AD groups and Exchange mailboxes, ACL

Posted on 2011-05-04
Last Modified: 2012-05-11
Can you explain something to me? My understanding of mailbox security/permissions was that you originally assign a mailbox to a domain account. By default that domain account is the only person who can access the mailbox, inbox, sent items, deleted etc. (this is in Exchange 2003). They (the domain user) can give out delegate rights to other users, or an Exchange admin can give “send as” rights to other domain users.

However, I have just looked at all domain groups in ADUC, and many of them have “mailbox” in the title, e.g. “WXC mailbox access”, and then when I check the membership there are about 40 members. So where (I am very new to mailbox ACLs) does the AD group get added? And how, if these users are part of the group, would they be accessing the mailbox? Via their own domain accounts?

Completely baffled how this works or why someone would set up an AD group to grant a team of users access to a mailbox.
Question by:pma111

    Accepted Solution

    If I am understanding correctly there is a user relating to an email address which is along the lines of WXC Mailbox with permissions assigned to the "WXC mailbox access" security group in the same way that permissions can be granted to a user.

    If so, it sounds like it was probably done to simplify administration: rather than manually adding users to the WXC Mailbox account every time someone requires permissions, they are added to the security group, acquiring permissions.

    This allows them (depending on permissions granted to the "WXC mailbox access" security group) to open the mailbox (right click on the user's mailbox in the All Mail Folders window in Outlook and select Open Other Folder) or mount it as an additional mailbox to their own (Tools - Options - Mail Setup - Email Accounts - View or change - Select "Microsoft Exchange Server" and click Change - More settings - Advanced - Add the mailbox name)

    Author Comment

    Thanks, not being too familiar with Exchange, but how (or what Exchange admin type tool) can be used to see for a mailbox which AD groups have been added to it? I guess it was ease of administration, but with groups, unless you are on top of it removing people when they switch job roles, they can still remain with access to the mailbox. For example, if I right click a file directory on a file server (right click > properties > security) I see the ACL entries. Is this concept similar for each mailbox on an Exchange server, i.e. right click it and you'll see each user added to the ACL either via delegate rights or via an AD group membership?

    Expert Comment

    Yes, the concept is similar to assigning permissions to a folder. If you open ADUC on the Exchange server or another server with the Exchange ADUC Extensions and find the user account associated with the WXC Mailbox you can: Right click the user account - Select Properties - Select Mailbox Rights.

    In here will be a list of users and groups assigned permissions for the mailbox. Although the WXC mailbox access security group itself will show, users added to that group won't show in the list as they are inheriting their permissions from the security group rather than being directly assigned them.

    Author Comment

    Could you potentially then add the "everyone" or "domain users" group to a mailbox ACL?
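
An added example, not part of the thread and not Exchange's own tooling: because the Mailbox Rights list shows the group but not its members, reviewing who can really open a mailbox means expanding each group entry (including nested groups) and flagging very broad trustees such as "Domain Users". All account names, the "WXC team leads" group, the "HR Mailbox" entry and the rights strings are constructed sample data standing in for an export of the ACL and group memberships.

```python
# Constructed sample data; none of it comes from a real directory.
# Group membership as AD would hold it: group name -> direct members.
GROUPS = {
    "WXC mailbox access": ["alice", "bob", "WXC team leads"],
    "WXC team leads": ["carol", "WXC mailbox access"],  # nested, with a loop
    "Domain Users": ["alice", "bob", "carol", "dave", "erin"],
}
# Mailbox Rights entries as the tab lists them: (trustee, right).
MAILBOX_ACL = {
    "WXC Mailbox": [("WXC mailbox access", "Full Mailbox Access"),
                    ("dave", "Full Mailbox Access")],
    "HR Mailbox": [("Domain Users", "Full Mailbox Access")],  # hypothetical
}
# Trustees that cover (nearly) every account and deserve a finding.
BROAD_TRUSTEES = {"everyone", "domain users", "authenticated users"}


def expand(trustee, groups, seen=None):
    """Return the user accounts behind a trustee, following nested groups."""
    seen = set() if seen is None else seen
    if trustee not in groups:
        return {trustee}          # not a known group: treat as a user account
    if trustee in seen:
        return set()              # already visited: break the membership loop
    seen.add(trustee)
    users = set()
    for member in groups[trustee]:
        users |= expand(member, groups, seen)
    return users


def audit(mailbox, acl=MAILBOX_ACL, groups=GROUPS):
    """Map each effective user to the ACL entries granting access; list broad trustees."""
    effective, broad = {}, []
    for trustee, right in acl[mailbox]:
        if trustee.lower() in BROAD_TRUSTEES:
            broad.append(trustee)
        for user in expand(trustee, groups):
            via = "direct" if user == trustee else trustee
            effective.setdefault(user, []).append((right, via))
    return effective, broad


if __name__ == "__main__":
    for mbx in MAILBOX_ACL:
        effective, broad = audit(mbx)
        print(mbx, "- broad trustees:", broad)
        for user in sorted(effective):
            print("   ", user, effective[user])
```

Comparing the expanded list against current job roles is what catches people who changed teams but were never removed from the group.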