Solved

Areas to adjust mailbox permissions

Posted on 2013-01-02
Last Modified: 2013-01-16
So I have an issue with users having too many rights to other users' mailboxes.  It's not universal, but I'm not sure at what layer the permissions are being set.

Initially I was just focused on one user having access to another user's mailbox and wanted to put a stop to it.  Initially I adjusted the full access permissions on Exchange.  That's where I tend to set these sorts of permissions up.  I removed the user and thought that would resolve it.  It did not.  I thought maybe slow replication, forced replication, and the issue remained.

Set up my session's Outlook profile for both users and logged into Outlook as both.  I checked the source user and her sharing permissions.  Default was set up as Reviewer, which I removed, but this again did not resolve the issue.

I verified settings with another high level user who I knew others should not have access to.  To my surprise, when I did some baseline testing to make sure my testing methods were sound, they failed.  They had access to this secure user, which they should not.  I double checked her sharing permissions as well as the Exchange permissions and they are both restricted.

Checked a brand new user who was just set up, and they can all access this mailbox as well.  No custom permissions with this new account.

I checked some of the executives and surprisingly, most of them are secure and the users could not gain access, but not all.

There is some other level of security at play here.  I'm looking for ideas on what may need to be adjusted to gain back my mailbox security.  If users need access to other users' mailboxes I want to maintain that in the Exchange full access permissions ideally.

Thanks for your help.
Question by:tw525
10 Comments
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 300 total points
ID: 38738232
They can get applied in 3 different ways:
  • Database level
  • Mailbox level
  • AD level

The first two you will be able to see from "Manage full access permissions".
If they have been set at the database level they will propagate down and would be on all mailboxes, so probably not that level.

AD level permissions can be seen from Exchange PowerShell, and some you can see through Outlook by looking at the mailbox permissions there.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38738241
http://exchangeserverpro.com/list-users-access-exchange-mailboxes
that gives you a start to seeing the permissions
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 1200 total points
ID: 38739866
Run the following commands to check if the user has permission at server level or database level.
Get-ExchangeServer | Get-ADPermission -user "domain\user"
Get-MailboxDatabase | Get-ADPermission -user "domain\user"

If you are able to find the permission for the user then you can use the following commands to remove it.

For server
Get-ExchangeServer | Remove-ADPermission -user "domain\user" -AccessRights GenericAll

For database
Get-MailboxDatabase | Remove-ADPermission -user "domain\user" -AccessRights GenericAll
0

 
LVL 1

Author Comment

by:tw525
ID: 38744592
Subsun, when running your commands I get no output.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38745262
Hope you have replaced domain\user with your user's account details. If yes, the permissions are not assigned at server or database level.

Probably the permissions are assigned at user level. The following commands will show you what permissions TEST\Administrator has on subsun's mailbox.
Get-ADPermission -identity subsun | ? {$_.User -like "TEST\Administrator"}
Get-MailboxPermission -identity subsun | ? {$_.User -like "TEST\Administrator"}

0
 
LVL 1

Author Comment

by:tw525
ID: 38751479
Subsun, yes I replaced domain\user with the proper info.  I'll try your new commands.

Interesting sidenote.  To date the majority of my testing has come from logging into my own machine as administrator and then creating an Outlook profile for each user whose permissions I want to test.

I have actually gone to users' local machines and verified the issue I described above.  However, most times when I make a change and then test it, I'm doing so at my own machine, logged in as admin, and under an Outlook profile I created for them.

The reason I bring this up is I just sent a user (we'll call her Courtney) instructions for adding an additional mailbox of another user (we'll call her Sarah).  She got the instructions and was able to add the mailbox but asked for permissions as she can't open Sarah's mailbox.  Given all the recent troubles with mailbox access I decided to test it.

As usual I'm logged into my machine as admin and set up an Outlook profile for Courtney.  I added the additional mailbox (Sarah's mailbox), only I WAS able to access it.

So I guess this begs the question: are my testing procedures flawed?  When, in AD, I'm logged onto my machine with the domain admin credentials and I create an Outlook profile for a different user to test their permissions level, am I really testing their permission level or that of the domain admin?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38751715
You need to use Courtney's credentials to log in to the computer and test the access.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38752020
Also you can try by opening Courtney's Outlook profile with her credentials from your user profile. But if you use your credentials to open Courtney's mailbox then your permissions will get precedence.
0
 
LVL 1

Accepted Solution

by:
tw525 earned 0 total points
ID: 38768686
I found the issue.  I was checking permissions at the top level Mailbox, but not checking permissions set specifically on the inbox.  I found the loophole there and was able to correct and block users from opening undesired mailboxes.

Thanks for your help gentlemen!
0
 
LVL 1

Author Closing Comment

by:tw525
ID: 38782012
Sharing permissions can be set on the overall mailbox or the subfolders, like the most typical, the Inbox.  I found that while I had locked down the mailbox, I neglected to look specifically at whether the Inbox had any additional share permissions set, which it did.  Closing that eliminated the loophole.
0
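
The layers discussed in this thread, checked in one pass, as an added example that is not part of any post above. It assumes the Exchange Management Shell on Exchange 2010 or later (for Get-MailboxFolderPermission); the mailbox alias and account name are placeholders.

```powershell
# Added example: list every layer that can grant access to one mailbox.
# Run in the Exchange Management Shell. Both values below are placeholders.
$Mailbox = 'sarah'              # hypothetical alias of the mailbox being protected
$Trustee = 'DOMAIN\courtney'    # hypothetical account that should NOT have access

# Layers 1-2: server and database objects. A grant here is inherited by every
# mailbox underneath, so an empty result rules these layers out.
Get-ExchangeServer  | Get-ADPermission -User $Trustee |
    Select-Object Identity, User, AccessRights, ExtendedRights, Deny
Get-MailboxDatabase | Get-ADPermission -User $Trustee |
    Select-Object Identity, User, AccessRights, ExtendedRights, Deny

# Layer 3: the mailbox itself (what "Manage full access permissions" shows) and
# the AD object of the mailbox owner.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -like $Trustee } |
    Select-Object Identity, User, AccessRights, IsInherited, Deny
Get-ADPermission -Identity $Mailbox |
    Where-Object { $_.User -like $Trustee } |
    Select-Object Identity, User, AccessRights, ExtendedRights, IsInherited, Deny

# Layer 4: folder-level sharing permissions, the layer that was missed in this
# thread. Entries are stored per folder, so walk every folder, not just the root.
# Folder entries typically show users by display name, and the built-in
# "Default" entry covers users with no entry of their own, so report every
# entry whose rights are not "None" instead of filtering on $Trustee.
Get-MailboxFolderStatistics -Identity $Mailbox | ForEach-Object {
    # FolderPath uses "/" separators; the folder cmdlets expect "alias:\path".
    $folderId = "${Mailbox}:" + ($_.FolderPath -replace '/', '\')
    if ($_.FolderType -eq 'Root') { $folderId = "${Mailbox}:\" }
    Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue |
        Where-Object { "$($_.AccessRights)" -ne 'None' } |
        Select-Object @{n='Folder';e={$folderId}}, User, AccessRights
}
```

A "Default" entry with Reviewer rights on the Inbox in the last section is the kind of grant that survives a lockdown of the mailbox-level permissions. Confirm any fix from a session logged on with the affected user's own credentials, as noted earlier in the thread.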


Question has a verified solution.