Good day. We have an Exchange 2003 server and all mailboxes are set up to allow for everyone in the company to view or access all mailboxes. One user just requested (for security purposes) to not allow anyone to view her mailbox. I was trying to remove the permissions set to Everyone for Read but it tells me that the permissions are inherited and that I have to turn that off.
1) How do you remove those permissions?
2) Will that remove it from all mailboxes?
3) Can I simply alter one mailbox and leave the rest the same as they are now?
Mark Damen
As with any ACL, the DENY permission overrides the ALLOW permission.
Instead of making global changes to what is applied, or changing the inheritance on that particular mailbox, just add a DENY permission.
sscal
ASKER
Can you explain to me what you mean by a DENY permission and how would I do that?
MegaNuk3
Do properties on her mailbox and go to 'mailbox rights', scroll down till you see the inherited Everyone with 'Full Mailbox Access' = allow. And then tick the Deny box.
The other thing for you to check is from within her mailbox using Outlook. Right click on the part where it says "Mailbox - <username>" --> Properties then check the permissions and ensure 'Default' and 'Anonymous' have permissions 'None'.
Do the same for the Inbox folder; this will stop other users from using Outlook's File --> Open --> other user's folder to get into her Inbox.
sscal
ASKER
First of all, if I go into her mailbox rights, the "Everyone" permissions state Read - Allow and the checkbox is greyed out so I can't uncheck it. With regards to your second suggestion, going through her Inbox, Anonymous states None as permissions but through AD it states Read - Allow and it is also greyed out. I imagine this is set through group policy but I am unsure how to change this and especially change it for only one user.
I tried creating another Everyone group but it did not allow me. It just went to the Everyone group that was already added.
One thing I noticed is that I can check the Deny checkbox for Everyone even though the Allow is checked and grayed out. I didn't apply it because I didn't know what changes it would make and didn't want to screw anything up. I also noticed that in the Security tab there is an Everyone group listed but the only permission it has is Change Password - Deny. Is there anything I can do through there?
You mentioned about unchecking the "Allow inheritance from Parent Object" but would that change it globally on all users or just that one? Also, what other changes would I experience if I unchecked that?
The Allow Inheritance is just for that User Alone.
When you uncheck that option it would mean that it will not inherit the security settings from parent object.
The change we will make after unchecking that option is to see if we can remove the Check Mark on Deny for Everyone.
This will help us to make sure that no one apart from that user would be able to access this user's Mailbox.
sscal
ASKER
I am going to create a test account and use that one instead of making changes to a user's account. If you are positive that removing the allow inheritance will not change for anyone else then I can try it?
AshwinRaj111
I am very positive for the Allow Inheritance Tab.
But then if you still have Doubts then it is always safe to try with a Test Account.
You can create a test account and then create a new Mailbox for that Test Account.
As per your organization Settings the Everyone Group would be having the Read permission which means that anyone can open the Mailbox.
So you can try opening the Mailbox with your credentials.
Then you can uncheck the Allow Inheritance Check Box and try removing the Check Mark from the Read for Everyone.
Now other users would not be able to access this Mailbox.
I will give that a try either today or tomorrow. I will report back as to how this goes.
sscal
ASKER
So I tried this out but was nervous to go through the whole thing. I received some prompts and was not sure what I should click on these. In the first one, if I select "Copy" I would get the window below. Any idea on these? (Attachment: Untitled.jpg)
AshwinRaj111
On the First Prompt you need to Click on Copy.
This will copy the permission from parent to the child.
On the Second Prompt you would need to click on Yes.
-------
As I said earlier, I understand your concern making these changes.
You can create a test user with a Mailbox and try it with the test user.
Once you try it with the test user and get the results we want then we can try the same on the Main User.
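Added example, not part of the thread and not Exchange's own code: a simplified Python model of standard Windows DACL evaluation (canonical ACE order, first matching ACE for a single right decides) comparing the two approaches discussed above, an explicit Deny for Everyone versus unchecking inheritance with "Copy" and removing the Everyone entry. The names `jane` and `bob`, the owner's explicit entry, and all helper functions are assumptions constructed for illustration.

```python
# Simplified model of Windows DACL evaluation. All names and ACEs are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group the ACE applies to
    right: str       # e.g. "read"
    inherited: bool  # True if it came from the parent object

def canonical(dacl):
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, right):
    # The first ACE matching the right and an identity in the token decides.
    # No matching ACE means access is denied.
    for ace in canonical(dacl):
        if ace.right == right and ace.trustee in token:
            return ace.kind == "allow"
    return False

def add_explicit_deny(dacl, trustee, right):
    return dacl + [Ace("deny", trustee, right, inherited=False)]

def copy_and_remove(dacl, trustee):
    # "Copy" when unchecking inheritance: inherited ACEs become explicit ones,
    # after which the unwanted entry can be removed on this object only.
    copied = [replace(a, inherited=False) for a in dacl]
    return [a for a in copied if a.trustee != trustee]

# Constructed mailbox DACL: the owner's own explicit entry (assumed) plus the
# inherited Everyone / Read / Allow entry described in the thread.
BASE = [Ace("allow", "jane", "read", False), Ace("allow", "Everyone", "read", True)]
OWNER = {"jane", "Everyone"}      # identities in the owner's token
COWORKER = {"bob", "Everyone"}    # identities in another user's token

WITH_DENY = add_explicit_deny(BASE, "Everyone", "read")
NO_INHERIT = copy_and_remove(BASE, "Everyone")

if __name__ == "__main__":
    for name, dacl in [("unchanged", BASE), ("deny Everyone", WITH_DENY),
                       ("inheritance off, Everyone removed", NO_INHERIT)]:
        print(f"{name}: owner={access_check(dacl, OWNER, 'read')} "
              f"coworker={access_check(dacl, COWORKER, 'read')}")
```

In this model the explicit Deny for Everyone also matches the owner's own token, while copying and removing the Everyone entry blocks the coworker and leaves the owner's access intact. Other mailboxes keep the unchanged DACL, so only the edited object is affected.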