Exchange 2007 Permissions - All users can open anyone's mailbox in Outlook

Asked by utilize:

Hello,

We are experiencing an issue at a client's site whereby any one user is able to open another user's mailbox using the "Add mailbox" option under account settings.

This obviously poses a bit of a security risk.

I'm pretty sure the issue is likely to be permissions related but I cannot for the life of me find a permission setting that is causing the issue. (I've used ADSIEDIT and gone through the organisation structure).

Any pointers welcome!
Will Szymkowski:

In Exchange Management Console is there a group like domain users associated with Full Mailbox Access?

From the domain root in the AD environment does "domain users" have Full Access / inheritance over the domain? It is most likely an inheritance issue. I would start there first.

Select a single user in Active Directory and check the Security tab > Advanced Security. From there click the Edit button and see what groups/users have been granted full access.

Once you have found this out go to the OU level of that user and see if it has been inherited. Then go to the root of the domain and check the settings again.

Will.
Simon Butler (Sembee):

There are only two permissions that grant this - Full Mailbox and Receive As.
Look for who has Full Mailbox as outlined above. You will need to look at Receive As through ADUC.
I expect it will be a group, probably a regular group, which has the permissions. Domain Admins would require a lot of permission undoing (not that it cannot be done).

Simon.
utilize (asker):
If I look at a user whose mailbox I can open, from a standard user, there are no non-standard permissions that I can see. The only groups with Full Access / Receive As are as follows:

FULL  & RECEIVE:
SYSTEM
DOMAIN ADMINS
ENTERPRISE ADMINS (INHERITED)
ACCOUNT OPERATORS

The account I'm logging into to open the mailbox is not a member of any of the above groups.

Full Mailbox Access is not set through EMC for the user. (This is done on an individual basis, right?)
Simon Butler (Sembee):

Full Mailbox is usually set on an individual basis, but on this version of Exchange it can also be set at a database and server level.
You have to look in various locations for the permissions.

For example, if you wanted to give an account Receive As, at the server level, you would run this command:

Get-MailboxServer | Add-ADPermission -User "Account" -AccessRights ExtendedRight -ExtendedRights Receive-As

Before you can remove the permission though you need to establish what group has it.

Simon.
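The three places Simon lists (individual mailbox, database, server) checked in one sweep, as an added example that is not from the thread. It assumes the Exchange 2007 Management Shell; the trustee allow-list is an assumed default to adjust per environment, and Test-UnexpectedTrustee is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell.
# Sweeps Full Access (mailbox scope) and Receive-As (database and server scope),
# drops the trustees that normally hold those rights, and reports the rest together
# with whether each entry is inherited from a parent container.

# Assumed defaults for trustees that legitimately hold these rights; adjust per environment.
$knownTrustees = @(
    'NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'Domain Admins', 'Enterprise Admins',
    'Account Operators', 'Exchange Servers', 'Exchange Organization Administrators'
)

# Hypothetical helper: true when the trustee is not on the known list.
function Test-UnexpectedTrustee {
    param($User)
    $name = $User.ToString()           # comes back as DOMAIN\Name or NT AUTHORITY\Name
    foreach ($known in $knownTrustees) {
        if ($name -eq $known -or $name -like "*\$known") { return $false }
    }
    return $true
}

$findings = @()

# 1. Mailbox scope: the grants EMC shows under Manage Full Access Permission.
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    $findings += @(Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.Deny -and "$($_.AccessRights)" -match 'FullAccess' -and
                       (Test-UnexpectedTrustee $_.User) } |
        Select-Object @{n='Scope';e={'Mailbox'}}, @{n='Object';e={$mbx.Name}},
                      User, @{n='Right';e={'FullAccess'}}, IsInherited)
}

# 2. Database and server scope: Receive-As here covers every mailbox underneath
#    and does not show up on the individual user object at all.
foreach ($container in (@(Get-MailboxServer) + @(Get-MailboxDatabase))) {
    $findings += @(Get-ADPermission -Identity $container.Identity |
        Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'Receive-As' -and
                       (Test-UnexpectedTrustee $_.User) } |
        Select-Object @{n='Scope';e={'Container'}}, @{n='Object';e={$container.Name}},
                      User, @{n='Right';e={'Receive-As'}}, IsInherited)
}

# IsInherited = True on a server or database row means the ACE was set higher up
# (the Exchange organization container or the domain root), so that is where to remove it.
$findings | Sort-Object Scope, Object | Format-Table Scope, Object, User, Right, IsInherited -AutoSize
```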
utilize (asker):

I have run through a bunch of the commands found here:

http://blogs.msdn.com/b/deva/archive/2012/04/16/exchange-server-2007-2010-how-to-query-user-mailboxes-its-permissions-using-exchange-powershell.aspx

Against the mailbox database/server and individual users.

There are no groups out of the ordinary that have receive-as or fullaccess for a user whose mailbox can be opened by anyone.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
[solution text not shown: members-only content]