• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232
  • Last Modified:

Mircosoft Exchange 2003 permissions problem!

Hi All,

I am after some expert Exchange advice!

For some reason any user in the company is able to open any other users mailbox within Outlook.  I'm not sure how this happened but it looks like permissions on our Exchange 2003 server have been changed.  Users should not be able to do this.  Obviously I want to change it back but don't want to cause any problems.  Where should I look to change this? and what should I change?

Thanks
0
robclarke41
Asked:
robclarke41
  • 10
  • 9
  • 4
  • +3
1 Solution
 
JaoibhCommented:
Users are domain admins or Administrators in Active directory!
0
 
robclarke41Author Commented:
They're not they are all just domain users
0
 
endital1097Commented:
go into system manager and check the permissions on the database
make sure domain users does not have receive-as permissions
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
sibisteanuCommented:
Go to Active Directory Users and Computers – go to one user – Right Click – Properties
Go to Exchange Advanced – Mailbox Rights
Here you will modify the rights on mailbox. Verify if Domain Users is added and if it is deleted.
0
 
Mkris9Commented:
Go to esm and check if all users or the users group is added as exchange view only or server administrator.
0
 
Swapnil PrajapatiSr. System AdministratorCommented:
Select any of the user mailbox, In properties goto Exchange Advanced and check Mailbox Rights.
0
 
endital1097Commented:
someone would have been extremely bored to go thru each individual users and add the mailbox rights
you want to check within esm at the security on the database
look at every group that has receive-as permissions to the database
the receive-as permission grants access to mailboxes
0
 
robclarke41Author Commented:
Domain users are not listed on the ACL at all, the list is as follows:

Administrator
ANONOYMOUS LOGON
SERVER$
BackupExec
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services

The one that looks suspicious is 'Everyone' but apparently everyone permissions are used on an Exchange server db?
0
 
endital1097Commented:
look for what has receive-as permission granted
maybe they had nothing better to do and did grant the permissions manually for each account - have fun with that if it is the case :)
0
 
robclarke41Author Commented:
just been through every group, none of them have recieve-as permissions :(
0
 
endital1097Commented:
go back to @sibisteanu comment and check individually
0
 
robclarke41Author Commented:
Ok here is an example of individual mailbox rights:

Administrator
ANONYMOUS LOGON
BackupExec
SERVER$
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services
SELF

If I check the 'Everyone' permissions here all they have is 'Read Permissions' i.e. the ability to read the security permissions not 'Read' permissions.

How can this happen?!
0
 
sibisteanuCommented:
What is Exchange Services? On my server doesn’t appear.
0
 
robclarke41Author Commented:
Are you on Exchange 2003?
0
 
endital1097Commented:
another question, can everyone actually expand and view items, or is it that they can add any mailbox to their profile.
anyone can add any mailbox, but you cannot expand the folders by default.
0
 
sibisteanuCommented:
Yes. A have Exchange 2003.
0
 
robclarke41Author Commented:
They can actually add the mailboxes in and expand to see the other users entire folder tree !  Not good!

They can also just use 'open other users folder' to get at other users mail.
0
 
endital1097Commented:
in ad users and computers select view - advanced features
go to the properties of a user (whose mailbox can be seen by others) and go to hte security tab
check each account for the Receive As permission
0
 
robclarke41Author Commented:
No user or group has the recieve as permission, it doesnt make sense?
0
 
JaoibhCommented:
I would love to have a proper look at that system this is a really strange one
0
 
robclarke41Author Commented:
Yes it doesn't make sense, I've been working with Exchange 2003 for years and not seen something like this.  It can only be a permission somewhere, does anyone have any other ideas?
0
 
sibisteanuCommented:
In which group is added a normal domain user?
0
 
endital1097Commented:
there is one last place you can check
go to someone's outlook profile and check the delegate settings
0
 
robclarke41Author Commented:
Thanks just checked and that is empty.
0
 
endital1097Commented:
then right-click on the top level (mailbox - username) and select properties
go to the permissions tab and check there
0
 
robclarke41Author Commented:
I think this may be it, I've changed the 'default' user to none as it was on reviewer and it worked.  What should the 'default' permission be on?
0
 
endital1097Commented:
the default should be none
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 10
  • 9
  • 4
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now