Over on Reddit there’s a question about unexpected permissions appearing on mailboxes.
Exchange mailbox user objects inherit a number of permissions that are necessary for the day to day running of the Exchange Server environment. These are a mixture of permissions that Exchange Server computer accounts need, as well as the permissions for the various administrative roles.
Non-inherited permissions include those such as granting a user full access to another user’s mailbox.
However, sometimes when looking at the permissions on a mailbox an admin will notice users or groups that have permissions to the mailbox via inheritance.
Usually I find this is due to the lazy administrative approach of granting the permissions at the mailbox database level. For example, this command will grant Alan Reid full access to all mailboxes in the database DB01.
[PS] C:\>Get-MailboxDatabase DB01 | Add-ADPermission -User alan.reid -AccessRights GenericAll Identity User Deny Inherited -------- ---- ---- --------- DB01 ESPNETAlan.Reid False False
Alan can now open any of those mailboxes in DB01, any time he wants to. This might seem convenient, but it is not a very good approach from an auditing perspective. I much prefer that admins grant themselves access to mailboxes on a case by case basis, then remove them afterwards. These actions are then logged in the admin audit log and can be correlated against things like support tickets raised by the end user, or approval emails from a manager.
If you suspect this has happened in your environment you can look for non-inherited permissions at the mailbox database level, for example:
[PS] C:\>Get-MailboxDatabase DB01 | Get-ADPermission | Where {$_.IsInherited -eq $false} Identity User Deny Inherited -------- ---- ---- --------- DB01 ESPNETAlan.Reid False False
Removing the permissions is easy as well.
[PS] C:\>Get-MailboxDatabase DB01 | Remove-ADPermission -User alan.reid -AccessRights GenericAll
An account in our environment has full access rights to all the mailboxes in every database on our servers. It appears they are being inherited from the Enterprise Admins group which of course has full access rights at the root level. Is there a way to remove the full access rights in exchange AND prevent these rights from being applied to this user for all future mailboxes?
How can i view specific Mailbox Database Full access and SendAs permissions in PS exchange 2010.
Hello Paul,
Does the command on giving full access to all mailboxes will also automap all the mailboxes into this user’s Outlook?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
No.
Thanks heaps!
Paul,
Is there a way this can be completed for all mailboxes in the org, and for multiple abandoned SIDs per mailbox? We have fixed the issue when new mailboxes are created, but wanting a way to cleanup all the 2800+ mailboxes without having to touch each one twice.
-Jeff
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
The examples above are for permissions on a mailbox database. Once the permissions are removed from the database as shown, they no longer inherit to all the mailboxes in that database.
So you don’t need to “touch” every mailbox, just the databases.
Hi Paul,
I realise this is a somewhat older post at this point but I did have a question related to the inheritance at the database level, I see that some of the permissions in that database have also been inherited from some higher level container. What container exists above the database that these permissions are being applied from?
Is there a good resource for the Exchange 2010 inheritance hierarchy?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You can see it in ADSIEdit by opening the Configuration partition.
Ah, of course. Thanks for pointing out the obvious. Cheers!