your users have not been manually setting permissions inside of Outlook? (i.e are you sure that *every* user has *exactly* the same permissions, as would be the case in a global change from an administrator?)

Matt Ridings
MSR Consulting

mattridings commented:
By the way, are you adept at basic scripted programming languages?  I have some useful code for examining and modifying user access permissions (came from MS, I just modified it to my needs) to other mailboxes but you'd definitely need to be skilled in visual basic and adsi constructs to use it.

Most of what it does though can still be done through the active directory computers and users interface, you just have to do it one by one in that case.

Anyway, since you are wanting to modify rights it might be helpful to see what the rights are on a SBS 2003 installation (this is with all patches applied *except* Exchange SP2).  I'd be happy to take screenshots of an existing installation for you if it would help....email me at ***email address deleted by EE Page Editor ** since I can't post images here....but in general it's the "Domain Users" permissions in your stated list that should not exist.  The Everyone and Anonymous accounts actually do have permissions on the mailbox (but very limited through a combination of Deny/Allow rules) so those are probably ok but hard to say without seeing if they've been modified.

Matt Ridings
MSR Consulting

mattridings commented:
Oh yeah, forgot to answer your question about 'where' the parent object was that they were inheriting from.

It's the mailbox store in Exchange.  Go into Exchange System Manager, go to your server, go to your storage group, right click on the mailbox store, go to 'Security' and you should see the permissions that you want to modify.  If "Domain Users" is in there you can definitely delete it.

Note:  Security/Permissions on Exchange objects and ACL lists can be very complex...and if done improperly can totally screw up a system by getting two different security mechanisms out of sync.  In general if you use Exchange System Manager, and AD users and computers, to make modifications to objects related to Exchange you are typically ok.  If you need to go deeper to the ADSI level and make modifications just be warned that you'd better know exactly what you are doing.

Matt Ridings
MSR Consulting

mattridings commented:
*Sigh* - One more post...

To your point regarding why a 'new' user that you created did not have these inherited rights...

The mailbox in the Exchange Store isn't actually created until that user logs in to their mailbox for the first time.  So when you look at their permissions prior to that point, they don't exist because the mailbox itself doesn't exist.

If you log into email with that new account I think you'll find that all of a sudden those inherited permissions show up.

Matt Ridings
MSR Consulting
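The store-level fix Matt gives above (Domain Users sitting in the mailbox store's Security tab) and the first-logon behaviour he describes in the post just above can both be checked from a script rather than one user at a time in the GUI. What follows is an added example, not code from the thread and not Matt's own tool: PowerShell over plain ADSI, run from a domain-joined machine as an account with Exchange Full Administrator rights. The store DN, the EXAMPLE domain and the user DNs are placeholders, and the mapping of access-mask bits to the right names the GUI shows is my understanding of the Exchange 2000/2003 mailbox mask, so confirm it against the store's Security tab before acting on the output.

```powershell
# Added example (not from the thread): audit the Exchange 2003 mailbox store ACL that
# mailboxes inherit, remove a trustee from it, and check what individual mailboxes ended
# up with. Plain ADSI from PowerShell; needs Exchange Full Administrator rights.
# All DNs and the EXAMPLE domain below are placeholders.

# Mask bits as labelled in the store Security tab / ADUC "Mailbox Rights" dialog.
# Assumed mapping for Exchange 2000/2003 mailbox rights; confirm against ESM.
$MailboxRightBits = @(
    @{ Name = 'Full mailbox access';         Bit = 0x1 },
    @{ Name = 'Associated external account'; Bit = 0x4 },
    @{ Name = 'Delete mailbox storage';      Bit = 0x10000 },
    @{ Name = 'Read permissions';            Bit = 0x20000 },
    @{ Name = 'Change permissions';          Bit = 0x40000 },
    @{ Name = 'Take ownership';              Bit = 0x80000 },
    @{ Name = 'Full control (GENERIC_ALL)';  Bit = 0x10000000 }
)

function Expand-MailboxMask([int]$Mask) {
    # Turn a raw access mask into the right names the GUI shows.
    $names = @()
    foreach ($r in $MailboxRightBits) { if ($Mask -band $r.Bit) { $names += $r.Name } }
    if ($names.Count -eq 0) { return ('(other: 0x{0:X})' -f $Mask) }
    return ($names -join ', ')
}

function Get-StoreAcl([string]$StoreDn) {
    # The store's Security tab edits the ntSecurityDescriptor of the store object in the
    # configuration partition; read its DACL through the .NET ActiveDirectorySecurity wrapper.
    $store = [ADSI]('LDAP://' + $StoreDn)
    $rules = $store.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        New-Object PSObject -Property @{
            Trustee   = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType     # Allow / Deny
            Inherited = $rule.IsInherited           # $true = came from a parent AD container
            Rights    = Expand-MailboxMask ([int]$rule.ActiveDirectoryRights)
        }
    }
}

function Remove-StoreTrustee([string]$StoreDn, [string]$Trustee, [switch]$Commit) {
    # Remove every explicit (non-inherited) ACE for $Trustee, e.g. 'EXAMPLE\Domain Users'.
    # Inherited ACEs cannot be removed here; they have to be fixed on the parent object.
    $store = [ADSI]('LDAP://' + $StoreDn)
    $sd = $store.psbase.ObjectSecurity
    $removed = 0
    foreach ($rule in $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        if ($rule.IdentityReference.Value -eq $Trustee) {
            [void]$sd.RemoveAccessRule($rule)
            $removed++
        }
    }
    if ($Commit) { $store.psbase.CommitChanges() }
    else { Write-Host "Dry run: $removed explicit ACE(s) for $Trustee would be removed; re-run with -Commit" }
    return $removed
}

function Get-MailboxRights([string]$UserDn) {
    # "Mailbox Rights" in ADUC come from the user's msExchMailboxSecurityDescriptor. The store
    # only writes it once the mailbox physically exists (first logon or first delivered
    # message), which is why a freshly created user shows nothing but SELF. Returns $null then.
    $user = [ADSI]('LDAP://' + $UserDn)
    if (-not $user.psbase.Properties.Contains('msExchMailboxSecurityDescriptor')) { return $null }
    # Assumed: ADSI hands the attribute back as an IADsSecurityDescriptor COM object.
    $sd = $user.psbase.Properties['msExchMailboxSecurityDescriptor'].Value
    foreach ($ace in $sd.DiscretionaryAcl) {
        $type = 'Allow'
        if ($ace.AceType -eq 1 -or $ace.AceType -eq 6) { $type = 'Deny' }   # ADS_ACETYPE_ACCESS_DENIED(_OBJECT)
        New-Object PSObject -Property @{
            Trustee   = $ace.Trustee
            Type      = $type
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            Rights    = Expand-MailboxMask $ace.AccessMask
        }
    }
}

function Find-ExposedMailboxes([string]$SearchRootDn) {
    # Every mailbox whose DACL allows Full mailbox access (or full control) to anyone other than SELF.
    $root = [ADSI]('LDAP://' + $SearchRootDn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectCategory=person)(msExchMailboxSecurityDescriptor=*))'
    $searcher.PageSize = 500
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        Get-MailboxRights $dn |
            Where-Object { $_.Type -eq 'Allow' -and $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.Rights -match 'Full (mailbox access|control)' } |
            Select-Object @{ n = 'Mailbox'; e = { $dn } }, Trustee, Inherited, Rights
    }
}

# Example run (placeholder names):
$storeDn = 'CN=Mailbox Store (SBS),CN=First Storage Group,CN=InformationStore,CN=SBS,CN=Servers,' +
           'CN=first administrative group,CN=Administrative Groups,CN=First Organization,' +
           'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=local'
Get-StoreAcl $storeDn | Format-Table Trustee, Type, Inherited, Rights -AutoSize
Remove-StoreTrustee $storeDn 'EXAMPLE\Domain Users'           # dry run first
Remove-StoreTrustee $storeDn 'EXAMPLE\Domain Users' -Commit   # then really remove it
Find-ExposedMailboxes 'DC=example,DC=local' | Format-Table -AutoSize
```

Two caveats when using this. Remove-StoreTrustee only touches explicit entries on the store; if Get-StoreAcl shows the offending trustee with Inherited = True, the entry lives on a parent (administrative group or organization object) and has to be removed there, which is exactly the kind of change Matt warns about making blindly. And the store caches mailbox security, so Find-ExposedMailboxes can keep reporting the old rights for a while after the store ACL is fixed; re-run it after the cache has refreshed (or after dismounting and remounting the store) before concluding the clean-up did not take.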

kimteal (author) commented:
Thank you sooo much Matt.
You were dead on... Domain Users was in the mail store with full rights.
THANK YOU!!

mattridings commented:
Glad to have helped