Restricting access to an Exchange mailbox
Currently everyone in our organisation can access everyone else's mailbox in Outlook by going to File - Open - Other User's Folder. I'd like to know which permission allows this and where to change it.
July 1st, 2009 10:03am
Check for an inherited 'Receive As' permission on the 'Everyone' account, starting from the Exchange Organization and drilling down to the mailbox database level with ADSIEdit.msc; the path is given below. If you find it anywhere, remove the 'Receive As' permission by unticking the Allow checkbox.
Path: CN=Configuration,DC=Domain,DC=com ->Configuration ->Services ->Microsoft Exchange ->
Check in Security tab of all these one by one...
<Exchange ORG Name>
Administrative Groups
<Admin Group Name>
<Server Name>
<Storage Group Name>
<Mailbox Database Name>
Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M |
July 1st, 2009 10:29am
I agree with Amit; please check the permission in ADSIEdit. As a supplement, there is no "Receive As" permission at the Information Store and storage group level.
July 2nd, 2009 11:53am
Amit, thanks for that. I have gone into ADSIEdit and drilled down into the permissions on my mailbox. I found the Everyone group and ticked Deny on the 'Receive As' permission; however, the problem still remains. Funny that the Everyone group is only present on my mailbox, not on any other level above that. Is there another path/section that I need to look at? Thanks so far. Your help is appreciated.
July 3rd, 2009 6:03am
Thanks for your help, Elvis; however, the problem still remains.
July 3rd, 2009 6:03am
Is there another group which contains lots of users or all users in your company? If so, check these groups' permissions in ADSIEdit.
July 3rd, 2009 6:18am
Hey Elvis. There is another users container which contains all of the user accounts in the company. I've gone into that one and had a look under the Security tab, where I can see that there is an 'Everyone' group; however, the only permission that is ticked within that group is 'Allow - Change Password'. I thought I'd leave that permission alone, but still click 'Deny - Receive As'. I've done that on my account; however, I can still easily open my account from a test account. This is kinda solution as yet
July 3rd, 2009 8:48am
Which specific permissions allow users access to their own mailbox as well as allow them to send and receive email? Thanks.
July 3rd, 2009 8:56am
Access to their own mailbox is, I think, the Self Full Mailbox Rights (Mailbox AD ACL, Mailbox Rights in Exchange Advanced tab) permission. Send/Receive As is also on Self, but in the AD ACL (Security tab of the user account).
Either the Receive As permission in the AD ACL at the Exchange Org, Admin Group, Server or Database level (which you checked with ADSIEdit) or Full Mailbox access in Mailbox Rights (Mailbox AD ACL, Mailbox Rights in Exchange Advanced tab) at each individual user level can give full mailbox access to any user. So you need to find where users have any one of these in your environment to give access to everybody...
You can also run ExBPA, which also reports certain permission issues...
Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M |
July 6th, 2009 9:26am
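The two places named in the last reply (Receive As on the Exchange configuration objects, and Full Mailbox access on individual mailboxes) can be audited in one pass. The script below is an added example, not something posted by anyone in the thread; it assumes the Exchange Management Shell (Exchange 2007 or later), and `$broad`, `$extraDns` and `Test-BroadPrincipal` are hypothetical names chosen here. Add any group that contains most or all of your users to `$broad`.

```powershell
# Added example; assumes the Exchange Management Shell (Exchange 2007 or later).
# Principals treated as "everybody" (an assumed list; extend it for your domain,
# e.g. with a group that contains all user accounts).
$broad = 'Everyone', 'Authenticated Users', 'Domain Users'

# Optional: DNs of the organisation and administrative group containers to
# audit as well (left empty here; copy them from ADSIEdit if needed).
$extraDns = @()

function Test-BroadPrincipal($user) {
    # ACE users print as DOMAIN\name or NT AUTHORITY\name; compare the name part.
    $broad -contains ($user.ToString().Split('\')[-1])
}

# 1. Receive-As ACEs on servers and mailbox databases (plus any extra DNs).
$targets  = @($extraDns)
$targets += Get-ExchangeServer  | ForEach-Object { $_.DistinguishedName }
$targets += Get-MailboxDatabase | ForEach-Object { $_.DistinguishedName }

$configHits = foreach ($dn in $targets) {
    Get-ADPermission -Identity $dn |
        Where-Object { ($_.ExtendedRights -like 'Receive-As') -and
                       (Test-BroadPrincipal $_.User) } |
        Select-Object @{n='Object';e={$dn}}, User, Deny, IsInherited
}

# 2. Full mailbox access granted on individual mailboxes.
$mailboxHits = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object { ($_.AccessRights -like '*FullAccess*') -and
                   (Test-BroadPrincipal $_.User) } |
    Select-Object @{n='Object';e={$_.Identity}}, User, Deny, IsInherited

# Deny and IsInherited are shown so that an explicit Deny on one object can be
# told apart from an Allow that is inherited from a level above it.
$configHits  | Format-Table -AutoSize
$mailboxHits | Format-Table -AutoSize
```

Rows with `Deny` false are the grants to remove; `IsInherited` true means the entry has to be changed on a parent object rather than where it is listed.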