Solved

Microsoft Exchange 2003 permissions problem!

Posted on 2010-09-09
Last Modified: 2012-05-10
Hi All,

I am after some expert Exchange advice!

For some reason any user in the company is able to open any other user's mailbox within Outlook.  I'm not sure how this happened but it looks like permissions on our Exchange 2003 server have been changed.  Users should not be able to do this.  Obviously I want to change it back but don't want to cause any problems.  Where should I look to change this, and what should I change?

Thanks
Question by:robclarke41
27 Comments
 
LVL 3

Expert Comment

by:Jaoibh
ID: 33635576
Users are domain admins or Administrators in Active directory!
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635588
They're not, they are all just domain users
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635605
go into system manager and check the permissions on the database
make sure domain users does not have receive-as permissions
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635616
Go to Active Directory Users and Computers – go to one user – Right Click – Properties
Go to Exchange Advanced – Mailbox Rights
Here you will modify the rights on the mailbox. Verify if Domain Users is added and if it is deleted.
0
 
LVL 8

Expert Comment

by:Mkris9
ID: 33635629
Go to esm and check if all users or the users group is added as exchange view only or server administrator.
0
 
LVL 5

Expert Comment

by:Swapnil Prajapati
ID: 33635635
Select any of the user mailboxes, in properties go to Exchange Advanced and check Mailbox Rights.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635646
someone would have been extremely bored to go thru each individual user and add the mailbox rights
you want to check within esm at the security on the database
look at every group that has receive-as permissions to the database
the receive-as permission grants access to mailboxes
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635650
Domain users are not listed on the ACL at all, the list is as follows:

Administrator
ANONYMOUS LOGON
SERVER$
BackupExec
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services

The one that looks suspicious is 'Everyone' but apparently everyone permissions are used on an Exchange server db?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635665
look for what has receive-as permission granted
maybe they had nothing better to do and did grant the permissions manually for each account - have fun with that if it is the case :)
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635687
just been through every group, none of them have receive-as permissions :(
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635702
go back to @sibisteanu's comment and check individually
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635740
Ok here is an example of individual mailbox rights:

Administrator
ANONYMOUS LOGON
BackupExec
SERVER$
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services
SELF

If I check the 'Everyone' permissions here all they have is 'Read Permissions' i.e. the ability to read the security permissions not 'Read' permissions.

How can this happen?!
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635778
What is Exchange Services? It doesn’t appear on my server.
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635787
Are you on Exchange 2003?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635796
another question, can everyone actually expand and view items, or is it that they can add any mailbox to their profile.
anyone can add any mailbox, but you cannot expand the folders by default.
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635823
Yes. I have Exchange 2003.
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635856
They can actually add the mailboxes in and expand to see the other user's entire folder tree!  Not good!

They can also just use 'open other user's folder' to get at other users' mail.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635926
in ad users and computers select view - advanced features
go to the properties of a user (whose mailbox can be seen by others) and go to the security tab
check each account for the Receive As permission
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33636654
No user or group has the receive as permission, it doesn't make sense?
0
 
LVL 3

Expert Comment

by:Jaoibh
ID: 33636668
I would love to have a proper look at that system, this is a really strange one
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33636689
Yes it doesn't make sense, I've been working with Exchange 2003 for years and not seen something like this.  It can only be a permission somewhere, does anyone have any other ideas?
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33636693
Which group is a normal domain user added to?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33636817
there is one last place you can check
go to someone's outlook profile and check the delegate settings
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33636830
Thanks just checked and that is empty.
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 33636848
then right-click on the top level (mailbox - username) and select properties
go to the permissions tab and check there
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33637192
I think this may be it, I've changed the 'default' user to none as it was on reviewer and it worked.  What should the 'default' permission be on?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33637347
the default should be none
0
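The thread checked three separate permission layers before finding the cause: the store ACL, the per-user Mailbox Rights, and the folder-level permissions on the mailbox root. The following added example (not part of the original thread, and not a tool any participant used) audits all three from one export. The CSV layout, the mailbox names and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample export, not data from the thread. The four-column layout
# (layer, object, principal, right) is an assumption of this example.
SAMPLE = """layer,object,principal,right
store,Mailbox Store (SERVER),Everyone,Read permissions
store,Mailbox Store (SERVER),BackupExec,Receive As
mailbox,jsmith,Everyone,Read permissions
mailbox,jsmith,SELF,Full mailbox access
folder,jsmith/Mailbox root,Default,Reviewer
folder,jsmith/Mailbox root,Anonymous,None
folder,akhan/Mailbox root,Default,None
"""

BROAD_GROUPS = {"everyone", "domain users", "authenticated users"}
OPEN_RIGHTS = {"receive as", "full mailbox access"}   # store and mailbox layers
FOLDER_CATCH_ALL = {"default", "anonymous"}           # folder-level entries
READ_ROLES = {"owner", "publishing editor", "editor", "publishing author",
              "author", "nonediting author", "reviewer"}


def audit(export_text):
    """Return one finding per entry that opens a mailbox to everybody."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        layer = row["layer"].strip().lower()
        who = row["principal"].strip().lower()
        right = row["right"].strip().lower()
        if layer in ("store", "mailbox"):
            # "Read permissions" only exposes the ACL, so it is not flagged.
            hit = who in BROAD_GROUPS and right in OPEN_RIGHTS
            reads_items = hit
        elif layer == "folder":
            # Default covers every user who has no explicit entry of their own.
            hit = who in FOLDER_CATCH_ALL and right != "none"
            reads_items = right in READ_ROLES
        else:
            continue
        if hit:
            findings.append({"layer": layer, "object": row["object"],
                             "principal": row["principal"],
                             "right": row["right"], "reads_items": reads_items})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

On the sample, the only finding is the Default = Reviewer entry on one mailbox root, which is the setting the thread ended up resetting to None.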
