Exchange Full Access Permission contains Everyone (why?)
Been about two months now running Exchange 2010 SP1, migrated from Exchange 2003. Just discovered that everyone has access to everyone else's mailbox. Every user under Manage Full Access Permission contains:
Everyone
DOMAIN\Exch Servers
DOMAIN\Exch Trusted Subsystem
NT AUTHORITY\Authenticated Users
NT AUTHORITY\SELF
NT AUTHORITY\SYSTEM
If I remove Everyone "OR" Authenticated Users from a user, then that user can no longer access their mailbox. I suspect EMC isn't giving me the full picture. In 2003 there was an area to see ALL security on a mailbox, both allow and deny. Where is that in 2010? Clearly something is just not being inherited correctly. There was never an "Everyone" on all mailboxes in my 2003. Any ideas? I'd greatly appreciate any response. Thanks!
December 3rd, 2010 1:04pm

Hi JEmlay, please use the Security tab in Active Directory Users and Computers to see the permissions on the accounts. Regards, Rafael Okamoto
December 3rd, 2010 1:34pm

Everything is tied into there now? No more separate rights?
Everyone
SELF
Authenticated Users
SYSTEM
NETWORK SERVICE
Exchange Server
Exchange Trusted Subsystem
Exchange Windows Permissions
Domain Admins
Cert Publishers
Enterprise Admins
RAS and IAS Servers
Administrators
Account Operators
Pre-Windows 2000 Compatibility Access
Windows Authorization Access Group
Terminal License Servers
If I create a new mailbox it inherits the same permissions listed in my first post. I don't see anything being given DENY permissions, yet I know that the Domain Admins should specifically have certain deny rights, correct? At any rate, if I remove all entries in Full Access Permissions and add back just SELF, the user cannot access the mailbox. No one can at that point.
EDIT: I removed each of the items in Full Access Permissions (EMC) one by one, since only putting SELF in there was not good. Come to find out the ONLY WAY my mailboxes will work is if I have BOTH "Everyone" and "Authenticated Users" in there. I'm at a loss as to how to work backwards from here. I was hoping to find an answer in the user accounts' security but I see nothing odd there. So the new question is, why do my mailboxes only work if they contain both EVERYONE and AUTHENTICATED USERS? If I remove those and give anyone else access, it won't work. Any ideas?
December 3rd, 2010 2:25pm

Hi, try to create a new mailbox database, then create a new user in this new mailbox database. What's the result? Does the issue persist? The problem should be caused by incorrect permission settings on your organization. Please follow these steps to check the permission settings:
1. On the DC, run ADSIEdit. Right-click ADSIEdit and choose Connect to. In "Select a well known Naming Context", select Configuration.
2. Right-click [CN=Configuration,dc=domain,dc=com]. In the Security tab, make sure that there is no Everyone under the "Group or user names" list. Also check [CN=Configuration,dc=domain,dc=com;cn=services] and [CN=Configuration,dc=domain,dc=com;cn=services;cn=Microsoft exchange server], and make sure there is no Everyone group.
3. Expand to [CN=Configuration,dc=domain,dc=com;CN=services;cn=Microsoft Exchange]. Right-click CN=First Organization and choose Properties.
4. In the Security tab, please check:
a. It only has the following objects under the "Group or user names" list: Everyone, Authenticated Users, NETWORK SERVICE, Exchange Servers (Domain1\exchange servers), Exchange Organization Administrators, Exchange View-Only Administrators, Exchange Public Folder Administrators, Exchange Trusted Subsystem, Organization Management, Public Folder Management, Delegated Setup, Administrator, Domain Admins, Schema Admins, Enterprise Admins, Anonymous Logon. If there are any unknown SIDs, such as S-1-0-111110~, please remove them.
b. Everyone only has the following allow permissions checked: "Create named properties in the information store", "Create public folder", "Special permissions".
c. Authenticated Users only has the following allow permission checked: "Special permissions".
December 7th, 2010 2:44am

Thanks so much for your reply Gen! Creating a new mailbox database didn't change anything.
2. I don't seem to have [CN=Configuration,dc=domain,dc=com;cn=services;cn=Microsoft exchange server]. But everything else checks out.
4a. In addition to your list I have SYSTEM. Should I delete it? Also, I do not have Exchange Public Folder Administrators.
4b. 'Everyone' also had Read, Write, Receive As and Send As. I removed those. However, it does not have special permissions. Can I get a list of which special permissions it should have?
4c. Authenticated Users had the same setup as Everyone, so I removed the extra. However, this one DID have the special permissions.
December 8th, 2010 3:46pm

Hi, I have the same issue. Any news about how to solve it?
August 31st, 2011 11:55am

Same problem here. The situation is exactly the same, except we don't have "Everyone" listed in the Full Access control in the EMC. We only have "Authenticated Users", but for all the remaining details the problem looks the same. Users can have access to anybody else's mailbox; a mailbox is not accessible to its user if "Authenticated Users" is removed from the Full Access control list. Tried creating a different OU, or removing inherited access permissions from the mailbox manually; this didn't help either.
September 12th, 2011 11:14am

Any solution to the problem above?
February 14th, 2012 1:51am

Any solution to the problem above? I can't believe nobody has an answer to this yet. All the threads I see about this problem just eventually end with a post like this, people left wondering what the fix is. I've triple-checked everything and compared it to another 2010 install. Everything I can see matches, except this, but if I remove Authenticated Users, nobody can access mailboxes.
July 17th, 2012 10:23am

You need to fix the permissions using ADSIEDIT. Under [CN=Configuration,dc=domain,dc=com;cn=services;cn=Microsoft Exchange], right-click Microsoft Exchange, Properties, Security tab, click Advanced.
Everyone should have:
create named properties in info store
create public folder
list contents
read all properties
read permissions
Authenticated Users should have:
Deny on read msExchAvailabilityUserPassword
allow read all properties
Make sure Everyone and Authenticated Users do not have Receive As rights at the org level all the way down to the database level.
James Chong MCITP | EA | EMA; MCSE | M+, S+, Security+, Project+, ITIL msexchangetips.blogspot.com
July 17th, 2012 11:24am
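The checks the thread arrives at (Full Access on every mailbox held by Everyone / Authenticated Users, and Receive-As inherited from the organization and database objects) can be audited from the Exchange Management Shell instead of clicking through EMC and ADSIEdit. The script below is an added example, not code posted in the thread; it assumes an Exchange 2010 Management Shell session with view-only rights and uses only the Get-Mailbox, Get-MailboxPermission, Get-OrganizationConfig, Get-MailboxDatabase and Get-ADPermission cmdlets. It reports and changes nothing.

```powershell
# Added audit script; not posted in this thread. Assumes an Exchange 2010
# Management Shell session with at least view-only rights. Read-only: it only
# reports where the broad principals hold mailbox or Receive-As access.

function Test-BroadPrincipal {
    param([string]$User)
    # Well-known principals the thread identifies as the problem. Depending on
    # the cmdlet they appear with or without the NT AUTHORITY\ prefix.
    return ($User -match '^(NT AUTHORITY\\)?(Everyone|Authenticated Users|ANONYMOUS LOGON)$')
}

# 1. Mailbox level: FullAccess held by Everyone / Authenticated Users. The
#    thread's symptom is that every mailbox shows these entries as inherited.
Write-Host '== FullAccess granted to broad principals (expected: nothing) =='
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        (-not $_.Deny) -and
        ($_.AccessRights -contains 'FullAccess') -and
        (Test-BroadPrincipal "$($_.User)")
    } |
    Select-Object Identity, User, IsInherited |
    Format-Table -AutoSize

# 2. Walk the inheritance chain: Receive-As on the organization object and on
#    each mailbox database is what flows down to every mailbox as FullAccess.
Write-Host '== Receive-As on org / database objects (expected: nothing) =='
$scopes = @((Get-OrganizationConfig).DistinguishedName)
$scopes += Get-MailboxDatabase | ForEach-Object { $_.DistinguishedName }
foreach ($dn in $scopes) {
    Get-ADPermission -Identity $dn |
        Where-Object {
            (-not $_.Deny) -and
            ("$($_.ExtendedRights)" -like '*Receive-As*') -and
            (Test-BroadPrincipal "$($_.User)")
        } |
        Select-Object Identity, User, IsInherited |
        Format-Table -AutoSize
}

# 3. For comparison, list every allow ACE Everyone holds at the organization
#    level, so it can be checked against the short list given in the fix above
#    (create named properties, create public folder, list contents,
#    read all properties, read permissions).
Write-Host '== All allow rights for Everyone on the organization object =='
Get-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName |
    Where-Object { (-not $_.Deny) -and ("$($_.User)" -eq 'Everyone') } |
    Select-Object User, AccessRights, ExtendedRights, Properties |
    Format-List
```

Any row in sections 1 or 2 marked IsInherited is coming from a parent object, so removing it per mailbox in EMC will not stick; the entry has to be removed at the organization or database object where section 2 finds it.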

