Solved

Inherit permissions on mailboxes

Posted on 2010-11-15
Last Modified: 2012-08-13
Good day. We have an Exchange 2003 server and all mailboxes are set up to allow for everyone in the company to view or access all mailboxes. One user just requested (for security purposes) to not allow anyone to view her mailbox. I was trying to remove the permissions set to Everyone for Read but it tells me that the permissions are inherited and that I have to turn that off.

1) How do you remove those permissions?
2) Will that remove it from all mailboxes?
3) Can I simply alter one mailbox and leave the rest the same as they are now?
0
Question by:sscal
18 Comments
 
LVL 13

Expert Comment

by:markusdamenous
ID: 34141174
As with any ACL, the DENY permission overrides the ALLOW permission.

Instead of making global changes to what is applied, or changing the inheritance on that particular mailbox, just add a DENY permission.
0
 
LVL 1

Author Comment

by:sscal
ID: 34141182
Can you explain to me what you mean by a DENY permission and how would I do that?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34142932
Do properties on her mailbox and go to 'mailbox rights', scroll down till you see the inherited Everyone with 'Full Mailbox Access' = allow. And then tick the Deny box.

Job done, it should be effective within 15 minutes
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34142936
Do the above instructions from ADUC
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34142965
The other thing for you to check is from within her mailbox using Outlook. Right click on the part where it says "Mailbox - <username>" --> Properties then check the permissions and ensure 'Default' and 'Anonymous' have permissions 'None'

Do the same for the Inbox folder, this will stop other users from using Outlook's File--> Open --> other users folder to get into her Inbox
0
 
LVL 1

Author Comment

by:sscal
ID: 34156667
First of all, if I go into her mailbox rights, the "Everyone" permissions state Read - Allow and the checkbox is greyed out so I can't uncheck it. With regards to your second suggestion, going through her Inbox, Anonymous states None as permissions but through AD it states Read - Allow and it is also greyed out. I imagine this is set through group policy but unsure how to change this and especially change it for only one user.
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34193015

You can try adding Everyone on that Mailbox and give a Deny on Read.

Deny should take priority over the Allow Permission.

Force replicate between the Domain Controllers if you have multiple ones.

Check and see if after others are able to access her Mailbox.
0
 
LVL 1

Author Comment

by:sscal
ID: 34193087
Everyone is already added through Exchange and the allow checkbox is grayed out. Won't let me change it that way.
0
 
LVL 13

Accepted Solution

by:
AshwinRaj111 earned 250 total points
ID: 34194021
Yes, I know.

You would not be able to Change the Everyone with the Allow as it is inherited from the Parent Object.

What we can do here is to add another Everyone Group and Give a Deny.
And then see if this works.

Else another thing you can do is to Click on the Security Tab on the User -> Then Click on Advanced Option.
Uncheck the Check Box of "Allow Inheritance from Parent Object"

Then you will be able to edit the Everyone Group.
0
 
LVL 1

Author Comment

by:sscal
ID: 34197645
I tried creating another Everyone group but it did not allow me. It just went to the Everyone group that was already added.

One thing I noticed is that I can check the Deny checkbox for Everyone even though the Allow is checked and grayed out. I didn't apply it because I didn't know what changes it would make and didn't want to screw anything up. I also noticed that in the Security tab there is an Everyone group listed but the only permission it has is Change Password - Deny. Is there anything I can do through there?

You mentioned about unchecking the "Allow inheritance from Parent Object" but would that change it globally on all users or just that one? Also, what other changes would I experience if I unchecked that?
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34197752

The Allow Inheritance is just for that User Alone.

When you uncheck that option it would mean that it will not inherit the security settings from parent object.

The change we will make after unchecking that option is to see if we can remove the Check Mark on Deny for Everyone.

This will help us to make sure that no one apart from that user would be able to access this user's Mailbox.

0
 
LVL 1

Author Comment

by:sscal
ID: 34197773
I am going to create a test account and use that one instead of making changes to a user's account. If you are positive that removing the allow inheritance will not change for anyone else then I can try it?
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34198208

I am very positive for the Allow Inheritance Tab.

But then if you still have Doubts then it is always safe to try with a Test Account.

You can create a test account and then create a new Mailbox for that Test Account.
As per your organization Settings the Everyone Group would be having the Read permission which means that anyone can open the Mailbox.

So you can try opening the Mailbox with your credentials.
Then you can uncheck the Allow Inheritance Check Box and try removing the Check Mark from the Read for Everyone.

Now other users would not be able to access this Mailbox.
0
 
LVL 1

Author Comment

by:sscal
ID: 34198235
I will give that a try either today or tomorrow. I will report back as to how this goes.
0
 
LVL 1

Author Comment

by:sscal
ID: 34231715
So I tried this out but was nervous to go through the whole thing. I received some prompts and was not sure what I should click on these. In the first one, if I select "Copy" I would get the window below. Any idea on these?
Untitled.jpg
0
 
LVL 13

Expert Comment

by:AshwinRaj111
ID: 34231876

On the First Prompt you need to Click on Copy.
This will copy the permission from parent to the child.

On the Second Prompt you would need to click on Yes.

-------

As I said earlier, I understand your concern about making these changes.
You can create a test user with a Mailbox and try it with the test user.
Once you try it with the test user and get the results we want, then we can try the same on the Main User.
0
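The two options discussed in this thread (an explicit Deny for Everyone versus unchecking inheritance, choosing Copy, and removing the Everyone entry) can be compared with a small model of how a Windows-style ACL is evaluated. This is an added example, not code from any poster or from Exchange; it is a simplified model that checks a single right. The `SELF` entry for the mailbox owner, the group sets and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ace:
    trustee: str      # group or principal the entry applies to
    right: str        # e.g. "Read"
    allow: bool       # True = Allow, False = Deny
    inherited: bool   # True = came from the parent object (greyed out in the GUI)

def canonical(dacl):
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, sids, right):
    # First matching entry in canonical order decides; no match means no access.
    for ace in canonical(dacl):
        if ace.right == right and ace.trustee in sids:
            return ace.allow
    return False

def remove_ace(dacl, trustee, right):
    # Inherited entries cannot be edited on the child object.
    if any(a.inherited for a in dacl if (a.trustee, a.right) == (trustee, right)):
        raise PermissionError("entry is inherited; break inheritance first")
    return [a for a in dacl if (a.trustee, a.right) != (trustee, right)]

def break_inheritance_copy(dacl):
    # The "Copy" prompt: inherited entries become explicit copies on this object only.
    return [replace(a, inherited=False) for a in dacl]

# Constructed sample data: one mailbox's entries and two users' group memberships.
MAILBOX = [Ace("SELF", "Read", True, False), Ace("Everyone", "Read", True, True)]
OWNER = {"SELF", "Everyone"}      # assumption: the owner is also a member of Everyone
COWORKER = {"Everyone"}

def option_deny():
    # Option 1: tick Deny for Everyone on this mailbox.
    dacl = MAILBOX + [Ace("Everyone", "Read", False, False)]
    return access_check(dacl, OWNER, "Read"), access_check(dacl, COWORKER, "Read")

def option_break_inheritance():
    # Option 2: uncheck inheritance, choose Copy, then remove the Everyone entry.
    dacl = remove_ace(break_inheritance_copy(MAILBOX), "Everyone", "Read")
    return access_check(dacl, OWNER, "Read"), access_check(dacl, COWORKER, "Read")

if __name__ == "__main__":
    print("explicit Deny for Everyone (owner, coworker):", option_deny())
    print("Copy, then remove Everyone (owner, coworker):", option_break_inheritance())
```

In this model the explicit Deny is evaluated before the owner's own Allow, so it shuts out every member of Everyone including the owner, while the Copy-then-remove route leaves the owner's entry in effect; that difference is worth confirming on the test account before touching the real mailbox.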
