Solved

Areas to adjust mailbox permissions

Posted on 2013-01-02
297 Views
Last Modified: 2013-01-16
So I have an issue with users having too many rights to other users' mailboxes. It's not universal, but I'm not sure at what layer the permissions are being set.

Initially I was just focused on one user having access to another user's mailbox and wanted to put a stop to it. I first adjusted the Full Access permissions in Exchange; that's where I tend to set these sorts of permissions up. I removed the user and thought that would resolve it. It did not. I thought it might be slow replication, so I forced replication, and the issue remained.

I set up Outlook profiles in my session for both users and logged into Outlook as both. I checked the source user and her sharing permissions. Default was set to Reviewer, which I removed, but this again did not resolve the issue.

I verified settings with another high-level user whom I knew others should not have access to. To my surprise, when I did some baseline testing to make sure my testing methods were sound, they failed. They had access to this secure user, which they should not. I double-checked her sharing permissions as well as the Exchange permissions, and both are restricted.

I checked a brand-new user who was just set up, and they can all access this mailbox as well. There are no custom permissions on this new account.

I checked some of the executives and, surprisingly, most of them are secure and the users could not gain access, but not all.

There is some other level of security at play here. I'm looking for ideas on what may need to be adjusted to regain my mailbox security. If users need access to other users' mailboxes, I want to maintain that in the Exchange Full Access permissions, ideally.

Thanks for your help.
Question by:tw525
10 Comments
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 100 total points
ID: 38738232
They can be applied in 3 different ways:
Database level
Mailbox level
AD level

The first two you will be able to see from "Manage Full Access Permissions".
If they have been set at the database level they will propagate down and would be on all mailboxes, so it's probably not that level.

AD-level permissions can be seen from the Exchange PowerShell, and some you can see through Outlook by looking at the mailbox permissions there.
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38738241
http://exchangeserverpro.com/list-users-access-exchange-mailboxes
That gives you a start on seeing the permissions.
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 400 total points
ID: 38739866
Run the following commands to check if the user has permission at the server level or database level:

```powershell
# Server-level ACEs granted to the account
Get-ExchangeServer | Get-ADPermission -User "domain\user"
# Database-level ACEs granted to the account
Get-MailboxDatabase | Get-ADPermission -User "domain\user"
```

If you find the permission for the user, then you can use the following commands to remove it.

For Server

```powershell
Get-ExchangeServer | Remove-ADPermission -User "domain\user" -AccessRights GenericAll
```

For database

```powershell
Get-MailboxDatabase | Remove-ADPermission -User "domain\user" -AccessRights GenericAll
```
 
LVL 1

Author Comment

by:tw525
ID: 38744592
Subsun, when running your commands I get no output.
 
LVL 40

Expert Comment

by:Subsun
ID: 38745262
I hope you replaced domain\user with your user's account details. If yes, the permissions are not assigned at the server or database level.

Probably the permissions are assigned at the user level. The following commands will show you what permissions TEST\Administrator has on subsun's mailbox:

```powershell
# AD-object ACEs (e.g. Send-As) on the mailbox user, filtered to one trustee
Get-ADPermission -Identity subsun | ? { $_.User -like "TEST\Administrator" }
# Mailbox ACL entries (e.g. FullAccess), filtered to the same trustee
Get-MailboxPermission -Identity subsun | ? { $_.User -like "TEST\Administrator" }
```
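Pulling together irweazelwallis's three levels and Subsun's per-level commands, here is an added example (not code from the thread) that audits one trustee across every mailbox in the organization: it counts server- and database-level ACEs, lists each mailbox where the account holds Full Access and whether that grant is explicit or inherited, and separately lists Send-As, which is an AD extended right that the Full Access view never shows. It assumes the Exchange 2010 Management Shell and uses the placeholder account DOMAIN\courtney:

```powershell
# Added example, not code from the thread. Exchange 2010 Management Shell
# assumed (Get-ADPermission / Get-MailboxPermission also exist in 2007).
# $Trustee is a placeholder for the account whose access you are auditing.
$Trustee = 'DOMAIN\courtney'

# Layer 1: server and database ACLs. Anything granted here is inherited by
# every mailbox underneath, so a hit explains "everyone can open everything".
$serverAces = @(Get-ExchangeServer | Get-ADPermission -User $Trustee |
    Where-Object { -not $_.Deny })
$dbAces = @(Get-MailboxDatabase | Get-ADPermission -User $Trustee |
    Where-Object { -not $_.Deny })

# Layer 2: per-mailbox Full Access. IsInherited = True means the ACE was not
# set on this mailbox but flowed down from a parent (database/server/OU),
# so removing it in "Manage Full Access Permissions" will not stick.
$fullAccess = @(Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Trustee |
    Where-Object { -not $_.Deny -and ($_.AccessRights -contains 'FullAccess') })

# Layer 3: Send-As lives on the AD object as an extended right, not in the
# mailbox ACL, so it never appears in the Full Access view.
$sendAs = @(Get-Mailbox -ResultSize Unlimited |
    Get-ADPermission -User $Trustee |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Send-As*') })

"Server-level ACEs for $Trustee   : $($serverAces.Count)"
"Database-level ACEs for $Trustee : $($dbAces.Count)"
"Mailboxes with Full Access (IsInherited = came from DB/server/OU):"
$fullAccess | Select-Object Identity, AccessRights, IsInherited | Format-Table -AutoSize
"Mailboxes with Send-As:"
$sendAs | Select-Object Identity, ExtendedRights | Format-Table -AutoSize
```

One caveat: -User matches the trustee named on the ACE. If the account gets its rights through a security group, run the same sweep against the group name (or drop -User and read the whole ACL), otherwise the report is empty while the access is still there.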
 
LVL 1

Author Comment

by:tw525
ID: 38751479
Subsun, yes, I replaced domain\user with the proper info. I'll try your new commands.

Interesting side note. To date, the majority of my testing has been done by logging into my own machine as administrator and then creating an Outlook profile for each user whose permissions I want to test.

I have actually gone to users' local machines and verified the issue I described above. However, most times when I make a change and then test it, I'm doing so at my own machine, logged in as admin, and under an Outlook profile I created for them.

The reason I bring this up is that I just sent a user (we'll call her Courtney) instructions for adding an additional mailbox of another user (we'll call her Sarah). She got the instructions and was able to add the mailbox, but asked for permissions as she can't open Sarah's mailbox. Given all the recent troubles with mailbox access, I decided to test it.

As usual, I'm logged into my machine as admin and set up an Outlook profile for Courtney. I added the additional mailbox (Sarah's mailbox), only I WAS able to access it.

So I guess this begs the question: are my testing procedures flawed? When I'm logged onto my machine with the domain admin credentials in AD and I create an Outlook profile for a different user to test their permissions, am I really testing their permission level or that of the domain admin?
 
LVL 40

Expert Comment

by:Subsun
ID: 38751715
You need to use Courtney's credentials to log in to the computer and test the access.
 
LVL 40

Expert Comment

by:Subsun
ID: 38752020
Also, you can try opening Courtney's Outlook profile with her credentials from your user profile. But if you use your credentials to open Courtney's mailbox, then your permissions will take precedence.
 
LVL 1

Accepted Solution

by:tw525
tw525 earned 0 total points
ID: 38768686
I found the issue. I was checking permissions at the top-level mailbox but not checking permissions set specifically on the Inbox. I found the loophole there and was able to correct it and block users from opening undesired mailboxes.

Thanks for your help, gentlemen!
 
LVL 1

Author Closing Comment

by:tw525
ID: 38782012
Sharing permissions can be set on the overall mailbox or on subfolders, most typically the Inbox. I found that while I had locked down the mailbox, I neglected to look specifically at whether the Inbox had any additional sharing permissions set, which it did. Closing that eliminated the loophole.
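The layer the original poster eventually found, folder-level sharing, is invisible to Get-MailboxPermission and Get-ADPermission, so none of the commands earlier in the thread would have surfaced it. As an added example (not the thread's own code), the script below walks every folder of every mailbox with Get-MailboxFolderPermission, flags any named trustee and any Default/Anonymous grant above the free/busy level, and then shows the two cmdlets that close an Inbox left open the way this thread describes. It assumes Exchange 2010 SP1 or later (the *-MailboxFolderPermission cmdlets do not exist in Exchange 2007) and uses the placeholder mailboxes sarah and courtney:

```powershell
# Added example, not code from the thread. Requires Exchange 2010 SP1+
# (Get-/Set-/Remove-MailboxFolderPermission). Mailbox names are placeholders.

# Rights on Default/Anonymous that expose no mail content. Anything else
# (Reviewer, Author, Owner, ...) lets every authenticated user read the folder.
$harmlessDefault = @('None', 'AvailabilityOnly', 'LimitedDetails')

function Get-FolderGrants {
    # Return every folder-level ACE in one mailbox that actually grants access
    # to someone other than the owner.
    param([string]$Mailbox)

    # Get-MailboxFolderStatistics reports paths like "/Inbox/Projects"; the
    # permission cmdlets expect "alias:\Inbox\Projects". The mailbox name by
    # itself addresses the root ("Top of Information Store").
    $paths = @($Mailbox)
    $folders = Get-MailboxFolderStatistics -Identity $Mailbox |
        Where-Object { $_.FolderType -ne 'Root' }
    foreach ($f in $folders) {
        $paths += $Mailbox + ':' + $f.FolderPath.Replace('/', '\')
    }

    foreach ($p in $paths) {
        try {
            Get-MailboxFolderPermission -Identity $p -ErrorAction Stop |
                Where-Object {
                    $user   = [string]$_.User
                    $rights = @($_.AccessRights | ForEach-Object { [string]$_ })
                    if ($user -eq 'Default' -or $user -eq 'Anonymous') {
                        # built-in principals: flag anything beyond free/busy
                        @($rights | Where-Object { $harmlessDefault -notcontains $_ }).Count -gt 0
                    } else {
                        $true   # a named user or group with any right at all
                    }
                }
        } catch {
            # Some system folders (e.g. Recoverable Items) reject the cmdlet;
            # skip them rather than abort the whole sweep.
        }
    }
}

# Sweep the organization and print one line per folder that is open to someone
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-FolderGrants -Mailbox $_.Alias
} | Select-Object Identity, User, AccessRights | Format-Table -AutoSize

# Closing the loophole on one Inbox:
# Default and Anonymous cannot be removed, only reset to None...
Set-MailboxFolderPermission -Identity 'sarah:\Inbox' -User Default -AccessRights None
# ...while an explicit grant to a named user is removed outright.
Remove-MailboxFolderPermission -Identity 'sarah:\Inbox' -User 'courtney' -Confirm:$false
```

Run the sweep once before and once after the fix; the filter is deliberately strict, so an empty report means no folder in the organization grants anything beyond free/busy to anyone but its owner. Delegates added through Outlook's Delegate Access dialog show up here as well, because that dialog writes the same folder permissions.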
