Solved

Microsoft Exchange 2003 permissions problem!

Posted on 2010-09-09
Last Modified: 2012-05-10
Hi All,

I am after some expert Exchange advice!

For some reason any user in the company is able to open any other user's mailbox within Outlook. I'm not sure how this happened but it looks like permissions on our Exchange 2003 server have been changed. Users should not be able to do this. Obviously I want to change it back but don't want to cause any problems. Where should I look to change this, and what should I change?

Thanks
Question by:robclarke41
27 Comments
 
LVL 3

Expert Comment

by:Jaoibh
ID: 33635576
Users are domain admins or Administrators in Active directory!
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635588
They're not, they are all just domain users.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635605
go into system manager and check the permissions on the database
make sure domain users does not have receive-as permissions
0

 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635616
Go to Active Directory Users and Computers – go to one user – Right Click – Properties
Go to Exchange Advanced – Mailbox Rights
Here you will modify the rights on the mailbox. Verify whether Domain Users is added and, if it is, delete it.
0
 
LVL 8

Expert Comment

by:Mkris9
ID: 33635629
Go to esm and check if all users or the users group is added as exchange view only or server administrator.
0
 
LVL 5

Expert Comment

by:Swapnil Prajapati
ID: 33635635
Select any of the user mailboxes, in Properties go to Exchange Advanced and check Mailbox Rights.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635646
someone would have been extremely bored to go through each individual user and add the mailbox rights
you want to check within esm at the security on the database
look at every group that has receive-as permissions to the database
the receive-as permission grants access to mailboxes
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635650
Domain users are not listed on the ACL at all, the list is as follows:

Administrator
ANONYMOUS LOGON
SERVER$
BackupExec
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services

The one that looks suspicious is 'Everyone' but apparently everyone permissions are used on an Exchange server db?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635665
look for what has receive-as permission granted
maybe they had nothing better to do and did grant the permissions manually for each account - have fun with that if it is the case :)
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635687
Just been through every group, none of them have receive-as permissions :(
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635702
go back to @sibisteanu's comment and check individually
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635740
Ok here is an example of individual mailbox rights:

Administrator
ANONYMOUS LOGON
BackupExec
SERVER$
Domain Admins
Enterprise Admins
Everyone
Exchange Domain Servers
Exchange Services
SELF

If I check the 'Everyone' permissions here all they have is 'Read Permissions' i.e. the ability to read the security permissions not 'Read' permissions.

How can this happen?!
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635778
What is Exchange Services? It doesn't appear on my server.
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635787
Are you on Exchange 2003?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635796
another question, can everyone actually expand and view items, or is it that they can add any mailbox to their profile.
anyone can add any mailbox, but you cannot expand the folders by default.
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33635823
Yes. I have Exchange 2003.
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33635856
They can actually add the mailboxes in and expand to see the other user's entire folder tree! Not good!

They can also just use 'open other user's folder' to get at other users' mail.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33635926
in ad users and computers select view - advanced features
go to the properties of a user (whose mailbox can be seen by others) and go to the security tab
check each account for the Receive As permission
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33636654
No user or group has the receive as permission, it doesn't make sense?
0
 
LVL 3

Expert Comment

by:Jaoibh
ID: 33636668
I would love to have a proper look at that system this is a really strange one
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33636689
Yes it doesn't make sense, I've been working with Exchange 2003 for years and not seen something like this.  It can only be a permission somewhere, does anyone have any other ideas?
0
 
LVL 2

Expert Comment

by:sibisteanu
ID: 33636693
To which group is a normal domain user added?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33636817
there is one last place you can check
go to someone's outlook profile and check the delegate settings
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33636830
Thanks just checked and that is empty.
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 2000 total points
ID: 33636848
then right-click on the top level (mailbox - username) and select properties
go to the permissions tab and check there
0
 
LVL 1

Author Comment

by:robclarke41
ID: 33637192
I think this may be it, I've changed the 'default' user to none as it was on reviewer and it worked.  What should the 'default' permission be on?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33637347
the default should be none
0
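The thread checks several permission layers in turn (database security in ESM, Mailbox Rights and the Security tab in AD Users and Computers, and finally the Permissions tab on the mailbox root in Outlook, where 'Default' was set to Reviewer). The following is an added example, not code from the thread or from any poster: it audits a permissions export across those layers and reports entries that let every user read a mailbox. The CSV layout, layer names and sample rows are assumptions constructed for illustration, not the output of a real tool.

```python
import csv
import io

# Principals that cover every ordinary user. "Default" and "Anonymous" are the
# built-in entries on an Outlook folder's Permissions tab.
BROAD_TRUSTEES = {"everyone", "domain users", "authenticated users",
                  "default", "anonymous"}

# Rights that expose mailbox content, per layer checked in the thread.
CONTENT_RIGHTS = {
    "store": {"receive as"},                     # ESM: security on the database
    "mailbox_rights": {"full mailbox access"},   # ADUC: Exchange Advanced
    "ad_security": {"receive as"},               # ADUC: Security tab
}

# Constructed sample in a hypothetical export format (assumption, not a real tool).
SAMPLE_EXPORT = """mailbox,layer,trustee,right
alice,store,Everyone,Read permissions
alice,mailbox_rights,Everyone,Read permissions
alice,mailbox_rights,SELF,Full mailbox access
alice,folder,Default,Reviewer
alice,folder,Anonymous,None
bob,folder,Default,None
bob,ad_security,Domain Users,Receive As
"""


def audit(export_text):
    """Return (mailbox, layer, trustee, right) rows that let any user read mail."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        trustee = row["trustee"].strip().lower()
        right = row["right"].strip().lower()
        layer = row["layer"].strip().lower()
        if trustee not in BROAD_TRUSTEES:
            continue  # named accounts (SELF, service accounts) are out of scope
        if layer == "folder":
            # On the mailbox root, any role other than None is a finding.
            exposed = right != "none"
        else:
            exposed = right in CONTENT_RIGHTS.get(layer, set())
        if exposed:
            findings.append((row["mailbox"], layer, row["trustee"], row["right"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("EXPOSED: %s layer=%s trustee=%s right=%s" % finding)
```

'Read permissions' for Everyone, as seen in the thread, is not flagged because it only allows reading the ACL, while a folder-level 'Default' role of Reviewer is.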
