1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Establishing Parent in Active Directory

Discussion in 'Windows & Other Software' started by Spider, 30 May 2006.

  1. Spider

    Hitman

    Joined: 28 Nov 2002

    Posts: 766

    Location: Down the road

    I have a number of users in an exchange server enviroment all of which have permission problems (i.e. 'everyone' has full control). The problem is, the check boxes for the permissions are greyed out and are inaccessible because they are being inheirted from their parent.
    My problem is (dull as this may sound), I do not know who the parent is why the permissions are propigating.

    Is there any easy way in Active Directory or Exchange itself to trace where these properties are being set and correct these issues?

    Tar!
     
  2. ^^Gord^^

    Wise Guy

    Joined: 20 Oct 2002

    Posts: 1,966

    Location: Nottingham

    Are these the security permissions on the AD users or the mailbox rights?
     
  3. Spider

    Hitman

    Joined: 28 Nov 2002

    Posts: 766

    Location: Down the road

    Sorry, should have clarified They are the permissions for the mailbox rights
     
  4. bigdunc

    Hitman

    Joined: 30 May 2004

    Posts: 608

    Location: Uk

    If I remember rightly, in the advanced section > permissions, their is an option to change the propogated rights.
     
  5. Spider

    Hitman

    Joined: 28 Nov 2002

    Posts: 766

    Location: Down the road

    For the active directory permissions, but there isn't one for the exchange mailbox rights.
     
  6. mr.bond

    Hitman

    Joined: 16 Jan 2006

    Posts: 637

    Location: Surrey

    You need to check the parent OU's. (The ones above the user accounts in the directory tree) You'll be able to find out where the permission is set, it's maybe at even the domain level.

    Be careful though before modifying anything, you could end up having a real bad day.
     
  7. Spider

    Hitman

    Joined: 28 Nov 2002

    Posts: 766

    Location: Down the road

    Thats my fear!
    At the moment though *every* user has full access and control over everyone elses mailboxes and it obviously needs to be tightened up. Thing is I have no training in exchange (typical for my place of work) so dont really appreciate the chaos i can cause with a single checkbox! :D

    Is there a paper/guide/tutorial on permissions for exchange mailboxes, what they will effect and the best practices?
     
  8. mr.bond

    Hitman

    Joined: 16 Jan 2006

    Posts: 637

    Location: Surrey

  9. mr.bond

    Hitman

    Joined: 16 Jan 2006

    Posts: 637

    Location: Surrey

    That ones just sunk in, you are on a server/workstation with the exchange client tools/snap-ins installed, aren't you?
     
  10. ^^Gord^^

    Wise Guy

    Joined: 20 Oct 2002

    Posts: 1,966

    Location: Nottingham

    Sorry for the late reply, been very busy with work.

    If the permissions are greyed out in Mailbox rights then they have indeed been inherrited from a parent.

    This could be one of a number of places....

    1) The Mailbox Store the user is in
    2) The Storage Group the user is in
    3) The Exchange server the user is on
    4) The Exchange Organisation
    5) Above the Exchange Organisation

    Numbers 1,2 and 3 can be checked via properties using Exchange System Manager (ESM).

    Number 4 can be checked via properties using Exchange System Manager (ESM) only after you have made a reg key changed.

    This can be done on the PC / Server you are running ESM on by following this....

    1. Start the registry editor (regedit.exe).
    2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin subkey.
    3. From the Edit menu, select New and click DWORD Value.
    4. Enter a name of ShowSecurityPage and press Enter.
    5. Double-click the new value and set it to 1. Click OK.
    6. Close the registry editor.

    Number 5 can only be accessed via ADSIEdit and I'm not going to tell you anything on that as I very much doubt it will have been set here and the damage you could cause here is massive.

    On a standard Exchange install you would have certain permissions assigned to the Everyone group at the Exchange Organisation level although this won't include rights such as Full Mailbox access. Any permissions below that level i.e. numbers 1,2 and 3 you could fairly safely remove them.

    At the Exchange Organisation level you need to be more careful and make sure you know what the defaults are.

    Hope that helps.