thedrizel
asked on
I cannot stop unwanted inbox sharing
I have a customer with a SBS2003 system hosting their own mail on Exchange. Recently we have found that we cannot turn off the sharing of their inbox. The default permissions in Outlook 2003 are set to none and I believe everything is set up properly under the Exchange Advanced tab. I have deny read permissions set for all users but only a handful of users are non-accessible. All users are members of the same groups and nothing special. If I deny full mailbox access to the everyone group, no one is able to log into the domain and I'm just not knowledgeable of all of the "rights". Can someone please get me out of this? I am afraid I am going to lose this customer.
Sorry, that --should-- be all you need to do as far as I know.
Go to Active Directory Users and Computers -> Select the user in question and open their properties. Select the Exchange Advanced tab and ensure the group SELF has read permissions AND Full Mailbox Access. This should get their own access working, but prevent others (unless they have administrator equivalence).
Hope that helps.
ASKER
Thank you all but unfortunately that is not yet the answer. I have 15 users on this network and all users access to self have full mailbox access but the problem still exists. Only myself and the owner of the company have Administrator rights and I know he doesn't know anything about this. I am their IT guy and I seem to be failing on this one pretty badly.
ASKER
I've even added each user individually full mailbox rights hoping that would help with this issue.
could it be a policy setting??
try moving 2 users out of the OU into a completely different (new) one... and see if the policies are affecting the Outlook security...
When you create a new user, is this still the case?
ASKER
Yes, it still seems to be the case as far as I can remember. I will be on site tomorrow morning to verify. I've never seen anything like this and cannot find an answer with over a week of researching. I'm sure it is something simple but very frustrating. This is a law firm and security is very important.
This is a small network and only an SBS2003 server with no special policies.
How are they able to view each others email? Open --> other users folder??
There are a lot of security settings there by default, how about listing all of them here in a table so we can see the effects. It may not be individual permissions that are the cause, it may be a combined effect of many rights...
For instance, if everyone has full access, no security exists...
Self permissions is the default, you should be included.
ASKER
I wouldn't know how to list the security settings. That would be helpful if I did know. I have the "everyone" group set to deny read permissions.
Actually found a much better solution
ADModifycmd
http://msexchangeteam.com/archive/2004/08/04/208045.aspx
ASKER
Man, I feel like such a dummy. I can't even get the ADmodify to install. It tells me I need a different version of .NET Framework and to contact the publisher. Arrggggg
ASKER
Here is a DUMP. Can anyone help?
<MailboxRights>
  <user UserDN="LDAP://CN=Brian ,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=WalshBailey,DC=local">
    <Inherited>
      <Entry Trustee="WALSHBAILEY\Domain Users" Mask="ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
      <Entry Trustee="WALSHBAILEY\Domain Users" Mask="ACE_MB_FULL_ACCESS|Allowed" />
      <Entry Trustee="NT AUTHORITY\ANONYMOUS LOGON" Mask="ACE_MB_FULL_ACCESS|Denied ACE_MB_DELETE_MB_STORAGE|Denied ACE_MB_READ_PERMISSIONS|Denied ACE_MB_CHANGE_PERMISSION|Denied ACE_MB_TAKE_OWNERSHIP|Denied" />
      <Entry Trustee="WALSHBAILEY\WALSHSERVER$" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
      <Entry Trustee="WALSHBAILEY\Exchange Domain Servers" Mask="ACE_MB_FULL_ACCESS|Denied" />
      <Entry Trustee="WALSHBAILEY\Domain Admins" Mask="ACE_MB_FULL_ACCESS|Denied" />
      <Entry Trustee="WALSHBAILEY\Enterprise Admins" Mask="ACE_MB_FULL_ACCESS|Denied" />
      <Entry Trustee="WALSHBAILEY\Administrator" Mask="ACE_MB_FULL_ACCESS|Denied" />
      <Entry Trustee="WALSHBAILEY\Exchange Domain Servers" Mask="ACE_MB_FULL_ACCESS|Allowed" />
      <Entry Trustee="Everyone" Mask="ACE_MB_READ_PERMISSIONS|Allowed" />
      <Entry Trustee="NT AUTHORITY\ANONYMOUS LOGON" Mask="ACE_MB_READ_PERMISSIONS|Allowed" />
      <Entry Trustee="WALSHBAILEY\Exchange Domain Servers" Mask="ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
      <Entry Trustee="WALSHBAILEY\Administrator" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
      <Entry Trustee="WALSHBAILEY\SBS Mail Operators" Mask="ACE_MB_READ_PERMISSIONS|Allowed" />
      <Entry Trustee="WALSHBAILEY\Enterprise Admins" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
      <Entry Trustee="WALSHBAILEY\Domain Admins" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
    </Inherited>
    <NotInherited>
      <Entry Trustee="Everyone" Mask="ACE_MB_READ_PERMISSIONS|Denied" />
      <Entry Trustee="NT AUTHORITY\SELF" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed" />
    </NotInherited>
  </user>
</MailboxRights>
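Added example, not part of any post in this thread: one way to read a dump like the one above is to list, per mailbox, every trustee that ends up with ACE_MB_FULL_ACCESS allowed and mark the ones that cover all accounts. SAMPLE is a constructed, cut-down copy of the posted dump; the BROAD list and the rule that a deny for the same trustee cancels its allow are simplifying assumptions of this sketch, not the full ACL evaluation order.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down copy of the dump posted above.
SAMPLE = r"""<MailboxRights>
 <user UserDN="LDAP://CN=Brian ,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=WalshBailey,DC=local">
  <Inherited>
   <Entry Trustee="WALSHBAILEY\Domain Users" Mask="ACE_MB_FULL_ACCESS|Allowed" />
   <Entry Trustee="WALSHBAILEY\Domain Admins" Mask="ACE_MB_FULL_ACCESS|Denied" />
   <Entry Trustee="WALSHBAILEY\Domain Admins" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed" />
   <Entry Trustee="Everyone" Mask="ACE_MB_READ_PERMISSIONS|Allowed" />
  </Inherited>
  <NotInherited>
   <Entry Trustee="Everyone" Mask="ACE_MB_READ_PERMISSIONS|Denied" />
   <Entry Trustee="NT AUTHORITY\SELF" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed" />
  </NotInherited>
 </user>
</MailboxRights>"""

# Assumption: trustees that cover every account; extend for your domain.
BROAD = ("Everyone", "Domain Users", "Authenticated Users")

def full_access_grants(xml_text):
    """Return {UserDN: [(trustee, scope, is_broad), ...]} for full-access allows."""
    findings = {}
    for user in ET.fromstring(xml_text).iter("user"):
        allowed, denied = {}, set()
        for scope in ("Inherited", "NotInherited"):
            for entry in user.findall(f"{scope}/Entry"):
                trustee = entry.get("Trustee")
                # A Mask holds space-separated RIGHT|Allowed or RIGHT|Denied items.
                for right in entry.get("Mask", "").split():
                    name, _, verdict = right.partition("|")
                    if name != "ACE_MB_FULL_ACCESS":
                        continue
                    if verdict == "Denied":
                        denied.add(trustee)
                    elif verdict == "Allowed":
                        allowed.setdefault(trustee, scope)
        # Simplification: a deny for the same trustee cancels its allow.
        findings[user.get("UserDN")] = [
            (t, s, t.split("\\")[-1] in BROAD)
            for t, s in allowed.items() if t not in denied
        ]
    return findings

if __name__ == "__main__":
    for dn, grants in full_access_grants(SAMPLE).items():
        print(dn)
        for trustee, scope, broad in grants:
            print(f"  {'BROAD' if broad else 'ok   '} {trustee} ({scope})")
```

On this sample the only broad trustee reported is Domain Users, through an inherited entry, while the explicit Everyone deny covers ACE_MB_READ_PERMISSIONS only and does not touch ACE_MB_FULL_ACCESS.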