Exchange 2000 Mailbox Store Minimum Permission Settings

Hi Everyone,

I have just discovered that any user in my domain can simply add
another user's account to the "Additional Mailboxes" section of Outlook
and gain full access to the inbox.  In AD, all the permission settings
look ok.  I believe the problem lies in the permission settings of the
Mailbox Store.  I see that the "Everyone" group has Full access.  Since
I did not set this machine up, I'm guessing that this was done during
the install and never set back correctly.

My question is, which user/group needs to be set in the Mailbox Store
properties for Exchange to run?  I downloaded the Microsoft whitepaper
and saw this:

########### Start Excerpt ########
If you modify the default permissions on Microsoft=AE Exchange Server
2003 mailbox stores and public folder stores, make sure you maintain
the following minimum permissions:
=B7	Administrators group   Full Control
=B7	Authenticated Users group   Read and Execute, List Folder Contents,
and Read
=B7	Creator Owner   None
=B7	Server Operators group   Modify, Read and Execute, List Folder
Contents, Read, and Write
=B7	System account   Full Control
########### End Excerpt ########

However, I can't find the Server Operators group on my machine.  Also,
it seems that's for Exchange 2003.  Is there a difference?  Can anyone
help?

0
10/12/2005 7:06:37 PM
exchange.admin 57650 articles. 2 followers. Follow

2 Replies
348 Views

Similar Articles

[PageSpeed] 3

In article <1129143997.235045.50050@z14g2000cwz.googlegroups.com>,
 "squarekid888" <squarekid888@gmail.com> wrote:

> Hi Everyone,
> 
> I have just discovered that any user in my domain can simply add
> another user's account to the "Additional Mailboxes" section of Outlook
> and gain full access to the inbox.  In AD, all the permission settings
> look ok.  I believe the problem lies in the permission settings of the
> Mailbox Store.  I see that the "Everyone" group has Full access.  Since
> I did not set this machine up, I'm guessing that this was done during
> the install and never set back correctly.

Everyone shouldn't have Full Control on the mailbox databases.

> My question is, which user/group needs to be set in the Mailbox Store
> properties for Exchange to run?  I downloaded the Microsoft whitepaper
> and saw this:
> 
> ########### Start Excerpt ########
> If you modify the default permissions on Microsoft� Exchange Server
> 2003 mailbox stores and public folder stores, make sure you maintain
> the following minimum permissions:
> �	Administrators group   Full Control
> �	Authenticated Users group   Read and Execute, List Folder Contents,
> and Read
> �	Creator Owner   None
> �	Server Operators group   Modify, Read and Execute, List Folder
> Contents, Read, and Write
> �	System account   Full Control
> ########### End Excerpt ########
> 
> However, I can't find the Server Operators group on my machine.  

See 
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/S
erverHelp/1631acad-ef34-4f77-9c2e-94a62f8846cf.mspx>. Server Operators 
is in the "Builtin" container, and it doesn't have any members by 
default.

> Also, it seems that's for Exchange 2003.  Is there a difference?  Can
> anyone help?

These permissions are the same for Exchange 2000 and Exchange Server 
2003.

Cheers,
-Paul

-- 
Paul Robichaux <paulr@mvps.org>
MVP - Exchange
Exchange security book: http://www.e2ksecurity.com
FAQs: http://www.swinc.com/resource/exchange.htm &
http://www.swinc.com/resource/e2kfaq.htm
0
paulr1 (34)
10/12/2005 7:17:06 PM
Thanks Paul.  Made the permission changes, rebooted the server.  Works
like charm.

0
10/13/2005 12:22:18 AM
Reply:

Similar Artilces:

Mailbox on Exchange Front-End Server
Can you create a mailbox on an Exchange 2003 Front-End Server? When you make Exchange a FE server, it then assumes all internet protocols are to be proxied to the BE servers. It can't proxy to itself. If you put mailboxes on it, only MAPI connections could reach them. Depending on your deployment, there may be security implications of allowing that. Can you? I think so. Should you? Probably not. William "John Blake" <anonymous@discussions.microsoft.com> wrote in message news:19f8501c44d87$e00c6950$a001280a@phx.gbl... > Can you create a mailbox on an Exchange 20...

