Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Wide Open Permissions

Posted on 2007-12-06
Medium Priority
Last Modified: 2010-03-06
I am running Exchange 2003 Standard (Version 6.5: Build 7638.2: Service Pack 2) on the PDC (Mixed Mode) and the clients are all accessing it via Outlook 2003 Clients.

By default, everyone is able to "Open A Shared Calendar" when in the Calendars tab and "Open Other User's Folder" when in the Mail tab and for the life of me I can't find the configuration to stop this.  This should NOT be the default, I know.

NO-ONE has configured a delegate and the Permissions on everyone's folders arespecified as "Name: Default" and "Permission Level:  none".

I'd like the default to be that no-one has access to any others' mailboxes or calendars unless they are specified in Tools --> Options --> Delegates as being allowed, which I would assume is the way it SHOULD be working.

Any help would be appreciated, and I'll try to provide as much further information needed to diagnose the problem.

Question by:everettwolf
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 104

Accepted Solution

Sembee earned 1000 total points
ID: 20424569
That is probably set at the mailbox level.
Look at the user permissions for any accounts/groups that have Full Mailbox or Send as/Receive As permissions, particularly inherited access.  Do NOT try and remove permissions unless you are really sure, and the permissions I have mentioned are the only ones to worry about - ignore Read and other similar type permissions.


Author Comment

ID: 20454228
It turned out that a group account called EXCHANGE_RECOVERY was in existence (don't know why) which was listed as having full Mailbox Access to everyone's mailboxes.  "Domain Users" was listed as a member of the EXCHANGE_RECOVERY group, again I don't know why.  I removed Domain Users from the EXCHANGE_RECOVERY group and that fixed the problem.  I kept the EXCHANGE_RECOVERY group and left it as having access to people's mailboxes because I don't know what would happen if I deleted it.

Any further ideas on this EXCHANGE_RECOVERY group? I'll wait a day then award the question to Sembee (I don't know whether awarding points closes the thread)
LVL 104

Expert Comment

ID: 20456252
That isn't a standard group. Therefore it was created by someone - possibly for use of Exmerge or recovery of data.
If you don't need it then remove it. Remove the group from the user accounts first, before you remove the group itself.
Another option would be to leave the group alone and just remove all members. It might be useful in the future.


Author Comment

ID: 20458372
I suspect it's something that was created by Veritas, the backup solution we use.  I've done a few restores on portions of people's mailboxes.  The Veritas service has full mailbox access, but maybe when you do a restore, it creates this group and uses its credentials to get at the mailboxes.  Why it would grant full mailbox access and put Domain Users in the group is a mystery though.  But this is what I'm going to look into.

Thanks Simon

Author Comment

ID: 20458443
Found this on-line at http://support.microsoft.com/kb/262054.  Someone must've used this advice and mistakenly opened up Exchange to all the Domain users.  I suspect someone did this so everyone could share calendars without having to specify delegates, not realizing that it also opened up email for everyone to read as well.  I will fire him. :o)
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. Unlike Exchange Server 5.5, all Exchange 2000 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.

This default restriction can be overridden in several ways, but again, doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.
Back to the top

Method One
If you are NOT the Administrator, or a member of the Domain Admins or Enterprise Admins groups, then you can add your account to the Exchange Services or Exchange Domain Servers groups, and you will be allowed full access to all mailboxes on servers in the domain.

Note The Exchange Services group may not exist if you have never deployed the Active Directory Connector in your organization.
Back to the top

Method Two
To grant your administrative account access through Exchange System Manager to all the mailboxes that are in a single database (regardless of inherited explicit denials), follow these steps: 1. Create an appropriately-scoped security group in the Microsoft Active Directory directory service. For example, create a global security group that is named EXCHANGE_RECOVERY.  
2. Add the group or the user account (or user accounts) that you want to use for general mailbox access to this security group. You must log off and then log back on before your membership in this group takes effect.  
3. In Exchange System Manager, grant this security group permissions on the database or server object that contains the mailboxes that you want to access. If the purpose of granting such access is to permit use of the ExMerge utility, grant Receive As permissions. You can also grant Full Control permissions if you want complete access.  
After you change these permissions, it may take some time before they take effect. Previous permissions might be cached by the local Exchange server for up to 15 minutes. You can stop and then start the Information Store service to clear local caching. You can also stop and then start all Exchange services to clear local caching. If there are multiple domain controllers in your Active Directory forest, domain replication latency might also extend the time that it takes for the permission changes to take effect. Therefore, when you design recovery procedures, it is a good idea to make the permission changes that are required as early as possible in your process.

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
This video discusses moving either the default database or any database to a new volume.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question