Enable-Mailbox and Mailbox Permissions

  • Question

  • When I do enable-mailbox, I notice that only NT Authority\Self is granted full access to the mailbox.  However, when I enable a mailbox through the EMC, I see

    • NT Authority\SELF
    • NT Authority\SYSTEM
    • DOMAIN\Exchange Domain Servers
    • DOMAIN\Exchange Servers
    • DOMAIN\Exchange Trusted Subsystem

    In addition, if I do get-mailboxpermission on a mailbox created by the EMC, I see tons of permission entries, whereas I only see one, which is the full access entry for NT Authority\SELF, when the mailbox is enabled via enable-mailbox.

    Is this normal?  What's the default permission a mailbox should have when it's first created?

    Friday, September 16, 2011 4:07 PM

Answers

  • On Fri, 16 Sep 2011 16:07:10 +0000, techie0329 wrote:
     
    >
    >
    >When I do enable-mailbox, I notice that only NT Authority\Self is granted full access to the mailbox. However, when I enable a mailbox through the EMC, I see NT Authority\SELF NT Authority\SYSTEM DOMAIN\Exchange Domain Servers DOMAIN\Exchange Servers DOMAIN\Exchange Trusted Subsystem
    >
    >In addition, if I do get-mailboxpermission on a mailbox created by the EMC, I see tons of permission entries, whereas I only see one, which is the full access entry for NT Authority\SELF, when the mailbox is enabled via enable-mailbox.
    >
    >Is this normal? What's the default permission a mailbox should have when it's first created?
     
    On a newly created mailbox the only permission is "SELF" (or, at least,
    that's the only required permission). That's because the mailbox doesn't
    yet exist so the information store hasn't added any permissions to the
    AD object. When the mailbox is vivified by the information store upon
    its first use, the IS adds its permission set to the mailbox and to
    the AD object resulting in all those other permissions you see.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, September 16, 2011 7:35 PM
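
An added example, not part of the thread and not Microsoft's code: a helper that classifies the entries `Get-MailboxPermission` returns, so the same mailbox can be checked right after `Enable-Mailbox` and again after its first use, as the answer above describes. `Get-MailboxAclSummary` is a hypothetical name, the sample entries (including `DOMAIN\helpdesk1`) are constructed, and the code assumes only the `User`, `AccessRights`, `IsInherited` and `Deny` properties of the cmdlet's output.

```powershell
# Added example. Get-MailboxAclSummary is a hypothetical helper, not an Exchange cmdlet.
# It expects objects shaped like Get-MailboxPermission output
# (User, AccessRights, IsInherited, Deny).
function Get-MailboxAclSummary {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [psobject]$Entry
    )
    process {
        $user   = "$($Entry.User)"
        $rights = @($Entry.AccessRights) -join ','

        # Inherited entries come from a parent object; SELF is the owner's own entry.
        if ($Entry.IsInherited)                  { $class = 'Inherited' }
        elseif ($user -ieq 'NT AUTHORITY\SELF')  { $class = 'Self' }
        else                                     { $class = 'Explicit' }

        # Flag explicit allow-FullAccess grants to anyone other than the owner.
        $review = ($class -eq 'Explicit') -and (-not $Entry.Deny) -and
                  ($rights -match '\bFullAccess\b')

        New-Object psobject -Property @{
            User = $user; Rights = $rights; Class = $class; Review = $review
        } | Select-Object User, Rights, Class, Review
    }
}

# Constructed sample entries. On an Exchange server, use instead:
#   Get-MailboxPermission -Identity <mailbox> | Get-MailboxAclSummary
$sample = @(
    (New-Object psobject -Property @{ User = 'NT AUTHORITY\SELF'
        AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }),
    (New-Object psobject -Property @{ User = 'DOMAIN\Exchange Servers'
        AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }),
    (New-Object psobject -Property @{ User = 'DOMAIN\Exchange Trusted Subsystem'
        AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }),
    (New-Object psobject -Property @{ User = 'DOMAIN\helpdesk1'   # constructed account
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false })
)

# Only the explicit, non-owner FullAccess grant ends up with Review = True.
$sample | Get-MailboxAclSummary | Format-Table -AutoSize
```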

All replies

  • Both are consistent for me using EMC or shell. Did you make sure you logged into the account first and then checked the permissions?

    I get the following defaults for mailbox permissions when using emc or shell.

    exchange services

    self

    Exchange server1

    Exchange server2


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, September 16, 2011 6:29 PM
  • Hmm, no, I did not log into the account first.  I didn't think that would make a difference but I will give it a shot.
    Friday, September 16, 2011 6:35 PM