Exchange 2007 - My AD account has Full Access Permissions for all Mailboxes, Why?

    Question

  • Hi

    I have a problem at the moment whereby my Windows AD account has full access permissions across all mailboxes on our Exchange 2007 mailbox servers. I used this account to build the servers, but I don't understand why my account would have full access permissions. I have been asked to remove these permissions by my Manager, but I can not see where these permissions are being inherited from.

    I have checked in the Exchange Management console, the legacy Exchange System Manager tool, ADUC and ADSI Edit, yet I can not see where these permissions are coming from.

    Has anyone got any ideas where else I can look, to remove these permissions?

    Regards

    Richard

    Wednesday, March 16, 2011 9:24 AM

All replies

  • Check the groups your account is a member of. I think Exchange Domain Servers gives the same access. I have a note here that says to check that, but I haven't tested it myself.

    How are you testing whether the permissions have gone? Are you actually seeing the "Full Mailbox" permission, or just seeing if you can access any mailbox?
    If the latter, remember that Exchange caches permissions, so any change can take two hours to be fully effective.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Thursday, March 17, 2011 12:13 AM
  • Thanks for the reply.

    I have checked to see the groups my account is a member of and it is not a member of the Exchange Domain Servers group.

    The permissions themselves do not grant me access to the mailboxes because I must have a deny permission somewhere.

    I can remove the full access permissions on a per mailbox basis, but when new mailboxes are created the permission is set again so it must be inheriting from somewhere. The Full Access permissions are set regardless of mailbox store, Storage group or mailbox server, so it is being inherited from quite high up the Organisation tree.

    Any other thoughts?

    Thursday, March 17, 2011 11:14 AM
  • Hi,

    Could you please try this command?

    Get-MailboxPermission -Identity "your account" | fl

    Find the permissions whose "IsInherited" attribute is true.

    Then run this command to remove the permission:

    Remove-MailboxPermission -Identity "youraccount" -AccessRights FullAccess -InheritanceType All

    More information about these cmdlets:

    Add-MailboxPermission

    http://technet.microsoft.com/en-au/library/bb124097(EXCHG.80).aspx

    Get-MailboxPermission

    http://technet.microsoft.com/en-au/library/aa998218(EXCHG.80).aspx

    Remove-MailboxPermission

    http://technet.microsoft.com/en-au/library/bb125153(EXCHG.80).aspx

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Frank.Wang Monday, April 11, 2011 3:30 AM
    Friday, March 18, 2011 3:03 AM
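    An audit script, added here as an example and not part of any post in this thread, that does what the replies above describe but across the whole organization: it lists the account's Full Access entries on every mailbox with their IsInherited and Deny flags, then checks the organization, mailbox server and mailbox database objects for the non-inherited entry those mailbox ACEs are inherited from. It assumes the Exchange Management Shell on Exchange 2007 and a placeholder account name, CONTOSO\richard.

```powershell
# Added example, not from any post in this thread: audit where a trustee's
# Full Access mailbox rights come from in Exchange 2007. Run it in the
# Exchange Management Shell. CONTOSO\richard is a placeholder account name.
$Trustee = 'CONTOSO\richard'

# 1. Per-mailbox view. IsInherited = $true means the ACE is not stored on
#    the mailbox itself, which is why removing it per mailbox does not stick
#    and why newly created mailboxes get it again.
$MailboxAces = @(Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Trustee |
    Where-Object { $_.AccessRights -contains 'FullAccess' } |
    Select-Object Identity, AccessRights, IsInherited, Deny)

"FullAccess entries for ${Trustee}: $($MailboxAces.Count)"
"  inherited: $(@($MailboxAces | Where-Object { $_.IsInherited }).Count)"
"  deny:      $(@($MailboxAces | Where-Object { $_.Deny }).Count)"
# Any Deny entry explains why the rights show up but do not grant access.
$MailboxAces | Where-Object { $_.Deny } | Format-Table -AutoSize

# 2. Walk the containers that mailboxes inherit from: the organization,
#    each mailbox server and each mailbox database. A non-inherited ACE
#    granting GenericAll or the Receive-As extended right at one of these
#    levels is the source, and that object (not the individual mailboxes)
#    is where the entry has to be removed.
$Containers = @(Get-OrganizationConfig) + @(Get-MailboxServer) + @(Get-MailboxDatabase)
foreach ($c in $Containers) {
    Get-ADPermission -Identity $c.Identity -User $Trustee -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.IsInherited -and
            ($_.AccessRights -contains 'GenericAll' -or $_.ExtendedRights -match 'Receive-As')
        } |
        ForEach-Object {
            "{0,-45} Deny={1} Rights={2} Extended={3}" -f $c.Identity, $_.Deny,
                ($_.AccessRights -join ','), ($_.ExtendedRights -join ',')
        }
}
```

    Run the second part again after any removal; as noted earlier in the thread, cached permissions can take some time before Get-MailboxPermission reflects the change on existing mailboxes.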
  • Sorry, but I'm not sure I understand what positive effect there is by running these cmdlets.

    I know how to look at the permissions on my account and I know how to remove all inherited permissions, but how is that then going to ensure my Full Access permissions across all Mailboxes are removed?

    Monday, March 21, 2011 11:21 AM
  • A simple method is to test if you can send email on behalf of the user.

    Or you could try to modify his shared calendar permission.


    Thursday, March 24, 2011 4:36 AM