Pau Lo

AD groups and Exchange mailboxes, ACL

Can you explain something to me? My understanding of mailbox security/permissions was that you originally assign a mailbox to a domain account. By default that domain account is the only person who can access the mailbox, inbox, sent items, deleted etc. (this is in Exchange 2003). They (the domain user) can give out delegate rights to other users, or an Exchange admin can give “send as” rights to other domain users.

However, I have just looked at all domain groups in ADUC, and many of them have “mailbox” in the title, i.e. “WXC mailbox access”, and then when I check the membership there are about 40 members. So where (I am very new to mailbox ACLs) does the AD group get added? And how, if these users are part of the group, would they be accessing the mailbox? Via their own domain accounts?

Completely baffled how this works or why someone would set up an AD group to grant a team of users access to a mailbox.
ASKER CERTIFIED SOLUTION
c_gotheridge

Pau Lo

ASKER

Thanks, not being too familiar with Exchange, but how (or what Exchange admin type tool) can be used to see, for a mailbox, which AD groups have been added to it? I guess it was ease of administration, but with groups, unless you are on top of it removing people when they switch job roles, they can still remain with access to the mailbox. For example, if I right click a file directory on a file server (right click > properties > security) I see the ACL entries. Is this concept similar for each mailbox on an Exchange server, i.e. right click it and you'll see each user added to the ACL either via delegate rights or via an AD group membership?

Yes, the concept is similar to assigning permissions to a folder. If you open ADUC on the Exchange server or another server with the Exchange ADUC Extensions and find the user account associated with the WXC Mailbox you can: Right click the user account - Select Properties - Select Mailbox Rights.

In here will be a list of users and groups assigned permissions for the mailbox. Although the WXC mailbox access security group itself will show, users added to that group won't show in the list as they are inheriting their permissions from the security group rather than being directly assigned them.
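
The review described above, as an added example that is not part of the original thread or of any Exchange tool: this Python expands the groups on a mailbox's rights list into the accounts that actually hold access, following nested groups, and flags catch-all groups. The group contents, account names and catch-all list are constructed sample data; in practice they would be copied from the Mailbox Rights list and the groups' membership in ADUC.

```python
# Constructed sample data: every name except "WXC mailbox access" is hypothetical.
GROUP_MEMBERS = {
    "WXC mailbox access": ["alice", "bob", "WXC temps"],
    "WXC temps": ["carol", "WXC mailbox access"],  # nesting loop on purpose
    "Domain Users": ["alice", "bob", "carol", "dave"],
}
# Entries as they would be read off the Mailbox Rights list: (trustee, right).
MAILBOX_RIGHTS = [
    ("wxc-owner", "Full mailbox access"),
    ("WXC mailbox access", "Full mailbox access"),
]
# Assumed list of groups that are too broad for a mailbox ACL.
BROAD_GROUPS = {"everyone", "domain users", "authenticated users"}


def expand(trustee, groups, seen=None):
    """Return the user accounts behind a trustee, following nested groups."""
    seen = set() if seen is None else seen
    if trustee not in groups:
        return {trustee}   # a plain user account
    if trustee in seen:
        return set()       # group already visited: stop nesting loops
    seen.add(trustee)
    users = set()
    for member in groups[trustee]:
        users |= expand(member, groups, seen)
    return users


def effective_access(rights, groups):
    """Map each user to the (right, via-trustee) pairs that grant access."""
    result = {}
    for trustee, right in rights:
        for user in expand(trustee, groups):
            result.setdefault(user, set()).add((right, trustee))
    return result


def broad_entries(rights):
    """Trustees on the ACL that are catch-all groups."""
    return [t for t, _ in rights if t.lower() in BROAD_GROUPS]


if __name__ == "__main__":
    access = effective_access(MAILBOX_RIGHTS, GROUP_MEMBERS)
    for user, grants in sorted(access.items()):
        for right, via in sorted(grants):
            print(f"{user}: {right} (via {via})")
    print("Broad groups on ACL:", broad_entries(MAILBOX_RIGHTS) or "none")
```

Comparing the expanded list against current job roles is what catches people who changed teams but were never removed from the group.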
Pau Lo

ASKER

Could you potentially then add the "everyone" or "domain users" group to a mailbox ACL?