I'm having a difficult/impossible time tracing down a permissions issue on an Exchange 2003 mailbox, and I was wondering if I'm missing any technical possibilities here.

The basic question is what ways are there to set a user's permissions to access a mailbox in Exchange 2003? I know of two. Permissions on the mailbox itself (Mailbox Rights) and having delegated rights. And then, if it's possible, how would one view all the permissions (including delegated permissions) on the mailbox?

The situation is that a new user who's been set up "exactly like all the others" in his department (pretty sure he was copied via the right click option in ADUC, in fact) can't access a specific shared mailbox, which I've been assured about a dozen other people do have access to and access on a regular basis. As to how they got permissions to the mailbox, no one knows, so it must have been granted by a white wizard whose spell has since worn off, so now IT has to handle it instead.

Anyway...

This mailbox is a normal AD user, created as a service account, for which no one knows the password (of course), so it's probably not the case that this service account was being used to delegate permissions.

Upon examining the Mailbox Rights directly...

Mailbox Rights

Here are the permissions I see:

Permissions Table

This leads me to believe that one of two things is happening - the managers have been delegating full mailbox permissions to the rest of the department, or everyone's logging in using... not their own account. But, before I get too excited about the prospect of busting out the LART and strolling over to that department, I want to make sure I'm not missing another possible explanation. Like most of the rest of the world, I ditched Exchange 2003 at the earliest possible opportunity, and had been looking forward to never seeing it again, so I'm a bit rusty on the intricacies of how it [mostly, sort of] works.

Anyone see any other possibilities, or things I may have missed, or does the LART get to come out and play?

HopelessN00b
  • Looks to me like the managers have probably forgotten they've been granting access to other users. I suggest liberal application of LART as needed until the problem resolves itself. One workaround would be to grant yourself access to this box and hand out rights yourself. – MikeAWood Aug 30 '12 at 20:33
  • `One workaround would be to grant yourself access to this box and hand out rights yourself.` You'd think, wouldn't you? But the problem with that is that it makes too much sense, and therefore, violates corporate security policy. *sigh* It's similar to security through obscurity. Security through confusion. I don't know if it's effective against external attackers or not, but it's very effective against the IT staff. – HopelessN00b Aug 30 '12 at 20:38
  • I feel your pain, brother! The other way to do it is add that OU to the allow list for that dept. At least then they'd all have privs automagically. Though, from the looks of it, the admin already has permissions. So you might be breaking your security policy already. – MikeAWood Aug 30 '12 at 21:04

1 Answer

I'd be checking the actual mailbox permissions from Outlook. I suspect someone has been granted Owner privileges, which lets them assign further permissions to their staff / colleagues. Rather annoyingly, I haven't yet found a way to get Outlook privs to propagate down through a mailbox (if anyone knows of a way, please tell). Therefore, our IT Security clerical-types would normally assign the privs on the root of the mailbox and then on any (required) subsequent folders.

Simon Catlin
  • Right, Outlook... third way. *grumble* I'll go check that now. – HopelessN00b Aug 30 '12 at 20:35
  • Well, no evidence of that so far. Will check more tomorrow, but not looking good for this being the cause. – HopelessN00b Aug 30 '12 at 20:53
  • Turns out it was the previous admin who'd set these privileges from *his* Outlook client. So much for breaking out the `LART`, I need to make me a `FAART`. (Former Admin Attitude Readjustment Tool.) Thanks for getting me to the source of this headache! – HopelessN00b Sep 12 '12 at 14:06