Exchange Server 2003 - Mailbox Rights

[ArchAngel777]

I have a problem with the mailbox rights for Echange Server 2003. I go to the properties of the user in "Active Directory - users and computers" and then select "Exchange Advanced" and then click on "Mailbox Rights". Here is where I am suppose to be able to set the rights for a specific mailbox. However, out of all the groups I have selected I cannot modify the rights of any of them, save for "self" rights. The rest are greyed out. I get a message stating the following when I try and remove certain people from the security list. The message is:

You cannot remove "ANONYMOUS LOGON" because this object is inheriting permissions from its parent. To remove "ANONYMOUS LOGON," you must prevent this object from inheriting permissions. Turn off the option for inherity permissions, and then try removing "ANONYMOUS LOGON" again.

However, I am not sure what the parent of the mailbox is... Perhaps someone more knowledgable than myself can explain to me the reason and what I can do to remedy this process.

Thanks for any information that you may have on the issue.

Gabriel

 

[Rapidskies]

There are a minimum set of permissions needed on a mailbox for Exchange to work properly. I would leave these permissions alone as they apply to the "Mailbox Rights" not that other users can read that users email. More info here http://support.microsoft.com/default.aspx?scid=kb;en-us;328229

 

[ArchAngel777]

Thanks for the link and information. But, if that does not affect the ability to open another users mailbox, then what does? From what I can tell, it does affect that ability.

To give you an example, a non adminstration of the domain has permission to open up another users mailbox as if it was their own. They simply right click on their Exchange Mailbox within outlook and go to properties, then advanced, and then advanced again and "add mailbox". This then allows them to view the mailbox of that specific person and grants them full access to it. And just to be sure, I made sure that those users were not sharing out their mailbox. They were not.

Any ideas on how to tight security on that?

Thanks.

 

[Variable D]

By default you cannot do what your talking about it seems. Even domain admins cannot.
I was curious and tried it myself, as I am a domain admin on a default installation of Exchange 2003. I can add the mailboxes but cannot view contents. I get a permissions denial error message.
I found this Link which makes sense. I wonder if you have the registry edit it talks about? I will keep digging when i get a chance. It is useful knowledge.

V

 

[ArchAngel777]

Thanks for the responce. Yes, I was aware that this should not be accessable. I ran ExMerge Util though a while back, which I believe lost permissions with Active Directory.

Let me see if I can explain better this better. I know where to go to fix the rights, but I am unable to do so. Because it will not let me change the rights because some parent object is passing them down. The only problem... Where in the world is the parent object? No one seems to be able to answer that question. Unless, the parent container does not exist and is the result of the ExMerge util dropping the rights on the mailbox storage.

Nothing pisses me off more than not knowing why I cannot remove the "everyone" and "anonymous" group from them mailbox rights or mailbox storage because Active Directory tells me that I canont do it because it is shared on a higher level. But no one knows the higher level!!!

Exchange 2003 is a product that I believe works well, but still has a ways to go. Encountered several bugs with the system and having it not do things that it should be doing.

Thanks for the information... I am still searching the web for these answers myself.

Edit---

I found the information from the link you provided as to grant access to the hiddent security tab (which is the parent I was looking for!) So one problem fixed... However, my admin rights are set to deny on "send as" and "recieve as" which makes me wonder... Why can I open a users mailbox and read their mail? This should not be an option based on my security settings.

 

[nweaver]

check adsiedit (think that's the right one, been a while) to check for the tree and find the paren objects. Use the Exchange System Manager, and check the mail store rights (that might be the parent holding the permissions).

If all else fails, restore back to before the exmerge utility, and before you run things like that TEST TEST TEST TEST. An admin's time is well worth the MSDN license and a few servers so they don't have to crash/destroy/"oops" the production machines.

 

[ArchAngel777]

I would agree with you completely. I wish I had the resouces for that, but they are not at my disposal. I have to work on a live server, so my changes have to well thought out before I do anything serious to them. It makes it difficult to manage, but being under the gun is a good experience. Never hurts to have to much experience.

Anyway, the parent object I have found and the security rights are set properly, yet these users have full access to another users mailbox.

 

[ArchAngel777]

Figured out the problem. Somehow the "everyone" group was given "send as" & "receive as" rights to the private mailbox storage. This would then allow them to freely open up anyone's mailbox and use it as if it were their own.

Not entirely sure how the everyone group was granted access for that. but I suspect it had to do with the storage recovery group I ran exmerge back into their mailbox when we upgraded their server hard drives.

Thanks for the input on these forums, it was much appreciated.