Configuring Exchange to Use Multiple RCPT TOs for Smart Relay
How do you configure exchange such that a message with multiple recipients is sent to the smart relay as a message with multiple recipients instead of duplicate copies of the message with one recipient each? Thanks, Alan You're talking per-domain, correct? Because Exchange already does this for recipients in the same domain. Baris. -- This posting is provided "AS IS" with no warranties, and confers no rights. "Alan" <msn-exchange@web.morphdog.com> wrote in message news:035d01c3c78f$104e6610$a401280a@phx.gbl... > How do you configure exchange such that a m...

Outlook 2000 under Win98
Hi, Have a machine with Win98 and Outlook 2000. I am giving this machine to another user. The problem that I have is that when I start Outlook 2000, it has the previous user name in the splash screen. here are the things that I have tried. 1. Uninstall Outlook 2000 (twice) 2. Delete all occurances of Outlook in Registry 3. Reinstall Outlook 2000 (twice) 4. Delete .pwl files And still when I reinstall again, I entered a new user name in the installation process. After that, I start Outlook and still have the previous user name. Note: Don't really want to reinstall Win98. Any s...

Exchange Extension Error
I'm trying update an email address and an error pops up. Microsoft Active Directory - Exchange Extension A Local Error has occured. Facility: Win32 ID no:8007203b Microsoft Active Directory - Exchange Extension Everything else seems to be working ok. Any ideas? Thanks, Q does this apply? http://support.microsoft.com/default.aspx?scid=kb;en-us;329642 "Quan" <anonymous@discussions.microsoft.com> wrote in message news:1a2001c4abc4$e8f2ea30$7d02280a@phx.gbl... > I'm trying update an email address and an error pops up. > > Microsoft Active Directory - Exchange...

Set field focus in a subroutine
In Access 2003 (Windows XP) I am passing the value of a field in a textbox on a form to a subroutine to validate that the date value is within a range. If the date is out of range I would like to set the focus of the field on the form and display an error message. When I pass in the field to the subroutine, I get a compile error "Invalid qualifier" when I try to set focus to the date field. How can I set the focus to the field within the subroutine. Here is the subrotuine code: Public Sub CheckDates(date1 As Date) If Not IsNull(date1) And date1 < [Forms]![frmMR...

VB: using a string to set a range object?
I'm a bit new to the excel "range" object type. I was suprised to see that while I can do: dim chunk as Range chunk = .Range(A5:B6) I apparently cannot do: dim chunk as Range dim stuff as string string = "A5:B6" chunk= .Range(string) How can I concatenate up a string describing a range, and then use it to define a range object's target cells? - Ross. Oops, I meant chunk = .Range("A5:B6") in the first example - I forgot the quotes. R. "RGK" <nothanks@nospam.go> wrote in message news:RqydnSWzbu_OEZbeRVn-2A@...

Problem in Setting up CRM server
Hi We are trying to install CRM server. but we getting following error message and we don't know the reason for this. Action Microsoft.Crm.Setup.Server.GrantDatabaseAccessAction failed. ---> Microsoft.Crm.Setup.Common.SetupException: Setup could not complete this action. This might be due to the fact that there are multiple Domain Controllers and they have not replicated new Microsoft CRM information yet. If this is the case you have several options: 1. Go to the domain controller and manually force synchronization. 2. Wait 15 minutes (typically) until the domain controller synchron...

are scripts allowed in exchange 2003?
I used to run a few scripts in exchange 5.5, and now that I'm upgrading to 2003 I can't find how to implement these scripts. How do I keep using my scripts from exchange 5.5 in exchange 2003? Can you give us a bit more information regarding your scripts? Are they VBS accessing WMI information, batch files utilizing resource kit (reskit) utilities, etc. Scripting works with Exchange 2003 and Active Directory...I tinker with VBScripts. I have also used batch scripts to manage Exchange 2000 with the reskit utils. Bob "gigi" <anonymous@discussions.microsoft.com> wro...

