Wide Open Permissions

Posted on 2007-12-06
Medium Priority
Last Modified: 2010-03-06
I am running Exchange 2003 Standard (Version 6.5: Build 7638.2: Service Pack 2) on the PDC (Mixed Mode) and the clients are all accessing it via Outlook 2003 Clients.

By default, everyone is able to "Open A Shared Calendar" when in the Calendars tab and "Open Other User's Folder" when in the Mail tab and for the life of me I can't find the configuration to stop this.  This should NOT be the default, I know.

NO-ONE has configured a delegate and the Permissions on everyone's folders are specified as "Name: Default" and "Permission Level:  none".

I'd like the default to be that no-one has access to any others' mailboxes or calendars unless they are specified in Tools --> Options --> Delegates as being allowed, which I would assume is the way it SHOULD be working.

Any help would be appreciated, and I'll try to provide as much further information needed to diagnose the problem.

Question by:everettwolf
Accepted Solution

Sembee earned 1000 total points
ID: 20424569
That is probably set at the mailbox level.
Look at the user permissions for any accounts/groups that have Full Mailbox or Send as/Receive As permissions, particularly inherited access.  Do NOT try and remove permissions unless you are really sure, and the permissions I have mentioned are the only ones to worry about - ignore Read and other similar type permissions.


Author Comment

ID: 20454228
It turned out that a group account called EXCHANGE_RECOVERY was in existence (don't know why) which was listed as having full Mailbox Access to everyone's mailboxes.  "Domain Users" was listed as a member of the EXCHANGE_RECOVERY group, again I don't know why.  I removed Domain Users from the EXCHANGE_RECOVERY group and that fixed the problem.  I kept the EXCHANGE_RECOVERY group and left it as having access to people's mailboxes because I don't know what would happen if I deleted it.

Any further ideas on this EXCHANGE_RECOVERY group? I'll wait a day then award the question to Sembee (I don't know whether awarding points closes the thread)
Expert Comment

ID: 20456252
That isn't a standard group. Therefore it was created by someone - possibly for use of Exmerge or recovery of data.
If you don't need it then remove it. Remove the group from the user accounts first, before you remove the group itself.
Another option would be to leave the group alone and just remove all members. It might be useful in the future.


Author Comment

ID: 20458372
I suspect it's something that was created by Veritas, the backup solution we use.  I've done a few restores on portions of people's mailboxes.  The Veritas service has full mailbox access, but maybe when you do a restore, it creates this group and uses its credentials to get at the mailboxes.  Why it would grant full mailbox access and put Domain Users in the group is a mystery though.  But this is what I'm going to look into.

Thanks Simon

Author Comment

ID: 20458443
Found this on-line at http://support.microsoft.com/kb/262054.  Someone must've used this advice and mistakenly opened up Exchange to all the Domain users.  I suspect someone did this so everyone could share calendars without having to specify delegates, not realizing that it also opened up email for everyone to read as well.  I will fire him. :o)
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. Unlike Exchange Server 5.5, all Exchange 2000 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.

This default restriction can be overridden in several ways, but again, doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.

Method One
If you are NOT the Administrator, or a member of the Domain Admins or Enterprise Admins groups, then you can add your account to the Exchange Services or Exchange Domain Servers groups, and you will be allowed full access to all mailboxes on servers in the domain.

Note The Exchange Services group may not exist if you have never deployed the Active Directory Connector in your organization.

Method Two
To grant your administrative account access through Exchange System Manager to all the mailboxes that are in a single database (regardless of inherited explicit denials), follow these steps:

1. Create an appropriately-scoped security group in the Microsoft Active Directory directory service. For example, create a global security group that is named EXCHANGE_RECOVERY.
2. Add the group or the user account (or user accounts) that you want to use for general mailbox access to this security group. You must log off and then log back on before your membership in this group takes effect.
3. In Exchange System Manager, grant this security group permissions on the database or server object that contains the mailboxes that you want to access. If the purpose of granting such access is to permit use of the ExMerge utility, grant Receive As permissions. You can also grant Full Control permissions if you want complete access.

After you change these permissions, it may take some time before they take effect. Previous permissions might be cached by the local Exchange server for up to 15 minutes. You can stop and then start the Information Store service to clear local caching. You can also stop and then start all Exchange services to clear local caching. If there are multiple domain controllers in your Active Directory forest, domain replication latency might also extend the time that it takes for the permission changes to take effect. Therefore, when you design recovery procedures, it is a good idea to make the permission changes that are required as early as possible in your process.
