Solved

Exchange 2010 mailbox permissions inheritance

Posted on 2011-09-08
Last Modified: 2012-05-12

Migrated from Exchange 2003 to 2010 back in May 2011 and all seems well and good.
Looking under the bonnet of mailbox permissions - I have found a security group called ExMerge created for use in Exchange 2003 that has inherited access to all mailboxes.

The command: Get-Mailbox -Server "server" | Get-MailboxPermission | where { ($_.User -like "DOMAIN\ExMerge") }
shows it does have inherited access to all mailboxes.

If I focus on one object - such as a meeting room
I can see the mailbox permissions show ExMerge has Read rights, shown in bold below.

Where are these rights inherited from? It does not say the inherited object pathname, so that I can try to remove ExMerge from the correct location.
Kind Regards
fosseitsl

[PS] C:\>Get-MailboxPermission -identity meetingroom1 | fl


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, SendAs, ExternalAccount, ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SELF
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : False
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : True
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Public Folder Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\SYSTEM
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : NT AUTHORITY\NETWORK SERVICE
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Domain Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Servers
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\ExMerge
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True


RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {ReadPermission}
Deny            : False
InheritanceType : All
User            : DOMAIN\Delegated Setup
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Organization Management
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Exchange Trusted Subsystem
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Administrator
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Enterprise Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

RunspaceId      : 7a9f30fa-e77a-4811-a46e-609f39b4aca7
AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny            : False
InheritanceType : All
User            : DOMAIN\Domain Admins
Identity        : domain.local/Rooms/Meeting Room 1
IsInherited     : True
IsValid         : True

Accepted Solution

by:
michaelgoldsmith earned 250 total points
ID: 36503478
The ExMerge tool is just a tool.

Somewhere along the line you added a user or gave a user ExMerge permissions. To secure the network, limit access to accounts that are delegated the Exchange Full Admins role to the organization or admin group objects.

Author Comment

by:fosseitsl
ID: 36503598
Michaelgoldsmith - yes, ExMerge is a group that I would like to remove from the permissions list.
It is inherited from somewhere, but I cannot find where.

Kind Regards
fosseitsl

Assisted Solution

by:Akhater
Akhater earned 250 total points
ID: 36503622
Start with the easy one: open ADUC, View -> Advanced Features, then right-click the domain name -> Properties -> Security and check whether ExMerge is found there.

Author Comment

by:fosseitsl
ID: 36508579
Thank you for your comments. I found it in ADSI Edit -> Configuration
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Security Tab - ExMerge group was listed there.

I removed it but had to wait overnight for the permissions to be removed from the mailboxes.
Thanks for your comments - points split
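As an added example that is not part of this thread, the following PowerShell (Exchange Management Shell plus the ActiveDirectory module, which provides the AD: drive) first checks whether the ACEs a mailbox shows for a principal are explicit or inherited, then walks up from the Exchange organization container the author found toward the domain root and reports every ACE that names that principal, so the object where the right was granted can be located before anything is removed. The Find-SourceAce function and the DN-walking logic are this example's own assumptions, not a Microsoft cmdlet, and the group name and DN are the thread's values used as placeholders.

```powershell
# Added example, not from the thread. Assumes the Exchange Management Shell with the
# ActiveDirectory module available (it provides the AD: drive) and uses the thread's
# group name and configuration DN as placeholder values.
Import-Module ActiveDirectory

$Principal = 'DOMAIN\ExMerge'
$ConfigDN  = 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'

# 1. Scope: which mailboxes carry an ACE for the principal, and is it inherited?
#    An explicit ACE (IsInherited = False) sits on the mailbox itself and is removed
#    with Remove-MailboxPermission; an inherited one can only be removed at its source.
$aces = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User.ToString() -eq $Principal }
$aces | Group-Object IsInherited |
    ForEach-Object { '{0,4} ACE(s) for {1}, IsInherited={2}' -f $_.Count, $Principal, $_.Name }

# 2. Source: inherited mailbox ACEs flow down the Exchange configuration tree, so walk
#    from the organization container up to the domain root and report every ACE naming
#    the principal. The first hit with IsInherited = False is where it was granted
#    (the object whose ADSI Edit "Security" tab the thread describes).
function Find-SourceAce {
    param([string]$Dn, [string]$Identity)
    $current = $Dn
    while ($current) {
        $acl = Get-Acl -Path "AD:\$current"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq $Identity) {
                # New-Object keeps this runnable on the PowerShell 2.0 shell Exchange 2010 uses
                New-Object PSObject -Property @{
                    ObjectDN    = $current
                    Rights      = $ace.ActiveDirectoryRights
                    Type        = $ace.AccessControlType
                    IsInherited = $ace.IsInherited
                    Inheritance = $ace.InheritanceType
                }
            }
        }
        # Stop once the domain root has been checked; otherwise drop the first RDN
        # (splitting only on unescaped commas) to move to the parent object.
        if ($current -match '^DC=') { break }
        $current = ($current -split '(?<!\\),', 2)[1]
    }
}
Find-SourceAce -Dn $ConfigDN -Identity $Principal | Format-Table -AutoSize
```

Re-run step 1 after the source ACE is removed; as the author observed, mailbox ACLs are rebuilt on a schedule, so the inherited entries disappear only after propagation rather than immediately.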

Expert Comment

by:Akhater
ID: 36508595
Thank you for the update and the points. ADSI Edit was indeed the second place to look.

well done