What permission gives ability to grant full mailbox access

  • Question

  • Hi, our Help Desk group in AD has rights to grant a customer access to another person's mailbox; however, after checking all groups they are a member of with a test account, I cannot locate where this permission is coming from.

    Could you please advise where I should be looking to prevent this as we do not want them to have this high level of access.

    What would be the cmdlet on the management shell to remove this? And what is the cmdlet for me to verify a user's effective permissions?

    We are using Exchange 2007.

    Thank you

    Wednesday, March 30, 2011 10:51 PM

Answers

  • Thanks for responding Jerome.

    What I am actually after though is NOT how to view, grant or remove this access but more to stop someone from being able to grant this permission in the first place.

    For example, our Help Desk all have the ability to give themselves or another person full access to someone else's mailbox, along with changing the Send As permissions. Obviously, in a large organisation where there are 45 Help Desk staff, this is a possible security risk.

    So when I go to the Security tab and go to the Effective Permissions, a whole big list of objects comes up, but we do not know which one controls the Mailbox Rights object under the Exchange Advanced tab of a user's Property window.

    Perhaps it is not even here that I should be looking, that is the problem, I cannot tell where they are getting this access from.

    Anyway, if you can assist here, that would be greatly appreciated.

    Thanks

    Donna

     

    • Marked as answer by DLIAG Monday, August 29, 2011 3:41 AM
    Monday, April 4, 2011 3:58 AM

All replies

  • Hi,

     

    “What would be the cmdlet on the management shell to remove this?”

    This example will remove user Test2's full access rights to user Test1's mailbox.

    Remove-MailboxPermission -Identity Test1 -User Test2 -AccessRights FullAccess -InheritanceType All

     

    “And what is the cmdlet for me to verify a user’s effective permissions.”

    You could run this command to view the permission.

    Get-MailboxPermission "test1"

    Or Get-MailboxPermission "test1" | fl

     

    More information about how to allow mailbox access

    http://technet.microsoft.com/en-us/library/aa996343(EXCHG.80).aspx

     

    Remove-MailboxPermission

    http://technet.microsoft.com/en-us/library/bb125153(EXCHG.80).aspx


    • Proposed as answer by Jerome Xiong Monday, April 4, 2011 3:15 AM
    Monday, April 4, 2011 3:15 AM
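
Added example, not part of the original thread or of any poster's reply: extending the Get-MailboxPermission check above from one mailbox to all of them, this Exchange Management Shell script lists every explicit FullAccess grant so unexpected grantees can be reviewed. The output file name is an assumption.

```powershell
# Added example: audit explicit FullAccess grants across all mailboxes.
# Assumptions: run from the Exchange Management Shell by an account that can
# read mailbox permissions; .\FullAccessGrants.csv is a placeholder path.

$report = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        # Keep only allow entries that include FullAccess ...
        (([string]$_.AccessRights) -like '*FullAccess*') -and
        (-not $_.Deny) -and
        # ... that were set on the mailbox itself rather than inherited
        # from a parent object ...
        (-not $_.IsInherited) -and
        # ... and that are not the mailbox owner's own entry.
        ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
    } |
    Select-Object `
        @{Name = 'Mailbox'; Expression = { $_.Identity.ToString() }},
        @{Name = 'Grantee'; Expression = { $_.User.ToString() }},
        @{Name = 'Rights';  Expression = { [string]$_.AccessRights }}

# Grantees holding FullAccess on the most mailboxes are listed first.
$report |
    Group-Object Grantee |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Keep a dated record so a later run can be compared against it.
$report | Export-Csv -Path .\FullAccessGrants.csv -NoTypeInformation
```

Removing the `IsInherited` filter also shows the entries that mailboxes inherit from parent objects, which is useful when a grant does not appear on the mailbox itself.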