  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1793

Inherit permissions on mailboxes

Good day. We have an Exchange 2003 server and all mailboxes are set up to allow for everyone in the company to view or access all mailboxes. One user just requested (for security purposes) to not allow anyone to view her mailbox. I was trying to remove the permissions set to Everyone for Read but it tells me that the permissions are inherited and that I have to turn that off.

1) How do you remove those permissions?
2) Will that remove it from all mailboxes?
3) Can I simply alter one mailbox and leave the rest the same as they are now?
0
sscal
Asked:
1 Solution
 
Mark DamenERP System ManagerCommented:
As with any ACL, the DENY permission overrides the ALLOW permission.

Instead of making global changes to what is applied, or changing the inheritance on that particular mailbox, just add a DENY permission.
0
 
sscalAuthor Commented:
Can you explain to me what you mean by a DENY permission and how would I do that?
0
 
MegaNuk3Commented:
Do properties on her mailbox and go to 'mailbox rights', scroll down till you see the inherited Everyone with 'Full Mailbox Access' = allow. And then tick the Deny box.

Job done, it should be effective within 15 minutes
0
MegaNuk3Commented:
Do the above instructions from ADUC
0
 
MegaNuk3Commented:
The other thing for you to check is from within her mailbox using Outlook. Right click on the part where it says "Mailbox - <username>" --> Properties then check the permissions and ensure 'Default' and 'Anonymous' have permissions 'None'

Do the same for the Inbox folder, this will stop other users from using Outlook's File--> Open --> other users folder to get into her Inbox
0
 
sscalAuthor Commented:
First of all, if I go into her mailbox rights, the "Everyone" permissions state Read - Allow and the checkbox is greyed out so I can't uncheck it. With regards to your second suggestion, going through her Inbox Anonymous states None as permissions but through AD it states Read - Allow and it is also greyed out. I imagine this is set through group policy but unsure how to change this and especially change it for only one user.
0
 
AshwinRaj111Commented:

You can try adding Everyone on that Mailbox and give a Deny on Read.

Deny should take priority over the Allow Permission.

Force replicate between the Domain Controllers if you have multiple ones.

Check and see if after others are able to access her Mailbox.
0
 
sscalAuthor Commented:
Everyone is already added through Exchange and the allow checkbox is grayed out. Won't let me change it that way.
0
 
AshwinRaj111Commented:
Yes, I know.

You would not be able to Change the Everyone with the Allow as it is inherited from the Parent Object.

What we can do here is to add another Everyone Group and Give a Deny.
And then see if this works.

Else another thing you can do is to Click on the Security Tab on the User -> Then Click on Advanced Option.
Uncheck the Check Box of "Allow Inheritance from Parent Object"

Then you will be able to edit the Everyone Group.
0
 
sscalAuthor Commented:
I tried creating another Everyone group but it did not allow me. It just went to the Everyone group that was already added.

One thing I noticed is that I can check the Deny checkbox for Everyone even though the Allow is checked and grayed out. I didn't apply it because I didn't know what changes it would make and didn't want to screw anything up. I also noticed that in the Security tab there is an Everyone group listed but the only permission it has is Change Password - Deny. Is there anything I can do through there?

You mentioned about unchecking the "Allow inheritance from Parent Object" but would that change it globally on all users or just that one? Also, what other changes would I experience if I unchecked that?
0
 
AshwinRaj111Commented:

The Allow Inheritance is just for that User Alone.

When you uncheck that option it would mean that it will not inherit the security settings from parent object.

The change we will make after unchecking that option is to see if we can remove the Check Mark on Deny for Everyone.

This will help us to make sure that no one apart from that user would be able to access this user's Mailbox.

0
 
sscalAuthor Commented:
I am going to create a test account and use that one instead of making changes to a user's account. If you are positive that removing the allow inheritance will not change for anyone else then I can try it?
0
 
AshwinRaj111Commented:

I am very positive for the Allow Inheritance Tab.

But then if you still have Doubts then it is always safe to try with a Test Account.

You can create a test account and then create a new Mailbox for that Test Account.
As per your organization Settings the Everyone Group would be having the Read permission which means that anyone can open the Mailbox.

So you can try opening the Mailbox with your credentials.
Then you can uncheck the Allow Inheritance Check Box and try removing the Check Mark from the Read for Everyone.

Now other users would not be able to access this Mailbox.
0
 
sscalAuthor Commented:
I will give that a try either today or tomorrow. I will report back as to how this goes.
0
 
sscalAuthor Commented:
So I tried this out but was nervous to go through the whole thing. I received some prompts and was not sure what I should click on these. In the first one, if I select "Copy" I would get the window below. Any idea on these?
Untitled.jpg
0
 
AshwinRaj111Commented:

On the First Prompt you need to Click on Copy.
This will copy the permission from parent to the child.

On the Second Prompt you would need to click on Yes.

-------

As I said earlier, I understand your concern making these changes.
You can create a test user with a Mailbox and try it with the test user.
Once you try it with the test user and get the results we want then we can try the same on the Main User.
0
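The two approaches discussed in this thread (an explicit Deny for Everyone versus unchecking inheritance, choosing "Copy", and removing the Everyone entry) can be compared with a small model of Windows-style ACL evaluation. This is an added example, not part of the original thread: the `READ` bit, the `SELF` entry for the mailbox owner, and the sample ACL are constructed assumptions, and the model is a simplification of the real access check.

```python
from dataclasses import dataclass

READ = 0x1  # constructed bit standing in for the mailbox "Read" permission

@dataclass(frozen=True)
class Ace:
    trustee: str     # account or group the entry applies to
    allow: bool      # True = Allow entry, False = Deny entry
    mask: int        # rights covered by the entry
    inherited: bool  # True if the entry comes from the parent object

def canonical(acl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def access_check(acl, groups, wanted):
    """Walk the ordered ACL; a deny on a right still needed ends the check."""
    remaining = wanted
    for ace in canonical(acl):
        if ace.trustee not in groups:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # no entry granted the right: implicit deny

def break_inheritance_copy(acl):
    """The 'Copy' prompt: inherited entries become explicit, editable entries."""
    return [Ace(a.trustee, a.allow, a.mask, False) for a in acl]

# Constructed ACL for the situation in the thread (assumed entries).
ORIGINAL = [Ace("SELF", True, READ, False), Ace("Everyone", True, READ, True)]
OWNER = {"SELF", "Everyone"}   # the mailbox owner is also a member of Everyone
COLLEAGUE = {"Everyone"}

def scenarios():
    """Return (owner_can_read, colleague_can_read) for each option."""
    with_deny = ORIGINAL + [Ace("Everyone", False, READ, False)]
    copied = break_inheritance_copy(ORIGINAL)
    everyone_removed = [a for a in copied if a.trustee != "Everyone"]
    def check(acl):
        return (access_check(acl, OWNER, READ), access_check(acl, COLLEAGUE, READ))
    return {
        "original": check(ORIGINAL),
        "explicit_deny_everyone": check(with_deny),
        "inheritance_copied_everyone_removed": check(everyone_removed),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In this model the explicit Deny for Everyone also matches the mailbox owner, which is why testing on a throwaway mailbox first, as suggested above, is worthwhile.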
