tw525

Areas to adjust mailbox permissions

So I have an issue with users having too many rights to other users' mailboxes.  It's not universal, but I'm not sure on what layer the permissions are being set at.  

Initially I was just focused on one user having access to another user's mailbox and wanted to put a stop to it.  Initially I adjusted the full access permissions on Exchange.  That's where I tend to set these sort of permissions up.  I removed the user and thought that would resolve.  It did not.  I thought maybe slow replication, forced replication and issue remained.

Set up my session's Outlook profile for both users and logged into Outlook as both.  I checked the source user and her sharing permissions.  Default was set up as Reviewer, which I removed.  But this again did not resolve the issue.

I verified settings with another high level user which I knew others should not have access.  To my surprise, when I did some baseline testing to make sure my testing methods were sound, they failed.  They had access to this secure user, which they should not.  I double checked her sharing permissions as well as the Exchange permissions and they are both restricted.

Checked a brand new user who was just setup, and they can all access this mailbox as well.  No custom permissions with this new account.

I checked some of the executives and surprisingly, most of them are secure and the users could not gain access, but not all.

There is some other level of security at play here.  I'm looking for ideas on what may need to be adjusted to gain back my mailbox security.  If users need access to other users' mailboxes I want to maintain that in the Exchange full access permissions ideally.

Thanks for your help.
SOLUTION
Chris

This solution is only available to members.

http://exchangeserverpro.com/list-users-access-exchange-mailboxes
that gives you a start to seeing the permissions
SOLUTION
This solution is only available to members.

tw525 (ASKER)

Subsun, when running your commands I get no output.

Hope you have replaced domain\user with the account which your user details. If yes, the permissions are not assigned at server or database level.

Probably the permissions are assigned at user level. The following commands will show you what permissions TEST\Administrator has on subsun's mailbox.
Get-Adpermission -identity subsun | ? {$_.User -like "TEST\Administrator"}
Get-mailboxpermission -identity subsun | ? {$_.User -like "TEST\Administrator"}

tw525 (ASKER)

Subsun, yes I replaced domain\user with the proper info.  I'll try your new commands.

Interesting sidenote.  To date the majority of my testing has come from logging into my own machine as administrator and then creating an outlook profile for each user I want to test their permissions.  

I have actually gone to users' local machines and verified the issue I described above.  However, most times when I make a change and then test it, I'm doing so at my own machine, logged in as admin, and under an Outlook profile I created for them.

The reason I bring this up is I just sent a user (we'll call her Courtney) instructions for adding an additional mailbox of another user (we'll call her Sarah).  She got the instructions and was able to add the mailbox but asked for permissions as she can't open Sarah's mailbox.  Given all the recent troubles with mailbox access I decided to test it.

As usual I'm logged into my machine as admin and set up an Outlook profile for Courtney.  I added the additional mailbox (Sarah's mailbox), only I WAS able to access it.

So I guess this begs the question are my testing procedures flawed?  When, in AD, I'm logged onto my machine with the domain admin credentials and I create an Outlook profile for a different user to test their permissions level, am I really testing their permission level or that of the domain admin?

You need to use Courtney's credentials to log in to the computer and test the access.
Also you can try opening Courtney's Outlook profile with her credentials from your user profile. But if you use your credentials to open Courtney's mailbox then your permission will get precedence.

ASKER CERTIFIED SOLUTION
This solution is only available to members.

tw525 (ASKER)

Sharing permissions can be set on the overall mailbox or the subfolders, like the most typical, the Inbox.  I found that while I had locked down the mailbox, I neglected to look specifically if the Inbox had any additional share permissions set, which it did.  Closing that eliminated the loophole.
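
The thread ends up touching three separate places where access to a mailbox can be granted: mailbox-level rights, Active Directory rights on the user object, and per-folder sharing permissions such as the Inbox entry found above. The following is an added example, not code from any poster in this thread, that lists all three for one mailbox in a single pass; the function name `Get-MailboxAccessLayers` and the alias `sarah` are assumptions, and it is meant for the on-premises Exchange Management Shell.

```powershell
# Added example for the Exchange Management Shell (on-premises Exchange).
# Get-MailboxAccessLayers is a hypothetical name; 'sarah' is a placeholder alias.
function Get-MailboxAccessLayers {
    param([Parameter(Mandatory = $true)][string]$Mailbox)

    # Layer 1: mailbox-level rights such as FullAccess. Inherited = True means
    # the entry was granted higher up (database/server), not on this mailbox.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { "$($_.User)" -ne 'NT AUTHORITY\SELF' -and -not $_.Deny } |
        Select-Object @{n='Layer';e={'Mailbox'}}, @{n='Scope';e={$Mailbox}},
            @{n='User';e={"$($_.User)"}},
            @{n='Rights';e={$_.AccessRights -join ','}},
            @{n='Inherited';e={$_.IsInherited}}

    # Layer 2: Active Directory extended rights on the user object
    # (for example Send-As or Receive-As). Entries without extended rights are skipped.
    Get-ADPermission -Identity $Mailbox |
        Where-Object { $_.ExtendedRights -and -not $_.Deny -and
                       "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        Select-Object @{n='Layer';e={'AD'}}, @{n='Scope';e={$Mailbox}},
            @{n='User';e={"$($_.User)"}},
            @{n='Rights';e={$_.ExtendedRights -join ','}},
            @{n='Inherited';e={$_.IsInherited}}

    # Layer 3: folder-level sharing permissions. Walk every folder, because a
    # locked-down mailbox root says nothing about the Inbox or other subfolders.
    foreach ($f in (Get-MailboxFolderStatistics -Identity $Mailbox)) {
        # Get-MailboxFolderPermission expects "mailbox:\Folder\Subfolder".
        $path = if ($f.FolderType -eq 'Root') { "${Mailbox}:\" }
                else { "${Mailbox}:" + $f.FolderPath.Replace('/', '\') }

        # Some system folders cannot be queried; skip those quietly.
        Get-MailboxFolderPermission -Identity $path -ErrorAction SilentlyContinue |
            Where-Object { ($_.AccessRights -join ',') -ne 'None' } |
            Select-Object @{n='Layer';e={'Folder'}}, @{n='Scope';e={$path}},
                @{n='User';e={"$($_.User)"}},
                @{n='Rights';e={$_.AccessRights -join ','}},
                @{n='Inherited';e={$null}}
    }
}

# Rows with User = Default and Rights other than None apply to every
# authenticated user, which is the kind of entry this thread was chasing.
Get-MailboxAccessLayers -Mailbox 'sarah' | Format-Table -AutoSize
```

Run it from an account with rights to read mailbox permissions; as noted earlier in the thread, confirm the result by opening the mailbox with the affected user's own credentials rather than an administrator's.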