Solved

Inherit permissions on mailboxes

Posted on 2010-11-15
Last Modified: 2012-08-13
Good day. We have an Exchange 2003 server and all mailboxes are set up to allow for everyone in the company to view or access all mailboxes. One user just requested (for security purposes) to not allow anyone to view her mailbox. I was trying to remove the permissions set to Everyone for Read but it tells me that the permissions are inherited and that I have to turn that off.

1) How do you remove those permissions?
2) Will that remove it from all mailboxes?
3) Can I simply alter one mailbox and leave the rest the same as they are now?
Question by:sscal
18 Comments
 
LVL 13

Expert Comment

by:markusdamenous
ID: 34141174
As with any ACL, the DENY permission overrides the ALLOW permission.

Instead of making global changes to what is applied, or changing the inheritance on that particular mailbox, just add a DENY permission.
 
LVL 1

Author Comment

by:sscal
ID: 34141182
Can you explain to me what you mean by a DENY permission and how would I do that?
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34142932
Do properties on her mailbox and go to 'mailbox rights', scroll down till you see the inherited Everyone with 'Full Mailbox Access' = allow, and then tick the Deny box.

Job done, it should be effective within 15 minutes.
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34142936
Do the above instructions from ADUC
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34142965
The other thing for you to check is from within her mailbox using Outlook. Right click on the part where it says "Mailbox - <username>" --> Properties then check the permissions and ensure 'Default' and 'Anonymous' have permissions 'None'

Do the same for the Inbox folder; this will stop other users from using Outlook's File --> Open --> Other User's Folder to get into her Inbox.
 
LVL 1

Author Comment

by:sscal
ID: 34156667
First of all, if I go into her mailbox rights, the "Everyone" permissions state Read - Allow and the checkbox is greyed out so I can't uncheck it. With regards to your second suggestion, going through her Inbox, Anonymous states None as permissions, but through AD it states Read - Allow and it is also greyed out. I imagine this is set through group policy but I am unsure how to change this and especially how to change it for only one user.
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34193015

You can try adding Everyone on that Mailbox and give a Deny on Read.

Deny should take priority over the Allow Permission.

Force replicate between the Domain Controllers if you have multiple ones.

Check and see afterwards if others are able to access her Mailbox.
 
LVL 1

Author Comment

by:sscal
ID: 34193087
Everyone is already added through Exchange and the allow checkbox is grayed out. Won't let me change it that way.
 
LVL 13

Accepted Solution

by:
AshwinRaj111 earned 250 total points
ID: 34194021
Yes, I know.

You would not be able to Change the Everyone with the Allow as it is inherited from the Parent Object.

What we can do here is to add another Everyone Group and Give a Deny.
And then see if this works.

Else another thing you can do is to click on the Security Tab on the User -> Then click on Advanced Option.
Uncheck the Check Box of "Allow Inheritance from Parent Object"

Then you will be able to edit the Everyone Group.
 
LVL 1

Author Comment

by:sscal
ID: 34197645
I tried creating another Everyone group but it did not allow me. It just went to the Everyone group that was already added.

One thing I noticed is that I can check the Deny checkbox for Everyone even though the Allow is checked and grayed out. I didn't apply it because I didn't know what changes it would make and didn't want to screw anything up. I also noticed that in the Security tab there is an Everyone group listed but the only permission it has is Change Password - Deny. Is there anything I can do through there?

You mentioned about unchecking the "Allow inheritance from Parent Object" but would that change it globally on all users or just that one? Also, what other changes would I experience if I unchecked that?
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34197752

The Allow Inheritance is just for that User Alone.

When you uncheck that option it would mean that it will not inherit the security settings from parent object.

The change we will make after unchecking that option is to see if we can remove the Check Mark on Deny for Everyone.

This will help us to make sure that no one apart from that user would be able to access this user's Mailbox.

 
LVL 1

Author Comment

by:sscal
ID: 34197773
I am going to create a test account and use that one instead of making changes to a user's account. If you are positive that removing the allow inheritance will not change for anyone else then I can try it?
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34198208

I am very positive for the Allow Inheritance Tab.

But then if you still have Doubts then it is always safe to try with a Test Account.

You can create a test account and then create a new Mailbox for that Test Account.
As per your organization Settings the Everyone Group would be having the Read permission which means that anyone can open the Mailbox.

So you can try opening the Mailbox with your credentials.
Then you can uncheck the Allow Inheritance Check Box and try removing the Check Mark from the Read for Everyone.

Now other users would not be able to access this Mailbox.
 
LVL 1

Author Comment

by:sscal
ID: 34198235
I will give that a try either today or tomorrow. I will report back as to how this goes.
 
LVL 1

Author Comment

by:sscal
ID: 34231715
So I tried this out but was nervous to go through the whole thing. I received some prompts and was not sure what I should click on these. In the first one, if I select "Copy" I would get the window below. Any idea on these?
Untitled.jpg
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34231876

On the First Prompt you need to Click on Copy.
This will copy the permission from parent to the child.

On the Second Prompt you would need to click on Yes.

-------

As I said earlier, I understand your concern about making these changes.
You can create a test user with a Mailbox and try it with the test user.
Once you try it with the test user and get the results we want, then we can try the same on the Main User.
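
How the two options discussed in this thread differ once the ACL is evaluated, as an added example that is not part of any poster's comment: a simplified Python model of the standard Windows DACL walk in canonical order (explicit deny, explicit allow, inherited deny, inherited allow). The ACEs, the SELF entry for the mailbox owner and the account names are constructed assumptions, not values read from the asker's server.

```python
# Added illustration: simplified model of Windows DACL evaluation.
# All principals and ACEs below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # group or account the ACE applies to
    rights: frozenset
    inherited: bool

def canonical(dacl):
    """Order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, groups, wanted):
    """Walk ACEs in order; a deny on a still-needed right ends the walk."""
    remaining = set(wanted)
    for ace in canonical(dacl):
        if ace.trustee not in groups:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return False  # rights never granted are implicitly denied

READ = frozenset({"read"})
OWNER = {"owner", "SELF", "Everyone"}     # hypothetical mailbox owner
COLLEAGUE = {"colleague", "Everyone"}     # hypothetical other user

inherited_allow = Ace("allow", "Everyone", READ, inherited=True)
owner_allow = Ace("allow", "SELF", READ, inherited=False)  # assumed owner entry

def outcomes(dacl):
    """Return (owner can read, colleague can read) for the given DACL."""
    return (access_check(dacl, OWNER, READ), access_check(dacl, COLLEAGUE, READ))

# Starting point in the thread: inherited Everyone = Read/Allow.
before = outcomes([inherited_allow, owner_allow])
# Option 1: tick Deny for Everyone (adds an explicit deny ACE).
explicit_deny = Ace("deny", "Everyone", READ, inherited=False)
with_deny = outcomes([explicit_deny, inherited_allow, owner_allow])
# Option 2: turn off inheritance, copy the ACEs, remove Everyone's allow.
no_inherit = outcomes([owner_allow])

if __name__ == "__main__":
    for name, res in [("before", before), ("deny Everyone", with_deny),
                      ("inheritance off", no_inherit)]:
        print(f"{name:16} owner={res[0]} colleague={res[1]}")
```

In this model the explicit Deny for Everyone also matches the mailbox owner, because the owner is a member of Everyone and deny ACEs are evaluated first. Turning off inheritance and removing the Everyone allow leaves the owner's own entry in place, which is why testing either change on a test mailbox first, as suggested in the thread, is worthwhile.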
Question has a verified solution.
