Solved

Exchange 2003 Permissions for 1 user

Posted on 2009-12-22
Last Modified: 2012-05-08
With reference to an earlier thread, I have managed to correct the permissions to stop every user in the organisation from accessing everyone else's inbox.

However there is one user that can still access every inbox within the organisation.

They do not have permission to do so anywhere. I have checked the following:

1. Delegation
2. Permissions on the inbox of users in Outlook 2003
3. Through AD and mailbox rights
4. System Manager\servername\security

I have even tried to add the user in mailbox rights and tick the Deny column which has made no difference.

The only obscure information in reference to this user is that when they joined they were not given a new profile; instead the engineer at the time just renamed the account in AD. Since then the servers have been upgraded.

I plan to back up all the user's email files and folders, then delete them in AD and Exchange and re-create them, giving them a fresh profile.

Would this be the right thing to do, as I just cannot find anywhere else that permissions could be set?

Many thanks.
0
Comment
Question by:FattyPo
19 Comments
 
LVL 13

Accepted Solution

by:
p_nuts earned 668 total points
ID: 26103722
Wow, that's really drastic.
Check the group rights in Exchange and in Active Directory. What groups is that user a member of?
Also check the rights using ADSI to see if there aren't any lower level rights on the objects.
 
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 26103756
That is very weird, as a deny should always override an allow no matter where it is applied.
0
 

Author Comment

by:FattyPo
ID: 26103797
I have checked the group rights also and the user is not a member of any groups that have permissions, domain admins etc...

Is it possible that after applying the Deny it has not updated through the domain yet? I added the Deny permissions about 3 1/2 hours ago.

In reference to ADSI, it is not something I am familiar with. Can you elaborate on this please?
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 26103815
When we change permissions in AD for Exchange the effects are virtually instant.

What do the effective permissions say when you run it against the user?
0
 

Author Comment

by:FattyPo
ID: 26103856
How do I check the effective permissions of a user?
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 26103918
Sorry, the effective permissions are for AD objects; I wasn't thinking properly.

Under the permissions, are there any accounts that are just loads of numbers and letters, or are they proper users that you know of only?

If you right click the object at the very top of Exchange, do they have full permissions in there?
0
 

Author Comment

by:FattyPo
ID: 26103939
There were a few with numbers that I removed this morning, and also authenticated users had full permissions, which allowed everyone to access everyone's inbox. I removed the auth users and this rectified the issue except for this one user. They are not listed at the top of Exchange. I applied the deny permissions on a couple of mailboxes to try it and the user can still access the inbox.
0
 
LVL 6

Assisted Solution

by:CaptainGiblets
CaptainGiblets earned 668 total points
ID: 26103959
If you open Exchange System Manager and right click

Domain (Exchange)
go to Properties
then Security
add the user and press deny under them, does this stop them accessing mailboxes? (It will also stop them accessing their own if it works.)
0
 

Author Comment

by:FattyPo
ID: 26103995
I will try shortly when they are at lunch.
0
 

Author Comment

by:FattyPo
ID: 26104010
Added the user and denied them at the top level, logged the user off and on again; they still have full access to their mailbox. Working on the assumption that the deny will take effect immediately?
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 664 total points
ID: 26104050
"when we change permissions in AD for exchange the effects are virtually instant."

That would only happen if
a. The permission had never been used before.
b. Someone has cut the cached permission time down to zero.

Option b is not recommended.
Otherwise Exchange caches permissions for up to two hours.

As the change was made after testing, I would expect the change to take effect after that period has expired. Immediate changes aren't possible.

There are two ways that a user account can get access.
1. Full Mailbox Access
2. Receive As.

You need to check both. Look carefully at group memberships and what groups have those permissions.

Simon.
0
 

Author Comment

by:FattyPo
ID: 26104168
OK, I will check after 2 hours, go through all the permissions for the user and associated groups carefully again and go from there.

The user is away for the break from tomorrow so I will apply the deny permissions this evening and retest tomorrow.

Now should I leave this question open for 24hrs? Or close it off and reopen tomorrow?
0
 

Author Comment

by:FattyPo
ID: 26104216
I have just checked and a user that I deleted at the top of store (security) 4hrs ago has been removed from the top of the Exchange store, however they still appear in the individual's mailbox?

The authenticated users disappeared instantly when I removed them? Is it possible the deny permissions just have not been updated?

Should I reboot the Exchange server?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 26104876
You don't have to reboot the server for the permissions cache to be flushed - just restart System Attendant and information store services.

Inside the mailbox permissions, is the user listed with inherited permissions (grey box) or specific permissions?

Simon.
0
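Why the inherited-versus-specific question above matters, as an added example that is not part of the original thread: a minimal model of a Windows-style access check, assuming the mailbox ACL is evaluated in the standard canonical ACE order. The trustee names and right bit values are constructed; an allow granted through a group stands in for the group memberships Mestha says to check.

```python
from dataclasses import dataclass

# Right bits are constructed for this example, not Exchange's real mask values.
FULL_MAILBOX_ACCESS = 0x1
RECEIVE_AS = 0x2

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry applies to
    allow: bool      # True = Allow entry, False = Deny entry
    mask: int        # rights the entry covers
    inherited: bool  # True = greyed-out (inherited) box in the GUI

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def access_check(aces, principals, wanted):
    """Walk the ACEs in order; stop on the first denied or fully granted bit set."""
    granted = 0
    for ace in canonical_order(aces):
        if ace.trustee not in principals:
            continue
        if ace.allow:
            granted |= ace.mask & wanted
            if granted == wanted:
                return True
        elif ace.mask & wanted & ~granted:
            return False
    return False  # nothing granted the request: implicit deny

def sample_acl():
    """Constructed mailbox ACL: a deny inherited from a parent container and
    an explicit allow set on the mailbox itself (hypothetical trustee names)."""
    return [
        Ace("jsmith", False, FULL_MAILBOX_ACCESS | RECEIVE_AS, inherited=True),
        Ace("Old Helpdesk Group", True, FULL_MAILBOX_ACCESS, inherited=False),
    ]

if __name__ == "__main__":
    token = {"jsmith", "Old Helpdesk Group"}  # the user plus their groups
    for name, right in (("Full Mailbox Access", FULL_MAILBOX_ACCESS),
                        ("Receive As", RECEIVE_AS)):
        print(name, "->", access_check(sample_acl(), token, right))
```

In this model the explicit allow is reached before the inherited deny, so Full Mailbox Access is granted while Receive As is refused; only a deny set explicitly on the mailbox sorts ahead of the allow.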
 

Author Comment

by:FattyPo
ID: 26107302
I have added the user and denied all permissions; they appear greyed out when I look in everyone's mailbox rights, so they are inherited. In the user's mailbox they are also showing denied.

However, the user can access their own mailbox and still everyone else's. I have checked all group memberships and nothing should allow the user to have these rights.

Also deny overrides allow, so just completely lost now.

I have not restarted the System Attendant as yet though, should I?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 26111931
Personally I would now look at rebooting the entire machine, so that everything is flushed out correctly.

Simon.
0
 

Author Comment

by:FattyPo
ID: 26118291
I have rebooted the server and the user is showing explicit deny permissions but they can still access every user's inbox on the domain. Is it possible that there is just an issue as the user had a name change on the original account in AD?
0
 

Author Comment

by:FattyPo
ID: 26119025
I have deleted the user and recreated them. Everything now works as it should. I can only put this down to the profile being renamed historically as opposed to a new profile being created at the time.

Thank you all for your help.
0
 

Author Closing Comment

by:FattyPo
ID: 31668936
I just think the user's profile was corrupt/behaving strangely as it was renamed from the previous individual.
0
