Full mailbox access removed, however user is still able to access mailbox!

  • Question

  • Hi

    We are using Exchange 2007, and previously user A was given full mailbox access to user B's mailbox.

    I have removed user A's full mailbox access from user B's mailbox. However, when I check user A's Outlook 2003 client, I can still access / expand user B's mailbox. I have restarted the Outlook client several times.

    When I run the command Get-MailboxPermission -identity "User B", it shows the following reference to User A:

    hostname.com/Ac... domain\User   A     {DeleteItem}

    I have tried this command and it didn't work:

    Remove-MailboxPermission "User B" -AccessRights FullAccess -user "User A"

    I restarted the information store. This didn't work either.

    Why is User A able to access User B's mailbox when I removed them from the console and command line?!

    Thursday, November 15, 2012 5:18 PM

Answers

  • Hi

    I have identified what has happened.

    User A was added as Editor to User B mailbox on Outlook.

    By right-clicking User B's mailbox in the folder list in Outlook 2003 and clicking Properties, then Permissions, I identified that User A was sitting there as an editor. I removed this permission and it worked! User A can no longer access User B's mailbox.

    This can explain why the user wasn't able to do this in OWA, the permissions were not on the server side but client side.

    Surely this is a security loophole, and why cannot this type of issue be traced via the Get-loginstats or appear in any logs. Surely as an administrator you should be able to see who is accessing what?

    • Proposed as answer by cara chen Tuesday, November 27, 2012 8:55 AM
    • Marked as answer by cara chen Wednesday, November 28, 2012 8:38 AM
    Friday, November 16, 2012 2:30 PM
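The answer above turns on two separate permission layers: the mailbox-level ACL that `Get-MailboxPermission` / `Remove-MailboxPermission` work on, and the per-folder permissions set from Outlook's Permissions tab. The following audit script is an added example, not part of the original thread; it assumes an Exchange Management Shell that provides `Get-MailboxFolderPermission` (Exchange 2010 and later, not the poster's Exchange 2007 shell), and the mailbox names are the thread's placeholders.

```powershell
# Added example: list every grant a delegate still holds on a mailbox, at both layers.
# Assumes Exchange Management Shell 2010 or later; 'User A' / 'User B' are placeholders.
param(
    [string]$Mailbox  = 'User B',   # mailbox being audited
    [string]$Delegate = 'User A'    # account whose access should be gone
)

$findings = @()

# Layer 1: mailbox-level ACL, the one Remove-MailboxPermission edits.
$findings += @(Get-MailboxPermission -Identity $Mailbox -User $Delegate |
    Where-Object { -not $_.Deny } |
    Select-Object @{n='Layer';  e={'Mailbox'}},
                  @{n='Folder'; e={'(whole mailbox)'}},
                  AccessRights)

# Layer 2: per-folder ACLs, the ones Outlook's Properties > Permissions tab edits.
$alias = (Get-Mailbox -Identity $Mailbox).Alias
$paths = @('\')   # mailbox root: the node right-clicked in Outlook's folder list
$paths += @(Get-MailboxFolderStatistics -Identity $Mailbox |
    Where-Object { $_.FolderPath -ne '/Top of Information Store' } |  # root added above (English name)
    ForEach-Object { $_.FolderPath.Replace('/', '\') })

foreach ($path in $paths) {
    # With -User the cmdlet raises an error when the delegate has no entry on a folder;
    # that is the expected "clean" case, so it is suppressed here.
    $findings += @(Get-MailboxFolderPermission -Identity "${alias}:$path" -User $Delegate `
                       -ErrorAction SilentlyContinue |
        Select-Object @{n='Layer';  e={'Folder'}},
                      @{n='Folder'; e={$path}},
                      AccessRights)
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No mailbox-level or folder-level grant found for $Delegate on $Mailbox." }
```

A row with Layer `Folder` and no row with Layer `Mailbox` is the situation described in this thread: the mailbox-level grant is gone but a folder-level role such as Editor remains.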

All replies

  • Other than the full mailbox access permissions propagated for UserA on UserB's mailbox, did you add UserA to the security tab with full access permissions propagated? What other permissions does UserA have on UserB's mailbox? Have you checked "Receive As"?

    Also check the security tab on UserB and see if you have UserA with Full Control.

    Are you able to reproduce the issue on OWA?


    M.P.K ~ ( Exchange | 2003/2007/2010/E15(2013)) ~~ Please remember to click “Vote As Helpful" if it really helps and "Mark as Answer” if it answers your question, “Unmark as Answer” if a marked post does not actually answer your question. ~~ This Information is provided is "AS IS" and confers NO Rights!!

    Thursday, November 15, 2012 7:10 PM
  • Thanks for your reply

    "security tab with full access permissions propagated"

    We are using the Exchange 2007 management console, and are not aware of the security tab. Please advise.

    I have checked Active Directory Users and Computers against the User B object, and under the security tab there is no reference to User A whatsoever.

    I have also logged into another PC with User A's Windows login details, and was also able to open User B's mailbox... so it is not PC specific.

    However, in OWA, when I log in with User A's details and try to open User B's mailbox, it states

    "You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization. "

    So I do not know what the hell is going on! I'm concerned this is some kind of security loophole!

    Friday, November 16, 2012 9:41 AM
  • In addition to this, when I run the command below, it doesn't even show that User A is connected to User B's mailbox.

    However on User A Outlook 2003 client , the Mailbox to User B is open !!!

    get-logonstatistics -id "User A" | fl

    Something weird is going on, and it is driving me insane!

    Friday, November 16, 2012 9:52 AM
  • I have a few questions:

    1. Is UserA only able to access UserB's mailbox, or all other users' mailboxes as well?

    2. Who is this UserA? Is this user some kind of high-priority user?

    3. Get-MailboxPermission -User UserA -Identity UserB | Ft -Autosize -wrap

    4. Get-ADPermission -User UserA | Ft -Autosize -wrap

    5. Can you check in ADSI Edit whether the permissions for UserA are hardcoded on the Database/Server/Exchange Organization object or something like that?

    6. Also, what groups is UserA a member of? Check the group membership and compare it between this user (UserA, with which we are able to reproduce the issue) and another user (who can't open UserB's mailbox), and check whether there is any group which has permissions added and which has UserA as a member!



    Friday, November 16, 2012 10:55 AM
  • Hello,

    I think an administrator can limit which operations a user may perform, but an administrator can hardly monitor a user's actions.


    Cara Chen

    TechNet Community Support

    Tuesday, November 27, 2012 8:54 AM