What permission gives ability to grant full mailbox access
Hi, Our Help desk group in AD has rights to grant a customer access to another person's mailbox; however, after checking all groups they are a member of with a test account, I cannot locate where this permission is coming from. Could you please advise where I should be looking to prevent this, as we do not want them to have this high level of access? What would be the cmdlet on the management shell to remove this? And what is the cmdlet for me to verify a user's effective permissions? We are using Exchange 2007. Thank you
March 30th, 2011 7:01pm

Hi,

“What would be the cmdlet on the management shell to remove this?”

This example will remove user Test2's full access rights to user Test1's mailbox.

    Remove-MailboxPermission -Identity Test1 -User Test2 -AccessRights FullAccess -InheritanceType All

“And what is the cmdlet for me to verify a user’s effective permissions.”

You could run this command to view the permission.

    Get-MailboxPermission "test1"

Or

    Get-MailboxPermission "test1" | fl

More information about how to allow mailbox access
http://technet.microsoft.com/en-us/library/aa996343(EXCHG.80).aspx

Remove-MailboxPermission
http://technet.microsoft.com/en-us/library/bb125153(EXCHG.80).aspx
April 3rd, 2011 11:22pm
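
An audit to go with the commands in the answer above, as an added example that is not part of the original thread: it lists every explicit Full Access and Send As grant so that existing grants can be reviewed. It assumes the Exchange Management Shell on Exchange 2007 and an account allowed to read mailbox and Active Directory permissions; the variable names are illustrative.

```powershell
# Added example, not from the original thread.
# Run in the Exchange Management Shell (Exchange 2007).
# Reports explicit (non-inherited) Full Access and Send As entries on every
# mailbox, skipping each mailbox's own NT AUTHORITY\SELF entry.

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Full Access is a mailbox right, returned by Get-MailboxPermission.
$fullAccess = $mailboxes | Get-MailboxPermission | Where-Object {
    ($_.AccessRights -like "*FullAccess*") -and
    (-not $_.IsInherited) -and
    ($_.User -notlike "NT AUTHORITY\SELF")
}

# Send As is an Active Directory extended right on the user object,
# returned by Get-ADPermission.
$sendAs = $mailboxes | Get-ADPermission | Where-Object {
    ($_.ExtendedRights -like "*Send-As*") -and
    (-not $_.IsInherited) -and
    ($_.User -notlike "NT AUTHORITY\SELF")
}

"Explicit Full Access grants:"
$fullAccess | Select-Object Identity, User, AccessRights, Deny | Format-Table -AutoSize

"Explicit Send As grants:"
$sendAs | Select-Object Identity, User, ExtendedRights, Deny | Format-Table -AutoSize
```

Entries with IsInherited set to True are filtered out here; removing the `-not $_.IsInherited` condition shows those as well, which is useful when checking whether an entry was set higher up rather than on the mailbox itself.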

Thanks for responding, Jerome. What I am actually after though is NOT how to view, grant or remove this access but more to stop someone from being able to grant this permission in the first place. For example, our Help Desk all have the ability to give themselves or another person full access to someone else's mailbox, along with changing the Send As permissions. Obviously in a large organisation where there are 45 Help Desk staff this is a possible security risk. So when I go to the Security Tab & go to the Effective Permissions a whole big list of objects comes up, but we do not know which one controls the Mailbox Rights object under the Exchange Advanced tab of a user's Property window. Perhaps it is not even here that I should be looking; that is the problem, I cannot tell where they are getting this access from. Anyway, if you can assist here, that would be greatly appreciated. Thanks, Donna
April 4th, 2011 12:04am

This topic is archived. No further replies will be accepted.
