Areas to adjust mailbox permissions

So I have an issue with users having too many rights to other users' mailboxes. It's not universal, but I'm not sure at what layer the permissions are being set.

Initially I was just focused on one user having access to another user's mailbox and wanted to put a stop to it. Initially I adjusted the Full Access permissions on Exchange. That's where I tend to set these sorts of permissions up. I removed the user and thought that would resolve it. It did not. I thought maybe slow replication, forced replication, and the issue remained.

Set up my session's Outlook profile for both users and logged into Outlook as both. I checked the source user and her sharing permissions. Default was set up as Reviewer, which I removed, but this again did not resolve the issue.

I verified settings with another high-level user which I knew others should not have access to. To my surprise, when I did some baseline testing to make sure my testing methods were sound, they failed. They had access to this secure user, which they should not. I double-checked her sharing permissions as well as the Exchange permissions, and they are both restricted.

Checked a brand new user who was just set up, and they can all access this mailbox as well. No custom permissions with this new account.

I checked some of the executives and surprisingly, most of them are secure and the users could not gain access, but not all.

There is some other level of security at play here. I'm looking for ideas on what may need to be adjusted to gain back my mailbox security. If users need access to other users' mailboxes, I want to maintain that in the Exchange Full Access permissions ideally.

Thanks for your help.
tw525 Author Commented:
I found the issue. I was checking permissions at the top-level mailbox, but not checking permissions set specifically on the Inbox. I found the loophole there and was able to correct it and block users from opening undesired mailboxes.

Thanks for your help gentlemen!
Chris Commented:
They can get applied in 3 different ways:
Database level
Mailbox level
AD level

The first two you will be able to see from "Manage Full Access Permissions".
If they have been set at the database level they will propagate down and would be on all mailboxes, so probably not that level.

AD-level permissions can be seen from Exchange PowerShell, and for some you can see them through Outlook by looking at the mailbox permissions there.
That gives you a start to seeing the permissions.
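The three layers above can be checked from one script. The following is an added example written for this thread, not code posted by any participant; it assumes an Exchange Management Shell session (the Get-ADPermission / Get-MailboxPermission cmdlets used elsewhere in this thread) and uses placeholder values for the trustee account and the mailbox alias.

```powershell
# Added example: show where a given trustee's rights on a mailbox come from.
# Assumes an Exchange Management Shell; $Trustee and $Mailbox are placeholders.
param(
    [string]$Trustee = 'CONTOSO\someuser',   # placeholder: the account you are auditing
    [string]$Mailbox = 'sarah'               # placeholder: alias of the mailbox being opened
)

$findings = @()

# 1. Database level: an ACE here is inherited by every mailbox in that database,
#    so it would explain "everyone can open this mailbox" symptoms.
$db = (Get-Mailbox -Identity $Mailbox).Database
Get-MailboxDatabase -Identity $db | Get-ADPermission -User $Trustee |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Level     = 'Database'
            Object    = "$($_.Identity)"
            Rights    = ($_.AccessRights -join ',')
            Deny      = $_.Deny
            Inherited = $_.IsInherited
        }
    }

# 2. Mailbox level: the Full Access entries that "Manage Full Access Permissions" displays.
#    IsInherited = True on an entry means it actually came from the database or server.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { "$($_.User)" -like $Trustee } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Level     = 'Mailbox'
            Object    = "$($_.Identity)"
            Rights    = ($_.AccessRights -join ',')
            Deny      = $_.Deny
            Inherited = $_.IsInherited
        }
    }

# 3. AD level: ACEs on the user object itself (for example Send-As or generic rights).
Get-ADPermission -Identity $Mailbox |
    Where-Object { "$($_.User)" -like $Trustee } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Level     = 'AD object'
            Object    = "$($_.Identity)"
            Rights    = ($_.AccessRights -join ',') + ' ' + ($_.ExtendedRights -join ',')
            Deny      = $_.Deny
            Inherited = $_.IsInherited
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "No database, mailbox or AD-level entries for $Trustee on $Mailbox."
    Write-Output "Check folder-level sharing permissions (Get-MailboxFolderPermission) next."
} else {
    $findings | Select-Object Level, Object, Rights, Deny, Inherited | Format-Table -AutoSize
}
```

Read the Inherited column before removing anything: an inherited mailbox-level entry cannot be removed on the mailbox and has to be taken off the object it was inherited from. An empty result does not mean the trustee has no access, only that the access is not granted at these three layers.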

Subsun Commented:
Run the following commands to check if the user has permission at the server level or database level:
# Server-level ACEs for the account
Get-ExchangeServer | Get-ADPermission -User "domain\user"
# Database-level ACEs for the account (these propagate to every mailbox in the database)
Get-MailboxDatabase | Get-ADPermission -User "domain\user"

If you are able to find the permission for the user, then you can use the following commands to remove it.

For server:
Get-ExchangeServer | Remove-ADPermission -User "domain\user" -AccessRights GenericAll

For database:
Get-MailboxDatabase | Remove-ADPermission -User "domain\user" -AccessRights GenericAll

tw525Author Commented:
Subsun, when running your commands I get no output.

Hope you have replaced domain\user with the account whose details you are checking. If yes, the permissions are not assigned at the server or database level.

Probably the permissions are assigned at the user level. The following commands will show you what permissions TEST\Administrator has on subsun's mailbox:
# AD ACEs on the mailbox user object
Get-ADPermission -Identity subsun | ? { $_.User -like "TEST\Administrator" }
# Mailbox-level (Full Access) entries
Get-MailboxPermission -Identity subsun | ? { $_.User -like "TEST\Administrator" }

tw525Author Commented:
Subsun, yes, I replaced domain\user with the proper info. I'll try your new commands.

Interesting side note. To date the majority of my testing has come from logging into my own machine as administrator and then creating an Outlook profile for each user whose permissions I want to test.

I have actually gone to users' local machines and verified the issue I described above. However, most times when I make a change and then test it, I'm doing so at my own machine, logged in as admin, and under an Outlook profile I created for them.

The reason I bring this up is I just sent a user (we'll call her Courtney) instructions for adding an additional mailbox of another user (we'll call her Sarah). She got the instructions and was able to add the mailbox but asked for permissions as she can't open Sarah's mailbox. Given all the recent troubles with mailbox access, I decided to test it.

As usual I'm logged into my machine as admin and set up an Outlook profile for Courtney. I added the additional mailbox (Sarah's mailbox), only I WAS able to access it.

So I guess this begs the question: are my testing procedures flawed? When, in AD, I'm logged onto my machine with the domain admin credentials and I create an Outlook profile for a different user to test their permission level, am I really testing their permission level or that of the domain admin?

You need to use Courtney's credentials to log in to the computer and test the access.
Also you can try opening Courtney's Outlook profile with her credentials from your user profile. But if you use your credentials to open Courtney's mailbox, then your permissions will take precedence.
tw525Author Commented:
Sharing permissions can be set on the overall mailbox or on the subfolders, most typically the Inbox. I found that while I had locked down the mailbox, I neglected to look specifically at whether the Inbox had any additional share permissions set, which it did. Closing that eliminated the loophole.
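Folder-level sharing is the layer the three-layer check earlier in the thread does not cover, and it is what Outlook's folder "Permissions" tab writes. The script below is an added example for this thread, not code posted by any participant; it assumes an Exchange 2010 or later Management Shell (Get-MailboxFolderStatistics, Get-MailboxFolderPermission, Set-MailboxFolderPermission and Remove-MailboxFolderPermission) and a placeholder mailbox alias. It walks every folder, reports any entry that grants more than None, and, only when -Fix is passed, shows what the cleanup would do under -WhatIf.

```powershell
# Added example: audit (and optionally reset) folder-level sharing permissions on a mailbox,
# including the mailbox root ("Top of Information Store") and the Inbox.
# Assumes an Exchange 2010+ Management Shell; $Mailbox is a placeholder alias.
param(
    [string]$Mailbox = 'sarah',   # placeholder: alias of the mailbox to audit
    [switch]$Fix                  # report only unless this switch is given
)

# Build the "alias:\Folder\Subfolder" identities the folder-permission cmdlets expect.
$folderIds = Get-MailboxFolderStatistics -Identity $Mailbox |
    ForEach-Object { "{0}:{1}" -f $Mailbox, ($_.FolderPath -replace '/', '\') }

$findings = foreach ($id in $folderIds) {
    # Some system folders have no permission set and return an error; skip those quietly.
    Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -notcontains 'None' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Folder = $id
                User   = "$($_.User)"                 # "Default", "Anonymous" or a display name
                Rights = ($_.AccessRights -join ',')  # e.g. Reviewer, Editor, Owner
            }
        }
}

if (-not $findings) {
    Write-Output "No folder in $Mailbox grants more than None to anyone."
    return
}

# "Default" with Reviewer on the Inbox is exactly the loophole described in this thread:
# every authenticated user can read the folder regardless of Full Access settings.
$findings | Select-Object Folder, User, Rights | Format-Table -AutoSize

if ($Fix) {
    foreach ($p in $findings) {
        # Default and Anonymous cannot be removed, only reset to None; named users are removed.
        if (@('Default', 'Anonymous') -contains $p.User) {
            Set-MailboxFolderPermission -Identity $p.Folder -User $p.User -AccessRights None -WhatIf
        } else {
            Remove-MailboxFolderPermission -Identity $p.Folder -User $p.User -Confirm:$false -WhatIf
        }
    }
}
```

Run it without -Fix first and review the list; a named user with Editor on the Inbox may be a legitimate delegate that the mailbox owner set up deliberately. Drop -WhatIf only after the findings have been checked against the access the owner actually wants to keep, and keep the intentional grants in Exchange Full Access as the question proposes, so that there is one place to look.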