Establishing Parent in Active Directory

Associate
Joined
28 Nov 2002
Posts
766
Location
Down the road
I have a number of users in an Exchange server environment, all of which have permission problems (i.e. 'everyone' has full control). The problem is, the check boxes for the permissions are greyed out and are inaccessible because they are being inherited from their parent.
My problem is (dull as this may sound), I do not know who the parent is why the permissions are propagating.

Is there any easy way in Active Directory or Exchange itself to trace where these properties are being set and correct these issues?

Tar!
 
Associate
Joined
16 Jan 2006
Posts
655
Location
Surrey
You need to check the parent OUs (the ones above the user accounts in the directory tree). You'll be able to find out where the permission is set; it may even be at the domain level.

Be careful though before modifying anything, you could end up having a real bad day.
 
Associate
OP
Joined
28 Nov 2002
Posts
766
Location
Down the road
mr.bond said:
Be careful though before modifying anything, you could end up having a real bad day.

That's my fear!
At the moment though *every* user has full access and control over everyone else's mailboxes and it obviously needs to be tightened up. Thing is, I have no training in Exchange (typical for my place of work) so don't really appreciate the chaos I can cause with a single checkbox! :D

Is there a paper/guide/tutorial on permissions for Exchange mailboxes, what they will affect and the best practices?
 
Associate
Joined
16 Jan 2006
Posts
655
Location
Surrey
Spider said:
For the active directory permissions, but there isn't one for the exchange mailbox rights.

That one's just sunk in, you are on a server/workstation with the Exchange client tools/snap-ins installed, aren't you?
 
Associate
Joined
20 Oct 2002
Posts
1,968
Location
Nottingham
Sorry for the late reply, been very busy with work.

If the permissions are greyed out in Mailbox rights then they have indeed been inherited from a parent.

This could be one of a number of places....

1) The Mailbox Store the user is in
2) The Storage Group the user is in
3) The Exchange server the user is on
4) The Exchange Organisation
5) Above the Exchange Organisation

Numbers 1,2 and 3 can be checked via properties using Exchange System Manager (ESM).

Number 4 can be checked via properties using Exchange System Manager (ESM) only after you have made a reg key change.

This can be done on the PC / Server you are running ESM on by following this....

1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin subkey.
3. From the Edit menu, select New and click DWORD Value.
4. Enter a name of ShowSecurityPage and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Close the registry editor.

Number 5 can only be accessed via ADSIEdit and I'm not going to tell you anything on that as I very much doubt it will have been set here and the damage you could cause here is massive.

On a standard Exchange install you would have certain permissions assigned to the Everyone group at the Exchange Organisation level although this won't include rights such as Full Mailbox access. Any permissions below that level i.e. numbers 1,2 and 3 you could fairly safely remove them.

At the Exchange Organisation level you need to be more careful and make sure you know what the defaults are.

Hope that helps.
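
A read-only way to trace the question asked at the top of the thread, added here as an example and not part of any poster's reply: starting from the mailbox store of one affected user, walk up the containers listed in the post above and report every place where an ACE for Everyone is set directly rather than inherited. It assumes PowerShell 3 or later on a domain-joined machine, an account that can read the Configuration partition, and a mailbox-enabled user whose `homeMDB` attribute is populated; the parameter name `UserDn` is made up for this sketch.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# -UserDn is the distinguished name of one affected, mailbox-enabled account.
param(
    [Parameter(Mandatory = $true)]
    [string] $UserDn
)

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, locale independent
$sidType     = [System.Security.Principal.SecurityIdentifier]

# homeMDB holds the DN of the mailbox store that hosts the user's mailbox.
$user    = [ADSI]"LDAP://$UserDn"
$storeDn = [string]$user.psbase.Properties['homeMDB'].Value
if (-not $storeDn) { throw "No homeMDB attribute on $UserDn" }

$entry = [ADSI]"LDAP://$storeDn"
while ($true) {
    $dn = [string]$entry.psbase.Properties['distinguishedName'].Value

    # includeExplicit = $true, includeInherited = $false:
    # only ACEs set directly on this object, i.e. where inheritance starts.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $everyoneSid) {
            [pscustomobject]@{
                SetOn      = $dn
                Type       = $rule.AccessControlType
                Rights     = $rule.ActiveDirectoryRights
                ObjectType = $rule.ObjectType      # GUID of an extended right, if any
                AppliesTo  = $rule.InheritanceType
            }
        }
    }

    # Stop at the top of the Configuration partition.
    if ($dn -like 'CN=Configuration,*') { break }
    $entry = $entry.psbase.Parent
}
```

Each output row names one container (store, storage group, server, organisation or higher) where the Everyone entry originates, which is the object whose security page needs reviewing against the defaults before anything is removed.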
 