Default (or hardened) mailbox permissions for Exchange 2003
I need help! My consultant converted us to Exchange 2003 (with MS Server/AD) from GroupWise. I have just discovered that all users can open another's Inbox without any delegation or special user-level permissions. I would like to fix the default permissions and correct the current mailboxes so that only the owner can view his/her Inbox, and any Admins do not have access to any Inboxes (as I believe is the stated default for permissions). I do have Public Folders, Journals, Calendars and Contacts that should be open to all and controlled via the Outlook client side (but that is secondary to the Inbox problem). All personal mail folders were converted from GroupWise into a folder called "Cabinet" which should be private also (important). Please help?

My current permissions for "Exchange Advanced -> Mailbox Rights" under Properties for the user are:

Anonymous Logon: Allow - Read Permissions; Deny - Read Permissions; Deny - Full Mailbox Access
Domain Admins: Deny - Full Mailbox Access
Domain Users: Allow - Delete Mailbox Storage, Read Permissions, Change Permissions, Take Ownership, Full Mailbox Access
Enterprise Admins: Allow - Delete Mailbox Storage, Read Permissions, Change Permissions, Take Ownership, Full Mailbox Access; Deny - Full Mailbox Access
Everyone: Allow - Read Permissions
Exchange Domain Servers: Allow - Delete Mailbox Storage, Read Permissions, Change Permissions, Take Ownership, Full Mailbox Access; Deny - Full Mailbox Access
exchangeservername: Allow - Delete Mailbox Storage, Read Permissions, Change Permissions, Take Ownership, Full Mailbox Access

These buttons are greyed out and cannot be changed at the user level. When I try to change or delete a value I get an error message saying it cannot be changed because it is "inheriting permissions from its parent and cannot be changed".
What are the default (accepted) permissions for "Mailbox Rights"?
February 19th, 2008 9:07pm

Hi, the problem is that the Domain Users group has permissions; it shouldn't have any (I just double-checked at an Exchange 2003 installation I am working on). Try to remove this group from one mailbox and see if it works as expected. If it does, you should be able to remove this permission on the server itself. Leif
February 19th, 2008 10:21pm

I'm having a similar issue, but understand that he cannot remove that group if its permissions are inherited without turning off the inheritance first. My permissions appear to be the same, except that my Everyone group has "special permissions" set, with Read, Execute, Read permissions, List contents and List object selected. I'm tempted to remove the inheritance at the next-to-top level, set it to copy the permissions, and work with them that way. I suspect that if it bombed on me I could turn the inheritance back on and it would reset all the permissions to what they were, at least those that are inherited. Let me know if you guys find any more information. Thank you, Rob
February 22nd, 2008 5:27pm

Success!! Wanted to let you know that removing the inherited permissions at the Mailbox Store level did the trick. You need to do that and then remove the Domain Users group as stated previously. Also check the Advanced tab to make sure that the Everyone group does not have any "special permissions" set, as mine did. Now, without the user setting permissions for delegates in Outlook, no one can see others' boxes. As always though, document what you change so that if the need arises you can revert to the old settings. Good luck, Rob
February 22nd, 2008 6:22pm
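The check a practitioner would want after Rob's fix, as an added example that is not part of the thread: a PowerShell script that decodes the mailbox-rights ACL Exchange 2003 caches in each user's msExchMailboxSecurityDescriptor attribute (the same ACL the "Mailbox Rights" dialog displays), shows whether each entry is inherited from the Mailbox Store, and flags any broad principal (Domain Users, Everyone, Anonymous Logon, Authenticated Users) or admin group (Domain Admins, Enterprise Admins) whose Allow for Full Mailbox Access is not cancelled by a Deny. The access-mask bit values are the ones the dialog maps to its checkboxes. The function names, the domain SID S-1-5-21-1000-2000-3000 in the constructed sample, and the assumption that the live lookup runs from a domain-joined session with read access to the attribute are all mine, not something the thread states.

```powershell
# Added example, not code from the thread. Decodes Exchange 2003 mailbox rights and
# flags broad or admin principals that effectively hold Full Mailbox Access.
# Exchange 2003 caches each mailbox's rights in the user object's
# msExchMailboxSecurityDescriptor attribute; the store's own copy is authoritative,
# so the AD copy can lag briefly after a change at the Mailbox Store level.

# Access-mask bits that the "Mailbox Rights" dialog maps to its checkboxes.
$MailboxRightBits = @{
    FullMailboxAccess         = 0x1
    AssociatedExternalAccount = 0x4
    DeleteMailboxStorage      = 0x10000
    ReadPermissions           = 0x20000
    ChangePermissions         = 0x40000
    TakeOwnership             = 0x80000
}

# Principals that should never end up with Full Mailbox Access on a user's mailbox.
# Well-known SIDs are matched directly; domain groups by RID (S-1-5-21-<domain>-<RID>).
$FlaggedSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon'; 'S-1-5-11' = 'Authenticated Users' }
$FlaggedRids = @{ 512 = 'Domain Admins'; 513 = 'Domain Users'; 519 = 'Enterprise Admins' }

function Get-PrincipalLabel {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $s = $Sid.Value
    if ($FlaggedSids.ContainsKey($s)) { return $FlaggedSids[$s] }
    if ($s -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $FlaggedRids.ContainsKey([int]$Matches[1])) {
        return $FlaggedRids[[int]$Matches[1]]
    }
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $s }
}

function Test-FlaggedPrincipal {
    param([string]$Label)
    return ($FlaggedSids.Values -contains $Label) -or ($FlaggedRids.Values -contains $Label)
}

function Get-MailboxRightsAudit {
    # One row per principal in the DACL: allowed/denied rights, whether its ACEs were
    # inherited (set at the Mailbox Store rather than on the user), and the net result.
    param([Parameter(Mandatory=$true)][System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    $byPrincipal = @{}
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        $label = Get-PrincipalLabel $ace.SecurityIdentifier
        if (-not $byPrincipal.ContainsKey($label)) {
            $byPrincipal[$label] = @{ Allow = @(); Deny = @(); Inherited = $false }
        }
        $entry  = $byPrincipal[$label]
        $rights = @($MailboxRightBits.Keys | Where-Object { ($ace.AccessMask -band $MailboxRightBits[$_]) -ne 0 })
        if ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed) {
            $entry.Allow += $rights
        } elseif ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessDenied) {
            $entry.Deny += $rights
        }
        if (($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0) { $entry.Inherited = $true }
    }
    foreach ($label in ($byPrincipal.Keys | Sort-Object)) {
        $e = $byPrincipal[$label]
        # A Deny on the same principal cancels the Allow, as in the OP's Enterprise Admins entry.
        $effectiveFma = ($e.Allow -contains 'FullMailboxAccess') -and -not ($e.Deny -contains 'FullMailboxAccess')
        New-Object PSObject -Property @{
            Principal         = $label
            Allow             = ($e.Allow | Sort-Object -Unique) -join ','
            Deny              = ($e.Deny  | Sort-Object -Unique) -join ','
            Inherited         = $e.Inherited
            FullMailboxAccess = $effectiveFma
            Finding           = $(if ($effectiveFma -and (Test-FlaggedPrincipal $label)) { 'BROAD ACCESS' } else { '' })
        }
    }
}

function Get-MailboxDescriptorsFromAD {
    # Pulls the cached descriptor of every mailbox-enabled user in the current domain.
    # Assumes a domain-joined session with read access to msExchMailboxSecurityDescriptor.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(homeMDB=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msExchMailboxSecurityDescriptor')
    foreach ($result in $searcher.FindAll()) {
        $raw = $result.Properties['msexchmailboxsecuritydescriptor']
        if ($raw.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            User       = [string]$result.Properties['distinguishedname'][0]
            Descriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$raw[0]), 0)
        }
    }
}

# Constructed sample reproducing the OP's listing as SDDL (domain SID is made up; the
# Exchange Domain Servers and server computer-account entries are left out). All ACEs
# carry the ID flag because the OP reports them as inherited from the store.
$sampleSddl = 'D:' +
    '(A;ID;0x20000;;;S-1-5-7)(D;ID;0x20000;;;S-1-5-7)(D;ID;0x1;;;S-1-5-7)' +
    '(D;ID;0x1;;;S-1-5-21-1000-2000-3000-512)' +
    '(A;ID;0xF0001;;;S-1-5-21-1000-2000-3000-513)' +
    '(A;ID;0xF0001;;;S-1-5-21-1000-2000-3000-519)(D;ID;0x1;;;S-1-5-21-1000-2000-3000-519)' +
    '(A;ID;0x20000;;;S-1-1-0)'
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor($sampleSddl)

# Offline run: Domain Users is flagged, Enterprise Admins is not (its Deny cancels the
# Allow), Everyone and Anonymous Logon hold no Full Mailbox Access.
Get-MailboxRightsAudit $sample | Format-Table Principal,Allow,Deny,Inherited,FullMailboxAccess,Finding -AutoSize

# Live run on a domain-joined box: every mailbox that still carries a finding.
# Get-MailboxDescriptorsFromAD | ForEach-Object {
#     $u = $_.User
#     Get-MailboxRightsAudit $_.Descriptor | Where-Object { $_.Finding } |
#         Select-Object @{n='User';e={$u}},Principal,Allow,Deny,Inherited
# }
```

The Exchange Domain Servers group and the server's own computer account legitimately hold Full Mailbox Access (the store runs under them), so the script deliberately does not flag them; what it should report after the fix from this thread is no row with BROAD ACCESS and, once inheritance at the Mailbox Store has been broken, Inherited = False on the entries that were removed there. Because the AD attribute is a cache, re-run the live query a little while after the change before trusting a clean result.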

Yes, this worked: users cannot see others' Inboxes (mailboxes) now. However, users can no longer see others' Calendars. I cannot set the permissions in the Outlook client either, as it states "The Delegates settings were not saved correctly. Unable to modify access control list. You do not have sufficient permission to perform this operation on this object." Users should be able to check others' Calendars, especially whether the user is "Busy" or not.
March 17th, 2008 10:27pm

I need help! How do I deny anonymous domain users so that they cannot get into other users' OWA? Because one domain user can access other users' mail through OWA without a password. Please help me.
July 16th, 2009 11:06am

Noushad, you need to check the same level of permissions as discussed in this thread. Do you know if they can access others' mailboxes using Outlook? Vinod | CCNA | MCSE 2003 + Messaging | MCTS | ITIL V3
July 16th, 2009 11:57am
