Exchange 2007 - My AD account has Full Access Permissions for all Mailboxes, Why?
Hi, I have a problem at the moment whereby my Windows AD account has full access permissions across all mailboxes on our Exchange 2007 mailbox servers. I used this account to build the servers, but I don't understand why my account would have full access permissions.

I have been asked to remove these permissions by my Manager, but I cannot see where these permissions are being inherited from. I have checked in the Exchange Management Console, the legacy Exchange System Manager tool, ADUC and ADSI Edit, yet I cannot see where these permissions are coming from.

Has anyone got any ideas where else I can look, to remove these permissions?

Regards,
Richard
March 16th, 2011 5:37am

Check the groups your account is a member of. I think Exchange Domain Servers gives the same access. I have a note here that says to check that, but I haven't tested it myself.

How are you testing whether the permissions have gone? Are you actually seeing the "Full Mailbox" permission, or just seeing if you can access any mailbox? If the latter, remember that Exchange caches permissions, so any change can take two hours to be fully effective.

Simon.
Simon Butler, Exchange MVP
March 16th, 2011 8:14pm

Thanks for the reply. I have checked to see the groups my account is a member of and it is not a member of the Exchange Domain Servers group. The permissions themselves do not grant me access to the mailboxes because I must have a deny permission somewhere. I can remove the full access permissions on a per-mailbox basis, but when new mailboxes are created the permission is set again, so it must be inheriting from somewhere. The Full Access permissions are set regardless of mailbox store, storage group or mailbox server, so it is being inherited from quite high up the Organisation tree. Any other thoughts?
March 17th, 2011 7:15am

Hi,

Could you please try this command?

    Get-MailboxPermission -Identity "your account" | fl

Find the permissions whose "IsInherited" attribute is true. Then run this command to remove the permission:

    Remove-MailboxPermission -Identity "youraccount" -AccessRights FullAccess -InheritanceType All

More information about:

Add-MailboxPermission http://technet.microsoft.com/en-au/library/bb124097(EXCHG.80).aspx
Get-MailboxPermission http://technet.microsoft.com/en-au/library/aa998218(EXCHG.80).aspx
Remove-MailboxPermission http://technet.microsoft.com/en-au/library/bb125153(EXCHG.80).aspx

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 17th, 2011 11:06pm
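
The thread asks where an inherited Full Access entry is set. The following is an added example, not code from any poster in this thread: an Exchange Management Shell audit that summarises the account's Full Access entries across all mailboxes and then lists entries set directly on the parent objects (mailbox databases, Exchange servers, the organization container). The account name is a placeholder, and the choice of parent objects to inspect is an assumption.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007); not from the thread.
# Read-only: it reports permissions and changes nothing.
$Account = 'EXAMPLE\admin.account'   # placeholder: the account under review

# 1. Collect every Full Access entry for the account across all mailboxes.
$entries = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Account |
    Where-Object { $_.AccessRights -like '*FullAccess*' }

# Summarise the entries: inherited vs. explicit, allow vs. deny.
$entries | Group-Object IsInherited, Deny |
    Select-Object Count, @{ n = 'IsInherited, Deny'; e = { $_.Name } }

# 2. An inherited entry is defined on a parent object in Active Directory.
#    Gather the parents assumed here: each mailbox database, each Exchange
#    server, and the organization container.
$parents = @()
$parents += Get-MailboxDatabase | ForEach-Object { $_.DistinguishedName }
$parents += Get-ExchangeServer  | ForEach-Object { $_.DistinguishedName }
$parents += (Get-OrganizationConfig).DistinguishedName

# 3. On each parent, list entries that name the account and are set on that
#    object itself (IsInherited is False). These are the candidates for the
#    source of the entries found in step 1.
#    -User only matches entries that name the account directly; entries
#    granted to a group the account belongs to are not returned.
foreach ($dn in $parents) {
    Get-ADPermission -Identity $dn -User $Account |
        Where-Object { -not $_.IsInherited } |
        Select-Object Identity, User, Deny, AccessRights, ExtendedRights
}
```

If step 3 returns nothing, repeat it with each group the account belongs to as the `-User` value.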

Sorry, but I'm not sure I understand what positive effect there is by running these cmdlets. I know how to look at the permissions on my account and I know how to remove all inherited permissions, but how is that then going to ensure my Full Access permissions across all Mailboxes are then removed?
March 21st, 2011 7:22am

A simple method is to test whether you can send email on behalf of the user. Or you could try to modify his shared calendar permission.
March 24th, 2011 12:37am

This topic is archived. No further replies will be accepted.
