Solved

Microsoft Exchange 2003 permissions problem!

Posted on 2010-09-09
Last Modified: 2012-05-10
Hi All,

I am after some expert Exchange advice!

For some reason any user in the company is able to open any other user's mailbox within Outlook. I'm not sure how this happened but it looks like permissions on our Exchange 2003 server have been changed. Users should not be able to do this. Obviously I want to change it back but don't want to cause any problems. Where should I look to change this, and what should I change?

Thanks
Question by:robclarke41
27 Comments
 
LVL 3

Expert Comment

by:Jaoibh
Users are domain admins or Administrators in Active Directory!
 
LVL 1

Author Comment

by:robclarke41
They're not, they are all just domain users
 
LVL 32

Expert Comment

by:endital1097
go into system manager and check the permissions on the database
make sure domain users does not have receive-as permissions
 
LVL 2

Expert Comment

by:sibisteanu
Go to Active Directory Users and Computers – go to one user – Right Click – Properties
Go to Exchange Advanced – Mailbox Rights
Here you will modify the rights on mailbox. Verify if Domain Users is added and if it is deleted.
 
LVL 8

Expert Comment

by:Mkris9
Go to esm and check if all users or the users group is added as exchange view only or server administrator.
 
LVL 5

Expert Comment

by:swap_101982
Select any of the user mailboxes; in Properties go to Exchange Advanced and check Mailbox Rights.
 
LVL 32

Expert Comment

by:endital1097
someone would have been extremely bored to go thru each individual user and add the mailbox rights
you want to check within esm at the security on the database
look at every group that has receive-as permissions to the database
the receive-as permission grants access to mailboxes
 
LVL 1

Author Comment

by:robclarke41
Domain users are not listed on the ACL at all, the list is as follows:

Administrator
ANONYMOUS LOGON
SERVER$
BackupExec
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services

The one that looks suspicious is 'Everyone' but apparently everyone permissions are used on an Exchange server db?
 
LVL 32

Expert Comment

by:endital1097
look for what has receive-as permission granted
maybe they had nothing better to do and did grant the permissions manually for each account - have fun with that if it is the case :)
 
LVL 1

Author Comment

by:robclarke41
just been through every group, none of them have receive-as permissions :(
 
LVL 32

Expert Comment

by:endital1097
go back to @sibisteanu's comment and check individually
 
LVL 1

Author Comment

by:robclarke41
Ok here is an example of individual mailbox rights:

Administrator
ANONYMOUS LOGON
BackupExec
SERVER$
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services
SELF

If I check the 'Everyone' permissions here all they have is 'Read Permissions' i.e. the ability to read the security permissions not 'Read' permissions.

How can this happen?!
 
LVL 2

Expert Comment

by:sibisteanu
What is Exchange Services? On my server it doesn’t appear.
 
LVL 1

Author Comment

by:robclarke41
Are you on Exchange 2003?
 
LVL 32

Expert Comment

by:endital1097
another question, can everyone actually expand and view items, or is it that they can add any mailbox to their profile.
anyone can add any mailbox, but you cannot expand the folders by default.
 
LVL 2

Expert Comment

by:sibisteanu
Yes. I have Exchange 2003.
 
LVL 1

Author Comment

by:robclarke41
They can actually add the mailboxes in and expand to see the other user's entire folder tree! Not good!

They can also just use 'open other user's folder' to get at other users' mail.
 
LVL 32

Expert Comment

by:endital1097
in ad users and computers select view - advanced features
go to the properties of a user (whose mailbox can be seen by others) and go to the security tab
check each account for the Receive As permission
 
LVL 1

Author Comment

by:robclarke41
No user or group has the receive as permission, it doesn't make sense?
 
LVL 3

Expert Comment

by:Jaoibh
I would love to have a proper look at that system this is a really strange one
 
LVL 1

Author Comment

by:robclarke41
Yes it doesn't make sense, I've been working with Exchange 2003 for years and not seen something like this.  It can only be a permission somewhere, does anyone have any other ideas?
 
LVL 2

Expert Comment

by:sibisteanu
In which group is a normal domain user added?
 
LVL 32

Expert Comment

by:endital1097
there is one last place you can check
go to someone's outlook profile and check the delegate settings
 
LVL 1

Author Comment

by:robclarke41
Thanks, just checked and that is empty.
 
LVL 32

Accepted Solution

by:endital1097
then right-click on the top level (mailbox - username) and select properties
go to the permissions tab and check there
 
LVL 1

Author Comment

by:robclarke41
I think this may be it, I've changed the 'default' user to none as it was on reviewer and it worked.  What should the 'default' permission be on?
 
LVL 32

Expert Comment

by:endital1097
the default should be none
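
The thread ends at a layer the earlier checks do not cover: Outlook folder-level permissions on the mailbox root, where the Default entry was Reviewer instead of None. The following is an added example, not part of the original thread, that audits an export of folder permissions for Default or Anonymous entries set above None. The CSV layout, the mailbox names and the "Mailbox - name" root naming are assumptions made for illustration.

```python
import csv
import io

# Outlook folder roles, split by whether they include the "read items" right.
READ_ROLES = {"Owner", "Publishing Editor", "Editor", "Publishing Author",
              "Author", "Nonediting Author", "Reviewer"}
NO_READ_ROLES = {"Contributor"}        # folder visible, items not readable
CATCH_ALL = {"default", "anonymous"}   # entries that apply to unnamed users

# Constructed sample export (hypothetical format): one row per folder ACL entry.
SAMPLE = """mailbox,folder,principal,role
alice,Mailbox - alice,Default,Reviewer
alice,Mailbox - alice,Anonymous,None
alice,Inbox,Default,None
bob,Mailbox - bob,Default,None
bob,Calendar,Default,Reviewer
carol,Mailbox - carol,Default,Contributor
carol,Inbox,bob,Editor
"""

def audit_folder_acls(csv_text):
    """Return catch-all ACL entries whose role is anything other than None."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        principal, role = row["principal"].strip(), row["role"].strip()
        if principal.lower() not in CATCH_ALL or role == "None":
            continue                   # named delegates are out of scope here
        if role in READ_ROLES:
            access = "read"
        elif role in NO_READ_ROLES:
            access = "visible-only"
        else:
            access = "review"          # custom or unrecognised role
        # Assumption: the mailbox root is exported as "Mailbox - <name>".
        scope = "root" if row["folder"].startswith("Mailbox - ") else "folder"
        findings.append({"mailbox": row["mailbox"], "folder": row["folder"],
                         "principal": principal, "role": role,
                         "scope": scope, "access": access})
    # Readable mailbox roots first: that is the case this thread ended on.
    rank = {("root", "read"): 0}
    findings.sort(key=lambda f: (rank.get((f["scope"], f["access"]), 1),
                                 f["mailbox"]))
    return findings

if __name__ == "__main__":
    for f in audit_folder_acls(SAMPLE):
        print("{mailbox}: '{folder}' grants {principal} = {role} "
              "({scope}, {access})".format(**f))
```

Named delegates such as the `bob` entry on carol's Inbox are deliberately ignored; only the catch-all entries that apply to every other user are reported.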