• Status: Solved

Exchange 2010 mailbox permission.

Hello,

We use an Exchange 2010 environment.

When I go to Manage Full Access Permission, I see there is a security principal entry: "NT AUTHORITY\REMOTE INTERACTIVE LOGON".

Does someone know what that means? I just need to know if someone will have access to a mailbox. What if I remove that entry there?

Thanks.
Asked by: nav2567
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
 
TheGeezer2010 Commented:
Do you have BackupExec or similar? The likelihood is that the BESA account needs to be a member of this group, which in turn is added to the ACL for all mailboxes.
 
nav2567 (Author) Commented:
I have read that article but it did not help.

We have mailboxes where "NT AUTHORITY\REMOTE INTERACTIVE LOGON" appears in Manage Full Access Permission all of a sudden. I am not sure where it comes from. Usually, I see "NT AUTHORITY\SELF" and "NT AUTHORITY\SYSTEM" in regular mailboxes.

 
PYThePorkpie Commented:
REMOTE INTERACTIVE LOGON is users who have logged on through a Terminal Services logon.
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Looking at some articles, I think it requires some rights for backup\restore, as I am seeing this on a lot of Symantec blogs.

- Rancy
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
As said, it's also used by Terminal Servers when users log into their mailbox from Terminal Servers.
 
TheGeezer2010 Commented:
Well, as you are aware, this is a system-managed group which is used in RDP (your security principal is added to this group when you use RDP). You say this appeared there; can you tie in when - did it perhaps coincide with the installation of a program - maybe an enterprise-level program, and likely one which allows remote access? If the answer is yes, then all you should need to do is consult the documentation on the permissions the service account needs.
If the answer is no, I have personally not heard of this on an Exchange mailbox permission. I would advocate that you remove this from a non-essential mailbox, but one on which you are able to assess the impact, and maybe verify over a period of time that you get no related permissions errors in the event log.
 
PYThePorkpie Commented:
How are your users connecting to their mailboxes? If they are using RDP from a home computer, for instance, then that would be considered a Remote Interactive logon, and if that's how they access e-mail it may be nothing to worry about. I checked our users and none of them have that right, but they use Outlook or OWA only via LAN or VPN, not RDP.
 
TheGeezer2010 Commented:
It is my understanding that the users are added dynamically to this group, and therefore removed once the RDP session is closed down. For this group to have these permissions on your mailboxes, I would suspect that an application has been installed which adds this, but it could be that this is created when users use TS to access their Exchange MBXs - maybe someone with this configuration can confirm/deny this? Do your own users access via TS?

The last thing I would check is what accounts are members of this group - this may well give you a clue as to why it has the Full Control on all mailboxes.

Hope this is useful
 
nav2567 (Author) Commented:
Guys, is there a way to log when an account is being added to the permissions of a mailbox?
 
TheGeezer2010 Commented:
General mailbox auditing:

http://technet.microsoft.com/en-us/library/ff459237.aspx

This is FYI, as it will not tell you about any changes to permissions - you will need to set up auditing through AD for this. You can also set up a PS script to e-mail you in the event of any changes.
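
One way to build the polling script suggested in the comment above, as an added example that is not part of the original thread: it snapshots allow FullAccess entries with Get-MailboxPermission, compares them with the previous run and e-mails the differences, marking whether each entry is inherited. The snapshot path, SMTP server and mail addresses are assumed placeholders.

```powershell
# Run in the Exchange Management Shell (written to work on Exchange 2010 / PowerShell 2.0).
# Assumed placeholders: adjust the path, SMTP server and addresses for your environment.
$SnapshotPath = 'C:\Scripts\FullAccessSnapshot.xml'
$SmtpServer   = 'smtp.example.local'
$MailFrom     = 'exchange-audit@example.local'
$MailTo       = 'exchange-admins@example.local'
$WatchedUser  = 'NT AUTHORITY\REMOTE INTERACTIVE LOGON'

# One flat string per allow FullAccess entry: mailbox | trustee | inherited or explicit.
$current = @(Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.Deny -and ($_.AccessRights -like '*FullAccess*') } |
        ForEach-Object {
            '{0}|{1}|Inherited={2}' -f $mbx.PrimarySmtpAddress, $_.User, $_.IsInherited
        }
} | Sort-Object -Unique)

# Entries that currently grant FullAccess to the principal discussed in this thread.
$watched = @($current | Where-Object { $_ -like "*|$WatchedUser|*" })

# Diff against the previous snapshot; the first run only records a baseline.
$changes = @()
if ((Test-Path $SnapshotPath) -and ($current.Count -gt 0)) {
    $previous = @(Import-Clixml -Path $SnapshotPath)
    if ($previous.Count -gt 0) {
        $changes = @(Compare-Object -ReferenceObject $previous -DifferenceObject $current |
            ForEach-Object {
                if ($_.SideIndicator -eq '=>') { "ADDED   $($_.InputObject)" }
                else                           { "REMOVED $($_.InputObject)" }
            })
    }
}
$current | Export-Clixml -Path $SnapshotPath

# Mail only when something changed since the last run.
if ($changes.Count -gt 0) {
    $lines = $changes + '' + "Current FullAccess entries for ${WatchedUser}:" + $watched
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "Mailbox FullAccess changes: $($changes.Count)" `
        -Body ($lines -join "`r`n")
}

# Also emit the changes so an interactive run shows them on screen.
$changes
```

Run it from a scheduled task under an account that can read mailbox permissions. It reports what changed between two runs, not who made the change.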
