Solved

Exchange Server Security

Posted on 2009-04-13
5
267 Views
Last Modified: 2012-05-06
Windows 2003 Server with Exchange 2003.
All mail boxes have been migrated from an old server same OS.
Exchange SP2
Some users mail boxes are available to everyone. They simply have to go to File-Open-Other users folder- Browse to username and it opens.
Not every mail box will open, but there is not a difference in the permissions on the users account or mail file on those that will open and those that won't.

We already edited the registry to show all security on the Exchange System manager, and the permissions are the same as a correctly operating Exchange Server that we compared.


0
Comment
Question by:DrPing
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 65

Expert Comment

by:Mestha
ID: 24134011
There are only two sets of permissions that grant that access - full mailbox and Send As/Receive As. You need to look at what groups and users have those permissions, possibly inherited, to see how the permission is being set. Then look at the membership of the group.

Do not make the mistake of thinking that "Full Control" is the permission you need to change, it is not. That is full control over the object (ie the user account in AD) not the content (the mailbox in Exchange).

Simon.
0
 

Author Comment

by:DrPing
ID: 24135898
Just so I understand correctly...
There are two sets of permissions. One is applied to the mailbox in System Manager, and has inherited permission all the way down from the Exchange group. (Store-Server-Administrative Group- Exchange Group) All of the permissions set here will be global for everyone in the store.

The other is set in Active Directory under the individual user account, and this controls permission on an individual level? (who else can access a mailbox, send on behalf etc)

If I understand correctly, them my problem has to be in the Active Directory Permissions.... because only 2 users are affected. (anyone can open their Inbox)

However the permissions listed for the problem users, exactly match the permissions on the other users mail boxes. Have compared the users listed. (administrator- domain administrator-Exchange administrator- Self etc)... and have even compared the effective permissions to be the same.

0
 

Author Comment

by:DrPing
ID: 24135911
Additionally, I have created a new user by copying the problem users account. The new user is a member of the same groups etc.

However the newly created users mailbox works correctly.
0
 

Author Comment

by:DrPing
ID: 24136089
Another bit of info I just found out....

Even if I set the Active Directory permissions on the problem mailbox to Deny-Everyone....

The permissions are ignored and anyone can open the users folders.

All DC's show to replicate OK..

Thinking about just deleting and recreating the users account.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24137283
What permissions are you changing? It isn't clear.
The only two permissions on accounts that give access to the mailbox are the ones that I have outlined above. You need to see what groups and accounts have those permissions.

Furthermore, due to the way that Exchange caches permissions, a change in permissions can take two hours to take effect. Do not expect a permission to be live immediately.

Simon.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question