Solved

Exchange 2013 mailbox permissions

Posted on 2013-05-15
5
6,457 Views
1 Endorsement
Last Modified: 2013-05-17
I have a brand new Exchange 2013 installation and trying to undertsand the concept of mailbox permissions a bit more.

My original goal was to have the Administrator user be able to have full access to all other user's mailboxes by default. This led to a rabbit hold of learning about Mailbox Permissions.

So when I run "Get-MailboxPermission -Identity jdoe", I get a table listing all of the permissions for that user. Example:

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
abcd.local/jdoe     NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
abcd.local/jdoe     ABCD\marybrown       {FullAccess}                                                False       False
abcd.local/jdoe     ABCD\administrator   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Organization... {FullAccess}                                                True        True
abcd.local/jdoe     NT AUTHORITY\SYSTEM  {FullAccess}                                                True        False
abcd.local/jdoe     NT AUTHORITY\NETW... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\administrator   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Organization... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Public Folde... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Delegated Setup {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Exchange Ser... {FullAccess, ReadPermission}                                True        False
abcd.local/jdoe     ABCD\Exchange Tru... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False

Open in new window


Notice how in the table above, the second line shows that the user "marybrown" has been granted full access to "jdoe"'s mailbox? That's me granting full access rights to the marybrown user via Mailbox Delegation in EAC. The "IsInherited" column is set to FALSE because it's a permission for that specific mailbox.

Now I also see a handful of permissions where the DENY column is set to "true" - These columns are explicitly DENYING the Administrator, Domain Admins, Enterprise Admins etc. from acessing the mailbox. These columns have the "IsInherited" column set to TRUE.

I guess my question is:

1) Where did those "deny" permissions come from? What are they being inherited FROM? The database / organization? Where can I go to look at those permissions?

2) Can I turn some of those deny permissions off? I'd really like the "Administrator" user to be able to access everyone's mailbox

3) Can I add an inherited permission somehow? I'd really like to be able to create a Security Group which grants access to ALL mailboxes by having the permission be inherited by all mailboxes
1
Comment
Question by:Frosty555
  • 3
  • 2
5 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39171261
Don't use Administrator for access to all mailboxes. That is against best practises.
The best practise, which Exchange will enforce unless you undo a lot of settings, is that accounts in the protected groups (Administrator, Domain Admins Power Users etc) cannot have permissions to other mailboxes. Those will be get an inherited deny.

If you require an account to have access to all mailboxes (Which I personally don't think anyone needs other than a BES Admin account) then use a regular account that is not a member of the above groups and has permissions in Exchange.

You should be operating a split permissions model - where you personal account is a regular user and you have a seperate Domain Admin model.

You can add a group to the permissions structure, again I would use a specific group for the task that isn't a member of anything else.

Get-MailboxDatabase | Add-ADPermission -User "Group-Name" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Receive As will give you permissions to open the mailbox content.

Don't try to undo the inherited permissions, as that will cause you nothing but problems.

Simon.
0
 
LVL 31

Author Comment

by:Frosty555
ID: 39173500
I ran into this forum post just as you posted as well:

http://serverfault.com/questions/453940/grant-full-mailbox-access-to-domain-admins-in-exchange-2010-including-all-new-m

The post above pretty clearly explains part (1) if what I was asking.

But it's clear you are suggesting that I *NOT* do exactly what is described in this article.... and for good reason I suppose. So there's my answer to part (2).

And the command you gave me sounds like the answer to (3) so I'll give that a try. I just have to realize that a Domain Admin or the Administrator account cannot be used for the purpose of opening other people's mailboxes.

The main reason for needing to do this right now is because we're in the middle of a migration from Google Apps, and after I finish importing all their mail from the old account I need to be able to go into their mailboxes and make sure everything came over properly, tweak if necessary etc.
0
 
LVL 31

Author Comment

by:Frosty555
ID: 39173518
Okay so I created a group, called "Full Mailbox Access", added my regular unprivileged account to that group, and ran the command you gave me. The results were:

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All



.... but still no joy. If I login as my regular account to OWA, and then try to go to "Open Another Mailbox", I get a "MapiExceptionLogonFailed: Unable to open message store." error. This is the same error I get when I don't have sufficient access to a mailbox. If I were to go add myself to the "Full Access" list for that mailbox in ECP->Recipients->mailbox delegation->Full Access, I can access it just fine.

If I run the Get-MailboxPermission on one of my mailboxes, I don't see the "Full Mailbox Access" in the list.

Is there maybe somewhere else we need to add the permission to?
0
 
LVL 31

Author Comment

by:Frosty555
ID: 39173534
Nevermind, I just needed to restart the "Microsoft Exchange Information Store" service, the changes hadn't taken affect right away.

This was a helpful article, in particular, the "Using EMS method 2" section, and the big red disclaimer at the bottom that said to restart the Microsoft Exchange Information Store service

http://msundis.wordpress.com/2011/06/21/manage-full-access-permissions-on-mailboxes-in-exchange-2010/
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39174506
I am a little behind on my posts...
Exchange caches permissions. Therefore it can take two hours before a change is effective. Therefore it is best if you presume you don't have any permissions, check/change and then attempt access.

Restarting the information store flushes the cache - although with the disruption.

Simon.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Are you unable to connect or configure Hotmail email account in Microsoft Outlook 2010, 2007? Or Outlook.com emails are not downloading to Outlook? Lets’ see the problem and resolve Outlook Connector error syncing folder hierarchy (0x8004102A).
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now