We have an Exchange 2010 environment that seems to have some unwanted permission problems.

To explain, If I create 2 new users USER-A and USER-B (just standard domain users with mailboxes) they instantly have the ability to add each others mailbox to their own outlook client and view and delete each others objects. 

I have checked the full access permissions for both the users and I cant see any groups there that would have granted the permission. For this test I even created a new mailbox database on one of the servers in case it was a permission set at the database level. It looks like the permission is being granted at a higher level somewhere. 

I know the "receive as" permission also has the ability to grant this type of access, but I'm not sure how to check this permission. 

Can someone help identify where 2 new users might have picked up this permission to open and view other mailboxes?

Thanks in advance 

Hi,

From your description, I recommend you use the following cmdlet to verify who have permissions to the mailbox datebase at first. And then check if new users are members of these listed groups.

Get-ADPermission -Identity "Mailbox Database identity" |ft user,accessrights

Hope this can be helpful.

Best regards,

Thank you,

After running the command you suggested, the only group that is a concern to me is Everyone. Apart from this group the users are only members of Domain Users which is not listed anywhere. 

The Everyone group has the following permissions

{ExtendedRight}{GenericRead}{CreateChild, ListChildren, ReadProperty, GenericWrite}

Could this be the issue?   

Just to update this thread, 

The problem was to do with Authenticated Users having being given FULL ACCESS at the organisation and server level. Once that permission was cut back to what was required the problem was solved

 

• Marked as answer by gblue 4 hours 10 minutes ago