• Status: Solved

AD groups and Exchange mailboxes, ACL

Can you explain something to me? My understanding of mailbox security/permissions was that you originally assign a mailbox to a domain account. By default that domain account is the only person who can access the mailbox, inbox, sent items, deleted etc. (this is in Exchange 2003). They (the domain user) can give out delegate rights to other users, or an Exchange admin can give “send as” rights to other domain users.

However, I have just looked at all domain groups in ADUC, and many of them have “mailbox” in the title, i.e. “WXC mailbox access”, and then when I check the membership there are about 40 members. So where (I am very new to mailbox ACLs) does the AD group get added? And how, if these users are part of the group, would they be accessing the mailbox? Via their own domain accounts?

Completely baffled how this works or why someone would set up an AD group to grant a team of users access to a mailbox.
Asked by: pma111
c_gotheridge Commented:
If I am understanding correctly, there is a user relating to an email address which is along the lines of WXC Mailbox, with permissions assigned to the "WXC mailbox access" security group in the same way that permissions can be granted to a user.

If so, it sounds like it was probably done to simplify administration: rather than manually adding users to the WXC Mailbox account every time someone requires permissions, they are added to the security group, acquiring permissions.

This allows them (depending on permissions granted to the "WXC mailbox access" security group) to open the mailbox (right click on the user's mailbox in the all mail folders window in Outlook and select open other folder) or mount it as an additional mailbox to their own (Tools - Options - Mail Setup - Email Accounts - View or change - Select "Microsoft Exchange Server" and click Change - More settings - Advanced - Add the mailbox name).
pma111 (Author) Commented:
Thanks. Not being too familiar with Exchange, how (or what Exchange admin type tool) can be used to see, for a mailbox, which AD groups have been added to it? I guess it was ease of administration, but with groups, unless you are on top of it removing people when they switch job roles, they can still remain with access to the mailbox. For example, if I right click a file directory on a file server (right click > properties > security) I see the ACL entries. Is this concept similar for each mailbox on an Exchange server, i.e. right click it and you'll see each user added to the ACL either via delegate rights or via an AD group membership?
c_gotheridge Commented:
Yes, the concept is similar to assigning permissions to a folder. If you open ADUC on the Exchange server or another server with the Exchange ADUC Extensions and find the user account associated with the WXC Mailbox you can: Right click the user account - Select Properties - Select Mailbox Rights.

In here will be a list of users and groups assigned permissions for the mailbox. Although the WXC mailbox access security group itself will show, users added to that group won't show in the list as they are inheriting their permissions from the security group rather than being directly assigned them.
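Added example (not part of the original thread or anyone's reply): because the Mailbox Rights list shows only the group and not its members, an access review has to expand each group entry to the accounts behind it. The sketch below does that over constructed data, follows nested groups, and reports domain-wide principals separately; the group members, user names and the export format are assumptions made for illustration.

```python
# Resolve a mailbox ACL to the individual accounts it actually grants access to.
# All data below is constructed; in practice it would come from an export of the
# Mailbox Rights list and of the AD group memberships.

# Principals that cover (almost) every account in the domain.
BROAD_PRINCIPALS = {"everyone", "domain users", "authenticated users"}

# Constructed group -> members map (members may themselves be groups).
GROUPS = {
    "WXC mailbox access": ["alice", "bob", "WXC temps"],
    "WXC temps": ["carol", "WXC mailbox access"],  # nesting loop, handled below
}

# Constructed mailbox ACL: (principal, right) as listed under Mailbox Rights.
MAILBOX_ACL = [
    ("WXC mailbox access", "Full mailbox access"),
    ("dave", "Full mailbox access"),
    ("Domain Users", "Read permissions"),
]


def expand(principal, groups, seen=None):
    """Return the user accounts behind a principal, following nested groups."""
    seen = set() if seen is None else seen
    if principal in seen:        # already visited: breaks membership loops
        return set()
    seen.add(principal)
    if principal not in groups:  # not a known group, so treat it as a user
        return {principal}
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def effective_access(acl, groups):
    """Return ({user: [(right, granting ACL entry)]}, [broad ACL entries])."""
    access, broad = {}, []
    for principal, right in acl:
        if principal.lower() in BROAD_PRINCIPALS:
            broad.append((principal, right))  # not expanded: covers everyone
            continue
        for user in sorted(expand(principal, groups)):
            access.setdefault(user, []).append((right, principal))
    return access, broad
```

Comparing the resulting per-user list against current team membership is what surfaces people who changed roles but were never removed from the group.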
pma111 (Author) Commented:
Could you potentially then add the "everyone" or "domain users" group to a mailbox ACL?