Solved

Exchange 2010 mailbox permissions inheritance

Posted on 2011-09-08
Last Modified: 2012-05-12

Migrated from Exchange 2003 to 2010 back in May 2011 and all seems well and good.
Looking under the bonnet of mailbox permissions, I have found a security group called ExMerge, created for use in Exchange 2003, that has inherited access to all mailboxes.

The command: Get-Mailbox -Server "server" | Get-MailboxPermission | where { ($_.User -like "DOMAIN\ExMerge") }
shows it does have inherited access to all mailboxes.

If I focus on one object, such as a meeting room,
I can see the mailbox permissions show ExMerge has Read rights (shown in bold below).

Where are these rights inherited from? It does not say the inherited object pathname, so I cannot try and remove ExMerge from the correct location.
Kind Regards
fosseitsl

[PS] C:\>Get-MailboxPermission -identity meetingroom1 | fl


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, SendAs, ExternalAccount, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : False
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Public Folder Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SYSTEM
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\NETWORK SERVICE
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\ExMerge
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Delegated Setup
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Trusted Subsystem
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True
LVL 12

Accepted Solution

by:
michaelgoldsmith earned 250 total points
ID: 36503478
The ExMerge tool is just a tool.

Somewhere along the line you added a user or gave a user ExMerge permissions. To secure the network, limit access to accounts that are delegated the Exchange Full Admins role to the organization or admin group objects.

Author Comment

by:fosseitsl
ID: 36503598
Michaelgoldsmith - yes, ExMerge is a group that I would like to remove from the permissions list.
It is inherited from somewhere, but I cannot find where.

Kind Regards
fosseitsl
LVL 49

Assisted Solution

by:Akhater
Akhater earned 250 total points
ID: 36503622
Start with the easy one: open ADUC, View -> Advanced Features, right-click the domain name -> Properties -> Security, and check whether ExMerge is listed there.

Author Comment

by:fosseitsl
ID: 36508579
Thank you for your comments. I found it in ADSI Edit -> Configuration:
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Security tab: the ExMerge group was listed there.

I removed it, but had to wait overnight for the permissions to be removed from the mailboxes.
Thanks for your comments; points split.
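A scripted version of the search the author ended up doing by hand in ADSI Edit, added here as an example and not code from the thread. It assumes the Exchange 2010 Management Shell and the RSAT ActiveDirectory module are loaded, and uses DOMAIN\ExMerge from the question as a placeholder for the group being audited.

```powershell
# Added example, not code from the original thread. Assumes the Exchange 2010
# Management Shell plus the ActiveDirectory (RSAT) module, and that the group
# under investigation is DOMAIN\ExMerge (placeholder taken from the question).
Import-Module ActiveDirectory

$Identity = 'DOMAIN\ExMerge'

# The container the author found the group on. Inherited mailbox ACEs in
# Exchange 2010 flow down from the organization's configuration objects, so
# that subtree is where the explicit grant has to live.
$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$ExchangeRoot = "CN=Microsoft Exchange,CN=Services,$ConfigNC"

# Walk the subtree and report every object where the identity holds an ACE
# set directly on that object (IsInherited = False). That object is the one
# to remove the group from; the inherited copies elsewhere follow from it.
function Find-ExplicitAce {
    param([string]$SearchBase, [string]$Principal)

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * |
        ForEach-Object {
            $dn  = $_.DistinguishedName
            $acl = Get-Acl -Path ("AD:\" + $dn)
            foreach ($ace in $acl.Access) {
                if ($ace.IdentityReference.Value -eq $Principal -and -not $ace.IsInherited) {
                    [PSCustomObject]@{
                        Object      = $dn
                        Rights      = $ace.ActiveDirectoryRights
                        Type        = $ace.AccessControlType
                        Inheritance = $ace.InheritanceType
                    }
                }
            }
        }
}

Find-ExplicitAce -SearchBase $ExchangeRoot -Principal $Identity | Format-List

# After removing the explicit ACE, confirm the inherited entries have drained
# from the mailboxes. The author notes this took until the next day, so an
# empty result here is the real completion signal, not the ADSI Edit change.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User -like $Identity -and $_.IsInherited } |
    Select-Object Identity, AccessRights, Deny
```

The first half is read-only and safe to run before touching anything; the second half is the same query the question opened with, narrowed to inherited entries so it doubles as the post-cleanup check.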
LVL 49

Expert Comment

by:Akhater
ID: 36508595
Thank you for the update and the points. ADSI Edit was indeed the second place to look.

Well done.