Solved

Wide Open Permissions

Posted on 2007-12-06
5
234 Views
Last Modified: 2010-03-06
I am running Exchange 2003 Standard (Version 6.5: Build 7638.2: Service Pack 2) on the PDC (Mixed Mode) and the clients are all accessing it via Outlook 2003 Clients.

By default, everyone is able to "Open A Shared Calendar" when in the Calendars tab and "Open Other User's Folder" when in the Mail tab and for the life of me I can't find the configuration to stop this.  This should NOT be the default, I know.

NO-ONE has configured a delegate and the Permissions on everyone's folders arespecified as "Name: Default" and "Permission Level:  none".

I'd like the default to be that no-one has access to any others' mailboxes or calendars unless they are specified in Tools --> Options --> Delegates as being allowed, which I would assume is the way it SHOULD be working.

Any help would be appreciated, and I'll try to provide as much further information needed to diagnose the problem.

Thanks
0
Comment
Question by:everettwolf
  • 3
  • 2
5 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
Comment Utility
That is probably set at the mailbox level.
Look at the user permissions for any accounts/groups that have Full Mailbox or Send as/Receive As permissions, particularly inherited access.  Do NOT try and remove permissions unless you are really sure, and the permissions I have mentioned are the only ones to worry about - ignore Read and other similar type permissions.

Simon.
0
 

Author Comment

by:everettwolf
Comment Utility
It turned out that a group account called EXCHANGE_RECOVERY was in existence (don't know why) which was listed as having full Mailbox Access to everyone's mailboxes.  "Domain Users" was listed as a member of the EXCHANGE_RECOVERY group, again I don't know why.  I removed Domain Users from the EXCHANGE_RECOVERY group and that fixed the problem.  I kept the EXCHANGE_RECOVERY group and left it as having access to people's mailboxes because I don't know what would happen if I deleted it.

Any further ideas on this EXCHANGE_RECOVERY group? I'll wait a day then award the question to Sembee (I don't know whether awarding points closes the thread)
0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
That isn't a standard group. Therefore it was created by someone - possibly for use of Exmerge or recovery of data.
If you don't need it then remove it. Remove the group from the user accounts first, before you remove the group itself.
Another option would be to leave the group alone and just remove all members. It might be useful in the future.

Simon.
0
 

Author Comment

by:everettwolf
Comment Utility
I suspect it's something that was created by Veritas, the backup solution we use.  I've done a few restores on portions of people's mailboxes.  The Veritas service has full mailbox access, but maybe when you do a restore, it creates this group and uses its credentials to get at the mailboxes.  Why it would grant full mailbox access and put Domain Users in the group is a mystery though.  But this is what I'm going to look into.

Thanks Simon
0
 

Author Comment

by:everettwolf
Comment Utility
Found this on-line at http://support.microsoft.com/kb/262054.  Someone must've used this advice and mistakenly opened up Exchange to all the Domain users.  I suspect someone did this so everyone could share calendars without having to specify delegates, not realizing that it also opened up email for everyone to read as well.  I will fire him. :o)
******
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. Unlike Exchange Server 5.5, all Exchange 2000 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.

This default restriction can be overridden in several ways, but again, doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.
Back to the top

Method One
If you are NOT the Administrator, or a member of the Domain Admins or Enterprise Admins groups, then you can add your account to the Exchange Services or Exchange Domain Servers groups, and you will be allowed full access to all mailboxes on servers in the domain.

Note The Exchange Services group may not exist if you have never deployed the Active Directory Connector in your organization.
Back to the top

Method Two
To grant your administrative account access through Exchange System Manager to all the mailboxes that are in a single database (regardless of inherited explicit denials), follow these steps: 1. Create an appropriately-scoped security group in the Microsoft Active Directory directory service. For example, create a global security group that is named EXCHANGE_RECOVERY.  
2. Add the group or the user account (or user accounts) that you want to use for general mailbox access to this security group. You must log off and then log back on before your membership in this group takes effect.  
3. In Exchange System Manager, grant this security group permissions on the database or server object that contains the mailboxes that you want to access. If the purpose of granting such access is to permit use of the ExMerge utility, grant Receive As permissions. You can also grant Full Control permissions if you want complete access.  
After you change these permissions, it may take some time before they take effect. Previous permissions might be cached by the local Exchange server for up to 15 minutes. You can stop and then start the Information Store service to clear local caching. You can also stop and then start all Exchange services to clear local caching. If there are multiple domain controllers in your Active Directory forest, domain replication latency might also extend the time that it takes for the permission changes to take effect. Therefore, when you design recovery procedures, it is a good idea to make the permission changes that are required as early as possible in your process.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Easy CSR creation in Exchange 2007,2010 and 2013
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now