everettwolf
asked on
Wide Open Permissions
I am running Exchange 2003 Standard (Version 6.5: Build 7638.2: Service Pack 2) on the PDC (Mixed Mode) and the clients are all accessing it via Outlook 2003 Clients.
By default, everyone is able to "Open A Shared Calendar" when in the Calendars tab and "Open Other User's Folder" when in the Mail tab and for the life of me I can't find the configuration to stop this. This should NOT be the default, I know.
NO-ONE has configured a delegate and the Permissions on everyone's folders arespecified as "Name: Default" and "Permission Level: none".
I'd like the default to be that no-one has access to any others' mailboxes or calendars unless they are specified in Tools --> Options --> Delegates as being allowed, which I would assume is the way it SHOULD be working.
Any help would be appreciated, and I'll try to provide as much further information needed to diagnose the problem.
Thanks
By default, everyone is able to "Open A Shared Calendar" when in the Calendars tab and "Open Other User's Folder" when in the Mail tab and for the life of me I can't find the configuration to stop this. This should NOT be the default, I know.
NO-ONE has configured a delegate and the Permissions on everyone's folders arespecified as "Name: Default" and "Permission Level: none".
I'd like the default to be that no-one has access to any others' mailboxes or calendars unless they are specified in Tools --> Options --> Delegates as being allowed, which I would assume is the way it SHOULD be working.
Any help would be appreciated, and I'll try to provide as much further information needed to diagnose the problem.
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
That isn't a standard group. Therefore it was created by someone - possibly for use of Exmerge or recovery of data.
If you don't need it then remove it. Remove the group from the user accounts first, before you remove the group itself.
Another option would be to leave the group alone and just remove all members. It might be useful in the future.
Simon.
If you don't need it then remove it. Remove the group from the user accounts first, before you remove the group itself.
Another option would be to leave the group alone and just remove all members. It might be useful in the future.
Simon.
ASKER
I suspect it's something that was created by Veritas, the backup solution we use. I've done a few restores on portions of people's mailboxes. The Veritas service has full mailbox access, but maybe when you do a restore, it creates this group and uses its credentials to get at the mailboxes. Why it would grant full mailbox access and put Domain Users in the group is a mystery though. But this is what I'm going to look into.
Thanks Simon
Thanks Simon
ASKER
Found this on-line at http://support.microsoft.com/kb/262054. Someone must've used this advice and mistakenly opened up Exchange to all the Domain users. I suspect someone did this so everyone could share calendars without having to specify delegates, not realizing that it also opened up email for everyone to read as well. I will fire him. :o)
******
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. Unlike Exchange Server 5.5, all Exchange 2000 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.
This default restriction can be overridden in several ways, but again, doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.
Back to the top
Method One
If you are NOT the Administrator, or a member of the Domain Admins or Enterprise Admins groups, then you can add your account to the Exchange Services or Exchange Domain Servers groups, and you will be allowed full access to all mailboxes on servers in the domain.
Note The Exchange Services group may not exist if you have never deployed the Active Directory Connector in your organization.
Back to the top
Method Two
To grant your administrative account access through Exchange System Manager to all the mailboxes that are in a single database (regardless of inherited explicit denials), follow these steps: 1. Create an appropriately-scoped security group in the Microsoft Active Directory directory service. For example, create a global security group that is named EXCHANGE_RECOVERY.
2. Add the group or the user account (or user accounts) that you want to use for general mailbox access to this security group. You must log off and then log back on before your membership in this group takes effect.
3. In Exchange System Manager, grant this security group permissions on the database or server object that contains the mailboxes that you want to access. If the purpose of granting such access is to permit use of the ExMerge utility, grant Receive As permissions. You can also grant Full Control permissions if you want complete access.
After you change these permissions, it may take some time before they take effect. Previous permissions might be cached by the local Exchange server for up to 15 minutes. You can stop and then start the Information Store service to clear local caching. You can also stop and then start all Exchange services to clear local caching. If there are multiple domain controllers in your Active Directory forest, domain replication latency might also extend the time that it takes for the permission changes to take effect. Therefore, when you design recovery procedures, it is a good idea to make the permission changes that are required as early as possible in your process.
******
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. Unlike Exchange Server 5.5, all Exchange 2000 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.
This default restriction can be overridden in several ways, but again, doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.
Back to the top
Method One
If you are NOT the Administrator, or a member of the Domain Admins or Enterprise Admins groups, then you can add your account to the Exchange Services or Exchange Domain Servers groups, and you will be allowed full access to all mailboxes on servers in the domain.
Note The Exchange Services group may not exist if you have never deployed the Active Directory Connector in your organization.
Back to the top
Method Two
To grant your administrative account access through Exchange System Manager to all the mailboxes that are in a single database (regardless of inherited explicit denials), follow these steps: 1. Create an appropriately-scoped security group in the Microsoft Active Directory directory service. For example, create a global security group that is named EXCHANGE_RECOVERY.
2. Add the group or the user account (or user accounts) that you want to use for general mailbox access to this security group. You must log off and then log back on before your membership in this group takes effect.
3. In Exchange System Manager, grant this security group permissions on the database or server object that contains the mailboxes that you want to access. If the purpose of granting such access is to permit use of the ExMerge utility, grant Receive As permissions. You can also grant Full Control permissions if you want complete access.
After you change these permissions, it may take some time before they take effect. Previous permissions might be cached by the local Exchange server for up to 15 minutes. You can stop and then start the Information Store service to clear local caching. You can also stop and then start all Exchange services to clear local caching. If there are multiple domain controllers in your Active Directory forest, domain replication latency might also extend the time that it takes for the permission changes to take effect. Therefore, when you design recovery procedures, it is a good idea to make the permission changes that are required as early as possible in your process.
ASKER
Any further ideas on this EXCHANGE_RECOVERY group? I'll wait a day then award the question to Sembee (I don't know whether awarding points closes the thread)