I cannot stop unwanted inbox sharing

I have a customer with a SBS2003 system hosting their own mail on Exchange.  Recently we have found that we cannot turn off the sharing of their inbox.  The default permissions in Outlook 2003 is set to none and I believe everything is setup properly under the Exchange Advanced tab.  I have deny read permissions set for all users but only a handful of users are non-accessable.  All users are members of the same groups and nothing special.  If I deny full mailbox access to the everyone group, no one is able to log into the domain and I'm just not knowledgeable of all of the "rights".  Can someone please get me out of this?  I am afraid I am going to lose this customer.
thedrizelAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sysreq2000Commented:
I believe you should have a user called "Self". Give "full mailbox access" only to Self and Admins if desired.

The --should-- be all you need to do as far as I know.
0
sysreq2000Commented:
Sorry, that --should-- be all you need to do as far as I know.
0
debuggerauCommented:
Goto Active Directory Users and Computers -> Select the user in question and open their properties. Select the Exchange Advanced tab and ensure the group SELF has read permissions AND Full Mailbox Access. This should get their own access working, but prevent others (unless they have administrator equivilance)
Hope that helps.
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

thedrizelAuthor Commented:
Thank you all but unfortunately that is not yet the answer.  I have 15 users on this network and all users access to self have full mailbox access but the problem still exists.  Only myself and the owner of the company have Administrator rights and I know he doesn't know anything about this.  I am their IT guy and I seem to be failing on this one pretty badly.

0
thedrizelAuthor Commented:
I've even added each user indivdually full mailbox rights hoping that would help with this issue.
0
dekkarCommented:
could it be a policy setting??

try moving 2 users out of the OU into a complete different (new) one... and see if the policy's are affecting the outlook security...

When you create a new user, is this still the case?
0
thedrizelAuthor Commented:
Yes, it still seems to be the case as far as I can remember.  I will be on site tomorrow morning to verify.  I've never seen anything like this and cannot find an answer with over a week of researching.  I'm sure it is something simple but very frustrating.  This is a law firm and security is very important.

This is a small network and only an SBS2003 server with no special policies.
0
dekkarCommented:
How are they able to view each others email? Open --> other users folder??


0
debuggerauCommented:
There are a lot of security settings there by default, how about listing all of them here in a table so we can see the effects. It may not be individual permissions that are the cause, it may be a combined effect of many rights...
For instance, if everyone has full access, no security exists...
Self permissions is the default, you should be included.
0
thedrizelAuthor Commented:
I wouldn't know how to list the security settings.  That would be helpful if I did know.  I have the "everyone" group set to deny read permissions.
0
debuggerauCommented:
Actually found a much better solution
ADModifycmd
ttp://msexchangeteam.com/archive/2004/08/04/208045.aspx
0
thedrizelAuthor Commented:
Man, I feel like such a dummy.  I can't even get the ADmodify to install.  It tells me I need a different version of .NET Framework and to contact the publisher.  Arrggggg
0
thedrizelAuthor Commented:
Here is a DUMP.  Can anyone help?


MailboxRights>
- <user UserDN="LDAP://CN=Brian ,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=WalshBailey,DC=local">
- <Inherited>
  <Entry Trustee="WALSHBAILEY\Domain Users" Mask="ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
  <Entry Trustee="WALSHBAILEY\Domain Users" Mask="ACE_MB_FULL_ACCESS|Allowed" />
  <Entry Trustee="NT AUTHORITY\ANONYMOUS LOGON" Mask="ACE_MB_FULL_ACCESS|Denied ACE_MB_DELETE_MB_STORAGE|Denied ACE_MB_READ_PERMISSIONS|Denied ACE_MB_CHANGE_PERMISSION|Denied ACE_MB_TAKE_OWNERSHIP|Denied" />
  <Entry Trustee="WALSHBAILEY\WALSHSERVER$" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
  <Entry Trustee="WALSHBAILEY\Exchange Domain Servers" Mask="ACE_MB_FULL_ACCESS|Denied" />
  <Entry Trustee="WALSHBAILEY\Domain Admins" Mask="ACE_MB_FULL_ACCESS|Denied" />
  <Entry Trustee="WALSHBAILEY\Enterprise Admins" Mask="ACE_MB_FULL_ACCESS|Denied" />
  <Entry Trustee="WALSHBAILEY\Administrator" Mask="ACE_MB_FULL_ACCESS|Denied" />
  <Entry Trustee="WALSHBAILEY\Exchange Domain Servers" Mask="ACE_MB_FULL_ACCESS|Allowed" />
  <Entry Trustee="Everyone" Mask="ACE_MB_READ_PERMISSIONS|Allowed" />
  <Entry Trustee="NT AUTHORITY\ANONYMOUS LOGON" Mask="ACE_MB_READ_PERMISSIONS|Allowed" />
  <Entry Trustee="WALSHBAILEY\Exchange Domain Servers" Mask="ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
  <Entry Trustee="WALSHBAILEY\Administrator" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
  <Entry Trustee="WALSHBAILEY\SBS Mail Operators" Mask="ACE_MB_READ_PERMISSIONS|Allowed" />
  <Entry Trustee="WALSHBAILEY\Enterprise Admins" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
  <Entry Trustee="WALSHBAILEY\Domain Admins" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed" />
  </Inherited>
- <NotInherited>
  <Entry Trustee="Everyone" Mask="ACE_MB_READ_PERMISSIONS|Denied" />
  <Entry Trustee="NT AUTHORITY\SELF" Mask="ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed" />
  </NotInherited>
  </user>
  </MailboxRights>
0
thedrizelAuthor Commented:
I created a group and added only the 2 most important users to it thus not allowing anyone else to see their stuff.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Servers

From novice to tech pro — start learning today.