Some users can access ANY mailbox without any permission (big defect)
Hello,

Many users in our company can access any other mailbox folder; they can access any Inbox, any Calendar, any Tasks folder, any Sent Items ..... We have Exchange 2007 and Active Directory 2003. The Exchange DB has 4 SGs, and they can access any other mailbox in any SG; they can even modify, send and delete. They do not have any permission on other mailboxes, SGs, Exchange, or Active Directory. They are normal users in (Domain Users group) only.

Please help, this is a breakneck issue ....
October 11th, 2009 2:48pm

Looks like you have certain permission issues at the top of the Exchange organization or the AD. Check the membership of these users: are they part of any protected group (Administrators, Enterprise Admins etc.)? Was this happening all the time or did it start happening recently? Try running ExBPA for any recent changes and for changes in default settings.

Raj
October 12th, 2009 10:06am

You could also check access at the database level. How this might have been done is covered here: http://technet.microsoft.com/en-us/library/aa996343.aspx

Neil Hobson, Exchange MVP
October 12th, 2009 11:09am

It seems that (permission issues at the top): regarding the group membership, the users are normal users in the Domain Users group only, and this issue is happening all the time. I ran ExBPA, permission check, and no issue.
October 13th, 2009 8:48am

Thank you for the link. I found the users have "Everyone" in the list of (Manage Full Access Permission) for all users. When I tried to remove "Everyone" from some mailboxes, the user of that mailbox cannot log in to OWA and he got the following error:

----------------------
RequestUrl: https://webmail.domainname.com:443/owa/default.aspx
User host address: xx.xx.xx.xx

Exception
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /o=Company Name/ou=First Administrative Group/cn=Recipients/cn=user.

Call stack
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags)
Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Clients.Owa.Core.OwaWindowsIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo)
Microsoft.Exchange.Clients.Owa.Core.UserContext.Load(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.CreateUserContext(OwaContext owaContext, UserContextKey userContextKey, UserContext& userContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010)
Diagnostic context:
Lid: 18969 EcDoRpcExt2 called [length=943]
Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=124][latency=0]
Lid: 23226 --- ROP Parse Start ---
Lid: 27962 ROP: ropLogon [254]
Lid: 17082 ROP Error: 0x3F2
Lid: 26937
Lid: 21921 StoreEc: 0x3F2
Lid: 27962 ROP: ropExtendedError [250]
Lid: 1494 ---- Remote Context Beg ----
Lid: 26426 ROP: ropLogon [254]
Lid: 4740 StoreEc: 0x80070005
Lid: 30409 StoreEc: 0x80070005
Lid: 19145 StoreEc: 0x3F2
Lid: 23241 StoreEc: 0x3F2
Lid: 32186
Lid: 8620 StoreEc: 0x3F2
Lid: 1750 ---- Remote Context End ----
Lid: 26849
Lid: 21817 ROP Failure: 0x3F2
Lid: 26297
Lid: 16585 StoreEc: 0x3F2
Lid: 32441
Lid: 1706 StoreEc: 0x3F2
Lid: 24761
Lid: 20665 StoreEc: 0x3F2
Lid: 25785
Lid: 29881 StoreEc: 0x3F2

Call stack
Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)
Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
Microsoft.Mapi.ConnectionCache.OpenMapiStore(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, ClientIdentityInfo clientIdentity, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Mapi.ConnectionCache.OpenMailbox(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, WindowsIdentity windowsIdentityAs, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
------------------------------------------

But when I returned "Everyone" to the list of (Manage Full Access Permission), the user logs in to OWA immediately.
October 13th, 2009 8:52am

Hi,

Please first remove the Full Access permission from Everyone for the problematic mailboxes, then verify whether permission inheritance has been disabled. If inheritance has been disabled, you need to re-enable it.

Using ADSIEdit.msc, navigate to the Exchange server object and view its Properties, switch to the Security tab and click Advanced, then sort the columns by "Name" and locate the entries for "Exchange Servers". Determine if there are explicit Deny entries for Exchange Servers (4) for the following rights:

Store Constrained Delegation
Store Read and Write Access
Store Read only Access
Store Transport Access

By default, Exchange Servers will explicitly be allowed these rights at the server level, but denied these rights at the Org level. The explicit Allow overrides the inherited Deny. Thus, please manually remove the explicit Deny of the above rights for Exchange Servers at the Exchange server object if it is Deny.

After that, please check this issue.

Thanks
Allen
October 13th, 2009 11:42am
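The two checks discussed so far (the "Everyone" Full Access entries the original poster found, and Allen's explicit-Deny check on the server object) can be audited from the Exchange 2007 Management Shell instead of clicking through each mailbox. This is an added example, not a script from the thread or from Microsoft; the server name is a placeholder taken from the thread, and it assumes the cmdlets are run by an Exchange administrator on Exchange 2007.

```powershell
# Added audit script (not from the thread). Run in the Exchange 2007 Management Shell.
$serverName = "DB_Server_Name"   # placeholder from the thread; use your mailbox server name

# 1) Which mailboxes grant FullAccess to Everyone, and is that ACE inherited?
#    An inherited entry was not set on the mailbox; it flows down from a parent object.
$everyoneFullAccess = Get-Mailbox -Server $serverName -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        $_.User -like "*Everyone*" -and
        $_.AccessRights -contains "FullAccess" -and
        -not $_.Deny
    } |
    Select-Object Identity, User, IsInherited

"Mailboxes where Everyone has FullAccess:"
$everyoneFullAccess | Format-Table -AutoSize

# 2) If the entries above are inherited, look for the source at the database level,
#    which is the place Neil's link covers (Get-ADPermission on the database objects).
"Database-level permissions granted to Everyone:"
Get-MailboxDatabase -Server $serverName |
    Get-ADPermission |
    Where-Object { $_.User -like "*Everyone*" -and -not $_.Deny } |
    Select-Object Identity, User, AccessRights, ExtendedRights, IsInherited |
    Format-Table -AutoSize

# 3) Allen's check: explicit (non-inherited) Deny ACEs for "Exchange Servers" on the
#    server object. The inherited Deny from the organization object is the default
#    and must stay; only an explicit Deny on the server object is unexpected.
"Explicit Deny entries for Exchange Servers on the server object:"
Get-ExchangeServer $serverName |
    Get-ADPermission |
    Where-Object {
        $_.Deny -and -not $_.IsInherited -and $_.User -like "*Exchange Servers*"
    } |
    Select-Object User, ExtendedRights, AccessRights |
    Format-Table -AutoSize
```

The script only reports; removing an offending entry is still a deliberate change (Remove-MailboxPermission or Remove-ADPermission on the object where the ACE was actually set), and the OWA logon failure the original poster hit shows why the mailbox user's own access must be confirmed before the Everyone entry is dropped.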

> Using ADSIEdit.msc navigate to the Exchange server object and view the Properties,

Hi,

Could you please tell me what is meant by "Exchange server object"? Is it the "Server Name" of the Exchange DB role?

For example: CN=DB_Server_Name,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XYZ Mail Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=org
October 13th, 2009 11:50am

Hi,

Yes, that's the Server Name of the Exchange DB role (CN=DB_Server_Name,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XYZ Mail Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=org).

Thanks
Allen
October 13th, 2009 12:11pm

I manually removed the 4 rights for "Deny - Exchange Servers". I tested after that by removing Everyone from my mailbox, but then I cannot access the email. Once I return Everyone to the (Manage Full Access Permission) list, the mailbox becomes accessible. And the users still can access ANY mailbox.
October 13th, 2009 1:56pm

Hi,

Please try to move one of the problematic users to another store, then check whether the user still has permission to access others' mailboxes.

Thanks
Allen
October 15th, 2009 1:02pm

I have the same issue. I can also see Deny Exchange Servers settings for the following rights when I looked at the security settings of CN=SERVERNAME: Store Constrained Delegation, Store Read and Write Access, Store Read only Access, Store Transport Access. But it is inherited from CN=First Organization; could I remove those Deny settings from there?
October 21st, 2010 3:19am
