djrc


Everyone can access each other Inbox through Open other user's Folder

Checked the mailbox rights properties
Delegate Tab in Outlook
Sharing options in Inbox folder
Can't see anything wrong except the Everyone Read permissions in Mailbox rights which is inherited but I read that was normal.
northcide

If everyone read permission is set on it then "everyone" will be able to read it.
djrc

ASKER

It's set the same way on another SBS 2003 Server of mine. Probably default setting.
I read somewhere it's the permission to read the permissions themselves and not the permission to read the mailbox...
The easiest way is to ask the user to delegate.
Sorry for my last wrong comment...

On an SBS server, the default permission is Everyone Read.
If everyone can access all other mailboxes then something has changed, as that is not the standard behaviour.

The usual method is service account access.
This is how it is done, so reverse is: http://support.microsoft.com/default.aspx?kbid=821897

Check for group membership granting the access, so access has been granted to Domain Users for example.

DO NOT remove permissions you don't understand. That can break Exchange. The read permission mentioned above is normal.
The only permissions that you should be looking at are those mentioned in the article above.

Simon.
djrc

ASKER

At the Domain Level in ESM, I found a permission for Everyone for Special applies to Special
Read
Execute
Read permission
List Content
Read properties
List Object

For the moment, I have resorted to explicit Deny all users individually in the mailbox rights as the matter is urgent, but would welcome a proper solution to this
None of those permissions you have shown above will give access to the mailboxes.
The only permissions that grant access to mailboxes are Full Mailbox Access, Send As/Receive As and permissions specifically set on the folders themselves through Outlook.

Simon.
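
The check suggested in the replies above (find which group membership grants Full Mailbox Access or Send As/Receive As) can be modelled as follows. This is an added example, not code from the thread or from Microsoft: all users, groups and ACEs are constructed, "Helpdesk" and "Mail Ops" are hypothetical groups, and it assumes mailbox rights are evaluated in standard Windows canonical ACE order.

```python
# Added example: every user, group and ACE below is constructed.
from collections import namedtuple
Ace = namedtuple("Ace", "trustee right allow inherited")
# The rights the thread names as the ones that actually open a mailbox.
MAILBOX_RIGHTS = ("Full Mailbox Access", "Receive As", "Send As")

MEMBERS = {  # group -> direct members; "Helpdesk" and "Mail Ops" are hypothetical
    "Domain Admins": ["alice"],
    "Domain Users": ["alice", "bob", "carol"],
    "Helpdesk": ["carol"],
    "Mail Ops": ["Helpdesk"],
}
ACES = [  # mailbox rights on one sample mailbox
    Ace("Everyone", "Read permissions", True, True),
    Ace("Domain Admins", "Full Mailbox Access", False, True),
    Ace("Domain Admins", "Receive As", False, True),
    Ace("Domain Users", "Receive As", True, True),   # stray grant to find
    Ace("Mail Ops", "Full Mailbox Access", True, False),
]

def groups_of(user, members):
    """Every group the user belongs to, following nested groups."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, m in members.items()
                    if g not in found and frontier & set(m)}
        found |= frontier
    return found

def deciding_ace(user, right, aces, members):
    """First matching ACE in canonical order (explicit deny, explicit allow,
    inherited deny, inherited allow), or None: no matching ACE, no access."""
    who = groups_of(user, members) | {user, "Everyone"}
    for ace in sorted(aces, key=lambda a: (a.inherited, a.allow)):
        if ace.right == right and ace.trustee in who:
            return ace
    return None

def audit(users, aces, members):
    """Map (user, right) -> trustee whose allow ACE grants that right."""
    granted = {}
    for user in users:
        for right in MAILBOX_RIGHTS:
            ace = deciding_ace(user, right, aces, members)
            if ace is not None and ace.allow:
                granted[(user, right)] = ace.trustee
    return granted

if __name__ == "__main__":
    print(audit(["alice", "bob", "carol"], ACES, MEMBERS))
```

In this model the Everyone "Read permissions" entry grants nothing, and taking alice out of Domain Admins removes only the deny, so she would then pick up Receive As through Domain Users.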
djrc

ASKER

The only users/group that have Full Mailbox access are :

User - Administrator
Group - Domain Admins (inherited also has Deny ticked)
Group - Enterprise Admins (inherited also has Deny ticked)
Group - Exchange Domain Server (inherited also has Deny ticked)
User - Proliant$ (server name inherited)
Group - Public admin Folders (inherited also has Deny ticked)
Self (Group)

There were some users in the Domain Admins group but even after removing them they still had access to the mailbox.
In the Group - Enterprise Admins there is only Administrator
In the Group - Exchange Domain Server there is only the server
In the Group - Public admin Folders there are two users which are given the right to see the folder through the Inbox sharing property.

So I can't see from where users that do not appear anywhere here still have access.
If you have removed the permissions it can take two hours before that permission change becomes effective.

Did you check for Send As/Receive As permission as well?

Simon.
djrc

ASKER

Is there a way to force the changes ?
Where can I find the Send As/Receive As permission?
ASKER CERTIFIED SOLUTION
Sembee
djrc

ASKER

Thanks for your help - I found the permission Send As and Received  
In method 1. ESM - Security tab of the Database properties there is no additional group or user that
However is Method 2 using AD console or ESM ? I can only find View - Advanced features in AD. But then no security tab.
I will make a test this morning to see if the users removed from the Domain Admins group can still see other people's Inbox. If they cannot anymore then we can conclude it was down to the 2 hour delay in propagating the permission change.