Deny Access to Mailbox
Is there any way to deny access to a mailbox for specific users? Essentially my problem is that I want to prevent dom admin A from being able to read dom admin B email from either Outlook or directly from the server. Thanks. neither domain admin should be able to access the other's mailbox...what version of Exchange? do they have SA explicitly or via a group? "Tyler" <anonymous@discussions.microsoft.com> wrote in message news:008b01c3b8f4$20379370$a301280a@phx.gbl... > Is there any way to deny access to a mailbox for specific > users? > > Essentially my ...

Exchange 2003 Enterprise and several mailbox stores
Is there any limitation on how many mailbox stores in a administrative group you can create? For now we have 4 mailbox groups and 1 public folder, when trying to create one more Mailbox-group i get this errormsg: This storage group alreday contains maximum number of stores allowed. ID no: c1034a7a I thought that Enterprise edition had no limit. Kind Regards Peter Kulinski You can create up to 4 storage groups, each containing a maximum of 5 stores. Enterprise Edition has a limit of 20 stores. The 'no limit' you've heard about probably applies to the sizes of each of t...

How to exclude one user from being affected by mailbox limits.
Hi, We are using Exchange 2003 Stadard Edition. We have put a 300MB limit on the mailbox store. However we would like the manager to have a 500MB limit but we can't find anything that would exclude him from being affected from the limits. Can someone shed some light on this for me please? Thanks for your help, Jamie In news:5ACF0054-7FAB-45B8-89D4-41F4359376A2@microsoft.com, Jamie Tanner <JamieTanner@discussions.microsoft.com> typed: > Hi, > > We are using Exchange 2003 Stadard Edition. > > We have put a 300MB limit on the mailbox store. However we would like...

Exchange rules
Hi Our company uses Exchange5.5 and Outlook 2000 email clients. Does anyone know if it is possible to 'deploy' a standard set of rules to all mailboxes, which will be in addition to those already set up by the users using their rules wizard. eg. create a rule for everyone where when a mail with a certain subject is received, it is flagged up on their mail client Thanks for any help R ...

Exchange server recovery
I am running 2 exchange servers in a Windows 2000 AD domain. My 2nd Exchange server has failed and Dell is sending a replacement server. I know that I can run setup and use the /disasterrecovery switch to reinstall Exchange on this new box. My question is: how do I install the replacement server into the domain with the domain already having a server by that name? In other words Poly_ethylene has failed and when I get its replacement I will be loading server onto this box and putting it back into the domain using the same name. How can I do this? I have a full bakup of C: and sys...

excel 2000 message
excel 2000 message - 'cannot use object linking and embedding' Were they hit by the MSBlast worm? One poster (Lutz Meyer) guessed that this was the cause of his problems. I haven't seen any confirmation/denial, but you may want to read his post: http://groups.google.com/groups?threadm=3F3971AF.FA4490F5%40msn.com Post back with your results. I'm curious if that was the problem. (It's come up quite a few times since MSBlast hit.) bill bootle wrote: > > excel 2000 message - 'cannot use object linking and > embedding' -- Dave Peterson ec35720@msn.c...

how do I set up my email with outlook
I have just installed outlook but I can send emails form outlook, what do I need to set up and to link to yahoo? tokyo gyoza wrote: > I have just installed outlook but I can send emails form outlook, > what do I need to set up and to link to yahoo? You have to pay Yahoo if you want to use it in Outlook (via POP). ...

Exchange 2003 OWA #5
I accidentally killed my default website that contained the exchange virtual directories. Can someone tell me how to recreate them? Thanks ...

