Solved

Exchange 2010 mailbox permissions inheritance

Posted on 2011-09-08
Last Modified: 2012-05-12

Migrated from Exchange 2003 to 2010 back in May 2011 and all seems well and good.
Looking under the bonnet of mailbox permissions - I have found a security group called ExMerge created for use in Exchange 2003 that has inherited access to all mailboxes.

The command:
Get-Mailbox -Server "server" | Get-MailboxPermission | where { ($_.User -like "DOMAIN\ExMerge") }
shows it does have inherited access to all mailboxes.

If I focus on one object, such as a meeting room, I can see the mailbox permissions show ExMerge has Read rights, shown in bold below.

Where are these rights inherited from? It does not say the inherited object pathname so that I can try and remove ExMerge from the correct location.
Kind Regards
fosseitsl

[PS] C:\>Get-MailboxPermission -identity meetingroom1 | fl


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, SendAs, ExternalAccount, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : False
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Public Folder Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SYSTEM
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\NETWORK SERVICE
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\ExMerge
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Delegated Setup
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Trusted Subsystem
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True
Question by:fosseitsl
5 Comments
 
LVL 12

Accepted Solution

by:
michaelgoldsmith earned 1000 total points
ID: 36503478
The ExMerge tool is just a tool.

Somewhere along the line you added a user or gave a user ExMerge permissions. To secure the network, limit access to accounts that are delegated the Exchange Full Admins role to the organization or admin group objects.
0
 

Author Comment

by:fosseitsl
ID: 36503598
Michaelgoldsmith - yes ExMerge is a group that I would like to remove from the permissions list.
It is inherited from somewhere but I cannot find where.

Kind Regards
fosseitsl
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 1000 total points
ID: 36503622
Start with the easy one: open ADUC, View -> Advanced Features, then right-click -> Properties on the domain name -> Security, and check whether ExMerge is found there.
0
 

Author Comment

by:fosseitsl
ID: 36508579
Thank you for your comments - I found in adsiedit -> Configuration
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Security Tab - ExMerge group was listed there.

I removed it but had to wait overnight for the permissions to be removed from the mailboxes.
Thanks for your comments - points split
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36508595
Thank you for the update and the points. ADSI Edit was indeed the second place to look.

Well done.
0
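
The search that ended at CN=Microsoft Exchange in the thread above can be scripted instead of browsed in ADSI Edit. This is an added example, not code from any poster: the function name Find-ExplicitAceSource is hypothetical, and it assumes that mailbox ACEs flagged IsInherited come down from the mailbox database object and the Configuration containers above it.

```powershell
# Added example; run in the Exchange Management Shell with read access to the
# Configuration partition. 'meetingroom1' and 'DOMAIN\ExMerge' are the names
# used in the question above.
function Find-ExplicitAceSource {
    param(
        [string]$Mailbox,     # mailbox whose inherited ACE is being traced
        [string]$Principal    # account or group to look for, e.g. 'DOMAIN\ExMerge'
    )

    # Resolve the mailbox's database, then take the database object's DN.
    # Assumption: this object is the first parent in the inheritance chain.
    $dbName = "$((Get-Mailbox -Identity $Mailbox).Database)"
    $dn = (Get-MailboxDatabase -Identity $dbName).DistinguishedName

    # Walk up one container at a time until the DC= components are reached.
    while ($dn -like 'CN=*') {
        # An ACE that is NOT inherited at this level was set on this object.
        Get-ADPermission -Identity $dn |
            Where-Object { $_.User -like $Principal -and -not $_.IsInherited } |
            Select-Object @{ n = 'SetOn'; e = { $dn } }, User, Deny,
                          AccessRights, ExtendedRights, InheritanceType

        # Drop the leading RDN; the look-behind skips escaped commas (\,).
        $dn = ($dn -split '(?<!\\),', 2)[1]
    }
}

Find-ExplicitAceSource -Mailbox 'meetingroom1' -Principal 'DOMAIN\ExMerge' |
    Format-List
```

Each row returned names, in SetOn, a container where the ACE is set explicitly; every level that only inherits it produces no output.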
