
Exchange Server Forums


going back to original store permissions

going back to original store permissions - 8.Oct.2007 10:13:07 AM   
whoolly

 

Posts: 8
Joined: 15.Aug.2005
From: pa
Status: offline
Hello All,
I have inherited an Exchange 2003 SP2 server. By accident, I realized that I was able to look at any user's email through OWA by going to the calendar, and then to their email. I need to remove this ability as it is a security risk. I looked at my account in AD and on the mailbox rights, the domain and enterprise admins have full access. I saw some literature that says that they should have deny. However, if I give them Deny, I can no longer get into my email via Outlook, even though my account has full mailbox access.
Can anyone help me to restore the mailbox permissions to what they are supposed to be?
Thanks in advance.
Post #: 1
RE: going back to original store permissions - 8.Oct.2007 1:02:52 PM   
a.grogan

 

Posts: 1917
Joined: 12.Apr.2005
From: London
Status: offline
Hiya this should help: http://telnetport25.wordpress.com/2007/07/25/default-security-permissions-on-an-exchange-mailbox-2003/

However, it sounds as if the permissions have been modified higher up the ESM tree, perhaps at organisation level. In the ESM, when you right-click on <your organisation>(Exchange) and select Properties, do you get a Security tab? If not, then you will need to open REGEDIT and navigate to:

HKCU\Software\Microsoft\Exchange\EXAdmin and then add the following value:

ShowSecurityPage REG_DWORD decimal value 1 (0x00000001)

Then restart the ESM, right-click on <your organisation>(Exchange) and select Properties. You will then see a Security tab. You need to let us know the permissions that have been set.

Cheers.

A



_____________________________

Andy Grogan
MSExchange.org Forums Moderator
For my general ramblings about Exchange please visit my website:
W: http://www.telnetport25.com/
B: http://telnetport25.wordpress.com/
M: manifoldmaster@gmail.com

(in reply to whoolly)
Post #: 2
RE: going back to original store permissions - 8.Oct.2007 2:20:24 PM   
whoolly

 

Posts: 8
Joined: 15.Aug.2005
From: pa
Status: offline
Okay,
I did some poking around.
It appears that me and a couple of others are in a group called Exchange Services.
If I put a test account in that group, they get the access. Otherwise it is properly denied.
Any idea what this group is for?
If I don't need it, I will kill it, or at least remove all of the users from it.
thanks.

(in reply to a.grogan)
Post #: 3
RE: going back to original store permissions - 8.Oct.2007 3:14:51 PM   
a.grogan

 

Posts: 1917
Joined: 12.Apr.2005
From: London
Status: offline
Hiya chap, as per my mail -

Hiya, I am not aware of an Exchange Services group being created by default. To be on the safe side, I would remove the accounts that concern you and then set a deny for that group on the "send as, receive as" permissions. Cheers
A



(in reply to whoolly)
Post #: 4
RE: going back to original store permissions - 10.Oct.2007 1:36:14 PM   
a.grogan

 

Posts: 1917
Joined: 12.Apr.2005
From: London
Status: offline
Ok, so from what I understand from your e-mails - your own personal account is a member of domain admins.
What I would normally recommend is that you have a normal account which does not have domain admin rights, and create a dedicated administrator account per admin - this makes auditing easier.
 
In a default install the domain admins, ent admins and the like have deny set on "Send As and Receive As" - this can be changed and often is for reasons such as EXMERGE, however in that instance I would recommend a dedicated MERGE account.
 
Cheers
A


On 10/10/2007, whoolly from MSExchange.org Forums: Exchange Server Discussions <bowser@> wrote:

I found that if I give a user domain admin rights, they can look at the email.
So I looked at the mailbox rights on my account and domain and enterprise admins have full mailbox access.
However, if I put a deny on that, I can no longer access my email since I am also a domain admin.





(in reply to whoolly)
Post #: 5
RE: going back to original store permissions - 10.Oct.2007 4:03:27 PM   
whoolly

 

Posts: 8
Joined: 15.Aug.2005
From: pa
Status: offline
We have several domain admins, so unlikely I can do something like that now.

I looked in ESM and if I right click on my server and go to properties, security tab, domain admins and enterprise admins have deny set on receive as and send as. However, if I give a test account domain admin rights, he can still get into email accounts.

Where else can I look to see what is allowing him this access?

(in reply to whoolly)
Post #: 6
RE: going back to original store permissions - 11.Oct.2007 1:34:17 PM   
a.grogan

 

Posts: 1917
Joined: 12.Apr.2005
From: London
Status: offline
It's possible that inheritance is not being observed. On the mailboxes that the test account can access, what are the security permissions for domain admins? (You will need to check this in ADUC with the Advanced Features turned on from the View menu.)

Cheers

A


(in reply to whoolly)
Post #: 7
RE: going back to original store permissions - 11.Oct.2007 1:51:17 PM   
whoolly

 

Posts: 8
Joined: 15.Aug.2005
From: pa
Status: offline
I looked at my account and domain admins has full mailbox access.
However, if I deny that, then I can no longer get into my email.
There is no receive or deny in the mailbox rights in ADUC so I think the changes have to be made on the mailboxes.
I noticed on the mailbox store, domain admins do NOT have the deny on.
If I put that on, will me and the other domain admins be able to access our email?

(in reply to whoolly)
Post #: 8
RE: going back to original store permissions - 11.Oct.2007 2:22:04 PM   
a.grogan

 

Posts: 1917
Joined: 12.Apr.2005
From: London
Status: offline
That's correct, a deny will overrule an allow; this is why I suggested the separate accounts.

Cheers

A


(in reply to whoolly)
Post #: 9
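
The deny-overrides-allow behaviour this thread keeps running into, as an added example that is not part of any forum post: a simplified Python model of Windows DACL evaluation in canonical order, showing why a deny on Domain Admins locks out an owner who reads mail with an admin account but not one using a separate mailbox account. The account names and right labels are constructed, and Exchange 2003 store specifics are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str                # "deny" or "allow"
    trustee: str             # user or group name, standing in for a SID
    rights: frozenset
    inherited: bool = False

def canonical(dacl):
    # Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, dacl, wanted):
    # A matching deny on a still-ungranted right fails; matching allows accumulate.
    remaining = set(wanted)
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return False             # no ACE granted it: implicit deny

FULL, RECV = frozenset({"FullMailboxAccess"}), frozenset({"ReceiveAs"})
# Constructed tokens: the mailbox owner as a domain admin, as a separate non-admin account, and another admin.
ALICE_ADMIN = {"alice", "Domain Admins"}
ALICE_MAIL = {"alice"}
OTHER_ADMIN = {"testadmin", "Domain Admins"}

def scenarios():
    as_found = [Ace("allow", "alice", FULL), Ace("allow", "Domain Admins", FULL)]
    with_deny = as_found + [Ace("deny", "Domain Admins", FULL)]
    # General DACL behaviour, not a diagnosis of this server: explicit allow precedes inherited deny.
    mixed = [Ace("deny", "Domain Admins", RECV, inherited=True),
             Ace("allow", "Domain Admins", RECV)]
    return {
        "other admin, as found": access_check(OTHER_ADMIN, as_found, FULL),
        "other admin, deny added": access_check(OTHER_ADMIN, with_deny, FULL),
        "owner as admin, deny added": access_check(ALICE_ADMIN, with_deny, FULL),
        "owner on separate account, deny added": access_check(ALICE_MAIL, with_deny, FULL),
        "explicit allow vs inherited deny": access_check(OTHER_ADMIN, mixed, RECV),
    }

if __name__ == "__main__":
    print(scenarios())
```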
