Exchange Full Access Permission contains Everyone (why?)
Been about two months now running Exchange 2010 SP1 from Exchange 2003. Just discovered that everyone has access to everyone else's mailbox. Every user under Manage Full Access Permission contains:
Everyone
DOMAIN\Exch Servers
DOMAIN\Exch Trusted Subsystem
NT AUTHORITY\Authenticated Users
NT AUTHORITY\SELF
NT AUTHORITY\SYSTEM
If I remove everyone "OR" authenticated users from a user then that user can no longer access their mailbox.
I suspect EMC isn't giving me the full picture. In 2003 there was an area to see ALL security on a mailbox, both allow and deny. Where is that in 2010? Clearly something is just not being inherited correctly. There was never an "everyone" on all mailboxes in my 2003.
Any ideas? I'd greatly appreciate any response. Thanks!
December 3rd, 2010 1:10pm
Hi JEmlay,
Please use the Security tab in Active Directory Users and Computers to see the permissions on the accounts.
Regards
Rafael Okamoto
December 3rd, 2010 1:40pm
Everything is tied into there now? No more separate rights?
Everyone
SELF
Authenticated Users
SYSTEM
NETWORK SERVICE
Exchange Server
Exchange Trusted Subsystem
Exchange Windows Permissions
Domain Admins
Cert Publishers
Enterprise Admins
RAS and IAS Servers
Administrators
Account Operators
Pre-Windows 2000 Compatibility Access
Windows Authorization Access Group
Terminal License Servers
If I create a new mailbox it inherits the same permissions listed in my first post. I don't see anything being given DENY permissions, yet I know that the Domain Admins should specifically have certain deny rights, correct?
At any rate, if I remove all entries in Full Access Permissions and add back just SELF, the user cannot access the mailbox. No one can at that point.
EDIT:
I removed each of the items in Full Permissions (EMC) one by one, since only putting SELF in there was not good. Come to find out the ONLY WAY my mailboxes will work is if I have BOTH "everyone" and "Authenticated Users" in there.
I'm at a loss as to how to work backwards from here. I was hoping to find an answer in the user accounts' security but I see nothing odd there.
December 3rd, 2010 2:30pm
So the new question is, why do my mailboxes only work if they contain both EVERYONE and AUTHENTICATED USERS? If I remove those and give anyone else access, it won't work.
Any ideas?
December 3rd, 2010 2:30pm
Hi,
Try to create a new mailbox database, then create a new user in this new mailbox database. What's the result? Does the issue persist?
The problem should be caused by the incorrect permission settings on your organization.
Please follow these steps to check the permission settings:
1. On the DC, run ADSIEdit. Right-click ADSIEdit and choose Connect to. Under "Select a well known Naming Context", select Configuration.
2. Right-click [CN=Configuration,dc=domain,dc=com]; in the Security tab, make sure that there is no Everyone under the "Group or user names" list. Also check [CN= Configuration,dc=domain,dc=com;cn=services] and [CN= Configuration,dc=domain,dc=com;cn=services;cn=Microsoft exchange server], and make sure there is no Everyone group.
3. Expand to [CN= Configuration,dc=domain,dc=com;CN=services;cn=Microsoft Exchange]. Right-click CN=First Organization and choose Properties.
4. In the Security tab, please check:
a. It only has the following objects under the "Group or user names" list: Everyone, Authenticated Users, NETWORK SERVICE, Exchange Servers (Domain1\exchange servers), Exchange Organization Administrators, Exchange View-Only Administrators, Exchange Public Folder Administrators, Exchange Trusted Subsystem, Organization Management, Public Folder Management, Delegated Setup, Administrator, Domain Admins, Schema Admins, Enterprise Admins, Anonymous Logon.
If there are any unknown SIDs, such as S-1-0-111110~, please remove them.
b. Everyone only has the following allow permissions checked: "Create named properties in the information store", "Create public folder", "Special permissions".
c. Authenticated Users only has the following allow permission checked: "Special permissions".
December 7th, 2010 2:49am
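The symptom in the first post (Everyone and Authenticated Users holding Full Access on every mailbox) and the organization-object check in Gen's steps 3 and 4 can both be audited from the Exchange Management Shell instead of clicking through EMC and ADSIEdit. The script below is an added example, not code from the thread or from Microsoft; it assumes an Exchange 2010 Management Shell session, and the organization DN is built from the placeholder names the thread itself uses (First Organization, dc=domain,dc=com) and must be replaced with your own.

```powershell
# Added example, not code from the thread. Assumes an Exchange 2010 Management
# Shell session. The organization DN below uses the placeholder names that
# appear in the thread (First Organization, dc=domain,dc=com); replace them
# with the real values for your forest before running.

# Principals that should never hold Full Access on a mailbox, nor Receive-As /
# Send-As on the organization object. Matched on the account name only, so
# "Everyone" and "NT AUTHORITY\Authenticated Users" both match.
$broadNames = @('Everyone', 'Authenticated Users', 'ANONYMOUS LOGON')

function Get-PrincipalName($principal) {
    # Get-MailboxPermission and Get-ADPermission expose User as a security
    # principal id; keep only the part after the last backslash.
    return ($principal.ToString() -split '\\')[-1]
}

# Part 1: mailbox level. Every allow ACE that grants FullAccess to a broad
# principal, and whether it is explicit or inherited. An inherited entry on
# every mailbox points at a parent ACL (database, server or organization),
# which is what Gen's ADSIEdit steps inspect.
$mailboxFindings = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        -not $_.Deny -and
        $_.AccessRights -contains 'FullAccess' -and
        $broadNames -contains (Get-PrincipalName $_.User)
    } |
    Select-Object Identity, User, IsInherited

# Part 2: organization object. Per Gen's step 4, Everyone should hold only
# "Create named properties" and "Create public folder", and Authenticated
# Users only special permissions. Receive-As or Send-As on this object for a
# broad principal is the over-grant the original poster found and removed.
$orgDn = 'CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com'
$orgFindings = Get-ADPermission -Identity $orgDn |
    Where-Object {
        -not $_.Deny -and
        $broadNames -contains (Get-PrincipalName $_.User) -and
        (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Receive-As' -or
         ($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Send-As')
    } |
    Select-Object User, IsInherited, ExtendedRights

"Mailbox ACEs granting FullAccess to a broad principal: {0}" -f @($mailboxFindings).Count
$mailboxFindings | Format-Table -AutoSize
"Organization-level Receive-As/Send-As ACEs for broad principals: {0}" -f @($orgFindings).Count
$orgFindings | Format-Table -AutoSize
```

Run Part 1 before and after changing the organization ACL: if the broad-principal entries on the mailboxes are reported as inherited and disappear once the organization-level Receive-As / Send-As grants are gone, the mailbox symptom was inherited from the Configuration container rather than set per mailbox. Both cmdlets are read-only, so the audit can be repeated as often as needed without touching any ACL.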
Thanks so much for the reply Gen!
Creating a new mailbox database did not change anything.
2. All that checked out, except I'm not sure what you mean by [CN= Configuration,dc=domain,dc=com;cn=services;cn=Microsoft exchange server]. I don't seem to have that object. I checked the Services object and it was OK.
4a. I do not have 'Exchange Public Folder Administrators'. In addition to your list I DO have SYSTEM in that list. Should I remove that?
4b. Everyone also had Read, Write, Receive As and Send As. I removed those. However, it is missing the special permissions. Can I get a run down of which ones it needs from you? I assume there's some denies in there that I'm missing.
4c. Authenticated Users also had read, write, receive as and send as and I removed those as well. It does have the special permissions.
After making these changes I restarted the Exchange box. Created a new user. Removed Everyone and Authenticated Users, leaving SELF, Exchange Servers, ETS and SYSTEM. The user no longer had access to the mailbox.
December 8th, 2010 1:15pm
Thanks so much for your reply Gen!
Creating a new mailbox database didn't change anything.
2. I don't seem to have [CN= Configuration,dc=domain,dc=com;cn=services;cn=Microsoft exchange server]. But everything else checks out.
4a. In addition to your list I have SYSTEM. Should I delete it? Also, I do not have Exchange Public Folder Administrators.
4b. 'Everyone' also had Read, Write, Receive As and Send As. I removed those. However it does not have special permissions. Can I get a list of which special permissions it should have?
4c. Authenticated Users had the same setup as Everyone so I removed the extras. However, this one DID have the special permissions.
December 8th, 2010 3:51pm