• Status: Solved
  • Priority: Medium
  • Security: Public

Exchange 2007 Permissions - All users can open anyone's mailbox in Outlook


We are experiencing an issue at a client's site whereby any one user is able to open another user's mailbox using the Add mailbox option under account settings.

This obviously poses a bit of a security risk.

I'm pretty sure the issue is likely to be permissions related but I cannot for the life of me find a permission setting that is causing the issue. (I've used ADSIEDIT and gone through the organisation structure).

Any pointers welcome!
1 Solution
Will Szymkowski, Senior Solution Architect, Commented:
In Exchange Management Console is there a group like domain users associated with Full Mailbox Access?

From the domain root in the AD environment does "domain users" have Full Access / inheritance over the domain? It is most likely an inheritance issue. I would start there first.

Select a single user in Active Directory and check the Security settings tab > Advanced Security. From there click the Edit button and see what groups/users have been granted full access.

Once you have found this out go to the OU level of that user and see if it has been inherited. Then go to the root of the domain and check the settings again.

Simon Butler (Sembee), Consultant, Commented:
There are only two permissions that grant this - Full Mailbox and Receive As.
Look for who has Full Mailbox as outlined above. You will need to look at Receive As through ADUC.
I expect it will be a group, probably a regular group, which has the permissions. Domain Admins would require a lot of permission undoing (not that it cannot be done).

utilize, Author, Commented:
If I look at a user whose mailbox I can open, from a standard user, there are no non-standard permissions that I can see. The only groups with Full Access/Receive As are as follows:


The account I'm logging into to open the mailbox is not a member of any of the above groups.

Full Mailbox Access is not set through EMC for the user. (This is done on an individual basis, right?)

Simon Butler (Sembee), Consultant, Commented:
Full Mailbox is usually set on an individual basis, but on this version of Exchange it can also be set at a database and server level.
You have to look in various locations for the permissions.

For example, if you wanted to give an account Receive As, at the server level, you would run this command:

Get-mailboxserver | add-adpermission -user "Account" -accessrights extendedRight -extendedrights Receive-As

Before you can remove the permission though you need to establish what group has it.

utilize, Author, Commented:
I have run through a bunch of the commands found here:


Against the mailbox database/server and individual users.

There are no groups out of the ordinary that have receive-as or fullaccess for a user whose mailbox can be opened by anyone.
Simon Butler (Sembee), Consultant, Commented:
The two permissions I have outlined are the only way that the permission is granted, you just need to establish where and to what group.

It may mean that you have to take a user who can open any mailbox and start removing group membership until the problem goes away. The problem with doing that is Exchange caches permissions for two hours, so a change isn't effective immediately.

The permission is there somewhere, and if it applies to all users then it has to be a group that everyone is a member of, or has been granted to Everyone or similar.

Don't just look at the mailbox for the permission, you also need to look at the databases and the server.

Question has a verified solution.
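
The checks discussed in this thread, gathered into one read-only pass over the mailbox, the databases and the servers. This is an added example, not a script posted by any participant; `$mailbox` is a placeholder and the filter names `Select-Grant` and `Select-ReceiveAs` are made up for illustration.

```powershell
# Exchange Management Shell, read-only: nothing below changes a permission.
$mailbox = "affected.user"   # placeholder: a mailbox that other users can open

# Pass through only "allow" entries, skipping the owner's own SELF entry.
filter Select-Grant {
    if (-not $_.Deny -and $_.User -notlike "NT AUTHORITY\SELF") { $_ }
}

# Pass through only entries that carry the Receive-As extended right.
filter Select-ReceiveAs {
    if ($_.ExtendedRights -like "*Receive-As*") { $_ }
}

# 1. Full Access on the mailbox itself (the Full Mailbox Access setting in EMC).
Get-MailboxPermission -Identity $mailbox |
    Where-Object { $_.AccessRights -like "*FullAccess*" } | Select-Grant |
    Format-Table User, AccessRights, IsInherited -AutoSize

# 2. Receive-As on the user's Active Directory object.
Get-Mailbox -Identity $mailbox | Get-ADPermission |
    Select-ReceiveAs | Select-Grant |
    Format-Table User, IsInherited -AutoSize

# 3. Receive-As on every mailbox database, then on every mailbox server.
Get-MailboxDatabase | Get-ADPermission |
    Select-ReceiveAs | Select-Grant |
    Format-Table Identity, User, IsInherited -AutoSize

Get-MailboxServer | Get-ADPermission |
    Select-ReceiveAs | Select-Grant |
    Format-Table Identity, User, IsInherited -AutoSize
```

Compare the User column with the groups the test account belongs to, including groups every user is a member of. A row with IsInherited set to True means the grant was made higher up, so repeat the check on the parent object.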
