How to stop users accessing other users' mailboxes via OWA - PLEASE HELP 20+ views but no replies
I have set up OWA on our SBS2003 server and just discovered the following: If I connect to https://mail.ourdomainname/exchange/ and log in I get my mailbox, which shows perfectly. If however I or another user then type in the address bar after the exchange/ another user's 'first.lastname/inbox', this other user's inbox appears!?!? No mailbox rights have been set following the SBS install, so they are at default values. Surely this is a security issue?!?! e.g. If a user sends a private email to the MD with confidential info in it, anyone (who knows how) can read it.

I have searched the web and cannot find anyone else reporting this issue and therefore cannot find a fix. I assume that this is a mailbox rights issue and upon checking discovered that the group 'Everyone' has Read permissions (inherited, greyed out) on each mailbox and 'Authenticated Users' (again greyed) have basically all permissions. I have downloaded the ADModify.NET tool so I can change all users at the same time (as I have never used this tool before I would obviously test on one user first).

Could anyone please shed some light on this issue? I assume I can just remove some permissions, but as they are greyed, where are they inheriting them from?? Also if ADModify.NET is a good way of doing this, I would be grateful if someone could provide a step by step so I don't select the wrong option and break the whole thing. I would like to retain being able to view shared calendars via the Outlook 2003 client.

Many thanks, Paul.
November 12th, 2009 1:56pm

On Thu, 12-Nov-09 10:56:48 GMT, VC91 wrote:

> sends a private email to the MD with confidential info in it, anyone (who knows how) can read it. I have searched the web and cannot find anyone else reporting this issue and therefore cannot find a fix. I assume that this is a mailbox rights issue and upon checking discovered that the group 'everyone' has read permissions (inherited greyed out) on each mailbox and 'Authenticated Users' (again greyed) have basically all permissions. I have downloaded the ADModify.NET tool so I can change all users at the same time (as I thanks, Paul.

The "Read Permissions" doesn't mean they have permission to read the mailbox contents. It just means they can read the permissions. Leave the Everyone group alone.

The Authenticated Users group looks like the problem. Since the permission is inherited there's no need to change it on every mailbox, just find the container that has that permission and Authenticated Users should have the "Read all properties" on the Exchange organization (only on "this object"), and be denied the "read msexchavailabilityuserpassword" permission on msexchavailabilityaddressspace objects. But when you get down to the permissions on a mailbox database the group shouldn't even be in the list.

Use ADSIEDIT and find where the Authenticated Users group was given all those permissions and either remove the group or change the scope of how the permissions are applied so they aren't inherited by everything below the container.

---
Rich Matheisen
MCSE+I, Exchange MVP
November 13th, 2009 6:58am
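The reply above says to open ADSIEDIT and find the container on which Authenticated Users was actually granted the rights that every mailbox store below it inherits. The script below is an added, read-only audit helper for exactly that search; it is not code from the thread or from Microsoft. It walks the Exchange organization container in the Configuration partition with System.DirectoryServices and reports every ACE held by Authenticated Users (matched by its well-known SID S-1-5-11), separating the ACEs defined directly on a container from those that are merely inherited. It assumes a domain-joined machine with PowerShell 2.0 and an account able to read the Configuration partition; it writes nothing to Active Directory.

```powershell
# Added example, not from the thread: read-only audit of where the
# "Authenticated Users" group holds rights beneath the Exchange organization
# container, so the container that originates an inherited ACE can be
# located before anything is changed in ADSIEDIT.
# Assumptions: domain-joined Windows host, PowerShell 2.0, an account that can
# read the Configuration partition. Nothing here modifies AD.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value
$exchRoot = [ADSI]("LDAP://CN=Microsoft Exchange,CN=Services," + $configNC)

# Well-known SID for Authenticated Users; comparing by SID avoids any
# dependency on the localized display name of the group.
$authUsersSid = 'S-1-5-11'

function Get-AuthenticatedUsersAces {
    param([System.DirectoryServices.DirectoryEntry]$Entry)

    $dn  = $Entry.Properties['distinguishedName'].Value
    $acl = $Entry.ObjectSecurity

    # $true, $true = include both explicit and inherited ACEs;
    # identities are returned as SecurityIdentifier objects.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $authUsersSid) { continue }

        New-Object PSObject -Property @{
            Path             = $dn
            Type             = $ace.AccessControlType   # Allow / Deny
            Rights           = $ace.ActiveDirectoryRights
            Inherited        = $ace.IsInherited         # $false = set on this object
            InheritanceFlags = $ace.InheritanceFlags    # None = "this object only"
            ObjectType       = $ace.ObjectType          # GUID of a property/right, or all zeros
        }
    }

    # Recurse into child containers (admin groups, servers, mailbox stores ...)
    foreach ($child in $Entry.Children) {
        Get-AuthenticatedUsersAces -Entry $child
    }
}

$report = Get-AuthenticatedUsersAces -Entry $exchRoot

# Explicit (non-inherited) ACEs are the ones someone actually set on a
# container. Any of them whose InheritanceFlags are not "None" flows down to
# every child object, which is how the group ends up on each mailbox store.
"`nACEs defined directly on a container (candidate sources of the inheritance):"
$report | Where-Object { -not $_.Inherited } |
    Format-Table Path, Type, Rights, InheritanceFlags -AutoSize -Wrap

"`nContainers where Authenticated Users is present only by inheritance:"
$report | Where-Object { $_.Inherited } |
    Select-Object -ExpandProperty Path -Unique
```

Read the first table against what the reply describes as the expected state: on the organization object itself, an Allow for "Read all properties" with InheritanceFlags of None is normal; an explicit ACE with ContainerInherit set, or any entry at all on a mailbox store, is the thing to take to ADSIEDIT and either remove or re-scope to "this object only". Run it once before and once after the change so the second table comes back empty for the mailbox stores.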