How to empty a store
I have an exchange 2003 enterprise server, my default private store got corrupted so that it would no longer run an online backup, so I crearted a new private info store in the same group moved the mailboxes to it and it is working ok. However the original default private store is still corrupt and won't mount no matter what I do and I've tried everything. My question is: Can I safely and without having any effect on the other new working stores, delete the edb and stm files for the damaged store mount it answer yes to create a blank database and have a working though blank stor...

set month end
Hi. I need a function to customize month end to the last Friday of each month. So for December 2005, the start date would be (A1) 11-26-05, and the end date would be (A2) 12-30-05. I want to autofill the dates that fall within this range down starting in A3. Any thoughts? =IF(MONTH(A2+28)=MONTH(A2+35),A2+35,A2+28) There will be either 4 weeks(28 days) or 5 weeks (35 days) between month end. so if 4 weeks later is in the same month as 5 weeks later, then it is 5 weeks, if they're different, it's 4 weeks. - Search "Chilliputt" wrote: > Hi. I need a function to ...

Re Outlook 2003 settings
When I setup my POP3 email account in Outlook 2003, it was automatically setup to connect thru LAN, even though my Internet connection is thru 56k modem--at least right now. I do have a built in LAN, but it is not connected at this time. I want to be able to poll for mail. Should I leave it set to LAN and check the modem box to connect when off line? Currently I manually dial my ISP--settings for dial up in Internet Explorer are set to never dial. Do I change this to always dial or will I end up sometimes having 2 dialers running--one from Network connections and one from Internet ...

Outlook 2000 SP3 won't shut down
On an XP SP2 box running Office 200 SP3 when I want to shut down the system, outlook.exe and mapi32 seem to hang. They don't shut down on their own ever. Any ideas? ...

how to store user responses
Using Excel 2000, I have a userform--userform1, with a textbox-- txtquantity1. I'm trying to get the user to enter the quantity for a part number in a quote. There could possibly be as many as 40 different quantities requested by the customer. When the user enters the quantity and presses enter, I'd like to ask them if they have another quantity to enter, or at least provide another textbox so they could enter another quantity and keep generating textboxes until the user is through adding quantities. When they are finished entering the last quantity, the user needs to c...

GAB replication between Exchange 2003 and 5.5
Hello We have exchange 5.5 server in our organization. address book is replicating with Exchange 5.5 of another organization. We want to migrate to Exch2003. How can I remain replication? Thank You! Keep the existing of Exchange SRS Server which is the first Exchange Server 2003 installed under Exchange 5.5 Organization. and keep the Exchange 5.5 Server which has the GAB. do not remove any exchange 5.5 server. Alaa Al-Ankar "Shurick" <Shurick@discussions.microsoft.com> wrote in message news:CF178F7C-F241-4E75-9F07-95AA8BC04E98@microsoft.com... > Hello > > We...

one for you Exchange super geniuses
Assume I have a Small Business Server 2003 network with an Exchange orginization called @abc.com We use the Exchange POP connector to retrieve email on an external POP3 server. This external domain is also called @abc.com We have an address called user1@abc.com which copies all its email to a second email account called user2@abc.com The reason for the copying is that the user2@abc.com address ends up at a PDA device. The Exchange server in the office doesn't check the user2 account. This all works fine. The problem is when a user on the network in the abc.com domain tries to send...

EXchange Active sync users limit
We have been using the Treo 650 smart phones with some amount of success with the Exchange ACtive Sync. We have Approx. ten users who use this functionality right now. We tried adding another person to allow him to use this functionality but for some reason he gets this error when he tries to sync. "There was a problem syncing messages (Sys 05E5) Server returned error for last command. Status:5 None of our other users get this error. And if they did, all Treo users got the error, which was remedied by adjusting the properties to the Exchange Mobile virtual directory. Now no on...

exchange tools listed twice in ADUC right click
We installed exchange but forgot to install the tools option so we did it after. When that happened it locked up with errors part of the way thru. When I restarted after a system reboot and installed them again it now listed in the active directory users and computers extensions twice when you right click on an object. I removed the tools, it removes both entries. I reinstalled and now both entries are back. Where can I find these entries in AD and remove the duplicate. Thanks Comments inline below. -- Ed Crowley MVP "There are seldom good technological solutio...