Solved

Exchange 2010 mailbox permissions inheritance

Posted on 2011-09-08
5
5,027 Views
1 Endorsement
Last Modified: 2012-05-12

Migrated from Exchange 2003 to 2010 back in May 2011 and all seems well and good.
Looking under the bonnet of mailbox permissions - I have found a security group called ExMerge created for use in Exchange 2003 that has inherited access to all mailboxes.

The command: Get-Mailbox -Server "server" | Get-MailboxPermission | where { ($_.User -like "DOMAIN\ExMerge") }
shows it does have inherited access to all mailboxes.

If I focus on one object, such as a meeting room,
I can see the mailbox permissions show ExMerge has Read rights, shown in bold below.

Where are these rights inherited from? It does not say the inherited object path name, so I cannot find the correct location from which to remove ExMerge.
Kind Regards
fosseitsl

[PS] C:\>Get-MailboxPermission -identity meetingroom1 | fl


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, SendAs, ExternalAccount, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : False
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Public Folder Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SYSTEM
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\NETWORK SERVICE
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\ExMerge
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Delegated Setup
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Trusted Subsystem
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True
Question by: fosseitsl
5 Comments
 
LVL 12

Accepted Solution

by:
michaelgoldsmith earned 250 total points
ID: 36503478
The ExMerge tool is just a tool.

Somewhere along the line you added a user or gave a user ExMerge permissions. To secure the network, limit access to accounts that are delegated the Exchange Full Admins role to the organization or admin group objects.
 

Author Comment

by:fosseitsl
ID: 36503598
michaelgoldsmith - yes, ExMerge is a group that I would like to remove from the permissions list.
It is inherited from somewhere, but I cannot find where.

Kind Regards
fosseitsl
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 250 total points
ID: 36503622
Start with the easy one: open ADUC, View -> Advanced Features, right-click Properties on the domain name -> Security, and check whether ExMerge is found there.
 

Author Comment

by:fosseitsl
ID: 36508579
Thank you for your comments - I found it in ADSI Edit -> Configuration:
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Security tab - the ExMerge group was listed there.

I removed it but had to wait overnight for the permissions to be removed from the mailboxes.
Thanks for your comments - points split
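The two checks in this thread, the mailbox-side listing from the question and the directory-side search that ended in ADSI Edit, can be scripted as one audit. The script below is an added example and not code from the thread or from Microsoft; it assumes the Exchange 2010 Management Shell (for Get-Mailbox and Get-MailboxPermission) on a domain-joined host, and it uses only System.DirectoryServices for the directory part, so no extra module is needed. $Trustee is a placeholder for the DOMAIN\Group whose inherited rights you want to trace, and the list of candidate containers (domain root, the CN=Microsoft Exchange services container the author found, and the organization and administrative-group objects beneath it) is the author's own assumption about where such an ACE is normally set.

```powershell
# Added example, not code from the original thread. Assumes the Exchange 2010
# Management Shell on a domain-joined host; the directory queries use plain
# System.DirectoryServices. $Trustee is a placeholder for your own group.
$Trustee = "DOMAIN\ExMerge"

# --- 1. Mailbox side: where does the trustee appear, and is the ACE inherited? ---
$mailboxAces = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User.ToString() -eq $Trustee }

"Mailboxes with an ACE for ${Trustee}: $(@($mailboxAces).Count)"
$mailboxAces | Select-Object Identity, AccessRights, Deny, IsInherited | Format-Table -AutoSize

# --- 2. Directory side: find the explicit ACE those mailbox entries inherit from ---
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNC  = $rootDse.configurationNamingContext
$defaultNC = $rootDse.defaultNamingContext
$exchRoot  = "CN=Microsoft Exchange,CN=Services,$configNC"

# Candidate containers (assumed): the domain root (the ADUC check above), the
# Exchange services container (where the author found the group), and every
# organization / administrative-group object beneath it.
$candidates = @("LDAP://$defaultNC", "LDAP://$exchRoot")

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$exchRoot"
$searcher.SearchScope = "Subtree"
$searcher.Filter      = "(|(objectClass=msExchOrganizationContainer)(objectClass=msExchAdminGroup))"
$searcher.FindAll() | ForEach-Object { $candidates += $_.Path }

$report = foreach ($path in $candidates) {
    $entry = [ADSI]$path
    # Only non-inherited ACEs matter here: an inherited one just points further up the tree.
    $entry.psbase.ObjectSecurity.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Container   = $path
                Rights      = $_.ActiveDirectoryRights
                Type        = $_.AccessControlType     # Allow or Deny
                Inheritance = $_.InheritanceType
            }
        }
}

if ($report) {
    "Explicit ACEs for ${Trustee}:"
    $report | Format-Table Container, Rights, Type, Inheritance -AutoSize
} else {
    "No explicit ACE for $Trustee on the checked containers; inspect the ACL of each mailbox's parent OU next."
}
```

The script only reads. Once the report names the container, remove the entry there with ADSI Edit as the author did, then re-run step 1 to confirm; as the author observed, the inherited entries on the mailboxes themselves did not disappear immediately, so allow time before treating a lingering entry as a second source.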
 
LVL 49

Expert Comment

by:Akhater
ID: 36508595
Thank you for the update and the points. ADSI Edit was indeed the second place to look.

Well done.
