OWA users have full access to other users' folders

I have an Exchange 2003 Server with users using a mix of Outlook 2003
and OWA for email access.  The users' calendars are shared company-wide
for read/write access, while all other folders are restricted to no
access/invisible.  These restrictions work fine throughout the company
when using Outlook.  However, if any user browses to an address such
as:

https://exchange/user_name/calendar

they are presented with the standard OWA login screen.  After logging
in with their own account, they are able to view and interact with any
other account specified by the "user_name" above.  This includes
sending emails, deleting messages, etc.  Ideally, I would like them to
have OWA calendar access only.  I have gone through the security
settings within ADUC, System Manager, and IIS Manager and cannot seem
to find where the appropriate settings reside.  Any assistance or
suggestions would be appreciated.  Thanks in advance.

0
10/11/2006 5:13:39 PM
exchange.admin

On 11 Oct 2006 10:13:39 -0700, troy.litwiler@gmail.com wrote:

>I have an Exchange 2003 Server with users using a mix of Outlook 2003
>and OWA for email access.  The users' calendars are shared company-wide
>for read/write access, while all other folders are restricted to no
>access/invisible.  These restrictions work fine throughout the company
>when using Outlook.  However, if any user browses to an address such
>as:
>
>https://exchange/user_name/calendar
>
>they are presented with the standard OWA login screen.  After logging
>in with their own account, they are able to view and interact with any
>other account specified by the "user_name" above.  This includes
>sending emails, deleting messages, etc.  Ideally, I would like them to
>have OWA calendar access only.  I have gone through the security
>settings within ADUC, System Manager, and IIS Manager and cannot seem
>to find where the appropriate settings reside.  Any assistance or
>suggestions would be appreciated.  Thanks in advance.

Sounds like you have over-enabled the users' permissions.
So, first thing to look for is "Full Mailbox Access" on the user
account properties. Is that right there and if so, who or what group
has it ticked?
0
mark7219 (5666)
10/11/2006 6:14:46 PM
Thanks for the quick response Mark.  The only users with "Full mailbox
Access" are the expected accounts - Admin, Domain Admin, Enterprise
Admin, and Self.  Also - wouldn't this affect the restrictions within
Outlook as well?  As I said, it appears as though only OWA is affected.
The appropriate restrictions appear to be in place within Outlook - i.e.
users can only access other users' Calendars.  The only folders remain
inaccessible.


Mark Arnold [MVP] wrote:
> On 11 Oct 2006 10:13:39 -0700, troy.litwiler@gmail.com wrote:
>
> >I have an Exchange 2003 Server with users using a mix of Outlook 2003
> >and OWA for email access.  The users' calendars are shared company-wide
> >for read/write access, while all other folders are restricted to no
> >access/invisible.  These restrictions work fine throughout the company
> >when using Outlook.  However, if any user browses to an address such
> >as:
> >
> >https://exchange/user_name/calendar
> >
> >they are presented with the standard OWA login screen.  After logging
> >in with their own account, they are able to view and interact with any
> >other account specified by the "user_name" above.  This includes
> >sending emails, deleting messages, etc.  Ideally, I would like them to
> >have OWA calendar access only.  I have gone through the security
> >settings within ADUC, System Manager, and IIS Manager and cannot seem
> >to find where the appropriate settings reside.  Any assistance or
> >suggestions would be appreciated.  Thanks in advance.
>
> Sounds like you have over-enabled the users permissions.
> So, first thing to look for is "Full Mailbox Access" on the user
> account properties. Is that right there and if so, who or what group
> has it ticked?

0
10/11/2006 6:20:59 PM
Yes indeed, my bad.
Needs more thought.
0
mark7219 (5666)
10/11/2006 6:30:19 PM
What version of Exchange are you running? Is it 5.5?

"Mark Arnold [MVP]" wrote:

> Yes indeed, my bad.
> Needs more thought.
> 
0
Skip1 (502)
10/11/2006 7:56:02 PM
Nope - Exchange 2003 R2, fully service packed and updated.


skip wrote:
> What version of Exchange are you running is it 5.5
>
> "Mark Arnold [MVP]" wrote:
> 
> > Yes indeed, my bad.
> > Needs more thought.
> >

0
10/11/2006 8:09:40 PM
Bump

troy.litwiler@gmail.com wrote:
> Nope - Exchange 2003 R2, fully service packed and updated.
>
>
> skip wrote:
> > What version of Exchange are you running is it 5.5
> >
> > "Mark Arnold [MVP]" wrote:
> > 
> > > Yes indeed, my bad.
> > > Needs more thought.
> > >

0
10/24/2006 2:09:10 PM
I have the same problem with my exch2003 server. I have enabled forms-based 
auth, but once logged on, I can access other users' mailboxes by typing their 
name in the URL. I don't know if it has something to do with upgrading from 
exch2000, but I did notice that when I try to remove usernames from the 
mailbox security, it says that this object is inheriting permission from the 
parent, but the inheritance box doesn't even show up to uncheck it. So I have 
explicitly denied permissions to users and groups that should not have access. 
They still can if they type the name in the URL.

"troy.litwiler@gmail.com" wrote:

> Bump
> 
> troy.litwiler@gmail.com wrote:
> > Nope - Exchange 2003 R2, fully service packed and updated.
> >
> >
> > skip wrote:
> > > What version of Exchange are you running is it 5.5
> > >
> > > "Mark Arnold [MVP]" wrote:
> > > 
> > > > Yes indeed, my bad.
> > > > Needs more thought.
> > > >
> 
> 
0
11/16/2006 5:46:01 PM
Hi Jay.  I finally figured out my problem and was able to resolve it.
I had created  a group policy to allow all my users to have local admin
access to their PCs (legacy software requirement).  Somehow, that also
gave them local admin privileges to the exchange server.  So - while
they couldn't login at the console or directly administer the domain -
they still had access to all of the other users' exchange folders.  I
deleted this policy and suddenly everything worked.  Hope this helps.

On Nov 16, 12:46 pm, j...@stoltenberg.com
<jaystoltenberg...@discussions.microsoft.com> wrote:
> I have the same problem with my exch2003 server. I have enabled forms-based
> auth, but once logged on, I can access other users' mailboxes by typing their
> name in the URL. I don't know if it has something to do with upgrading from
> exch2000, but I did notice that when I try to remove usernames from the
> mailbox security, it says that this object is inheriting permission from the
> parent, but the inheritance box doesn't even show up to uncheck it. So I have
> explicitly denied permissions to users and groups that should not have access.
> They still can if they type the name in the URL.
>
> "troy.litwi...@gmail.com" wrote:
> > Bump
>
> > troy.litwi...@gmail.com wrote:
> > > Nope - Exchange 2003 R2, fully service packed and updated.
>
> > > skip wrote:
> > > > What version of Exchange are you running is it 5.5
>
> > > > "Mark Arnold [MVP]" wrote:
> 
> > > > > Yes indeed, my bad.
> > > > > Needs more thought.

0
11/22/2006 8:11:47 PM
Hi Troy, I am facing the same problem. Would you tell me how you 
solved the problem?

thanks a lot

troy.litwiler@gmail.com wrote:
> Hi Jay.  I finally figured out my problem and was able to resolve it.
> I had created  a group policy to allow all my users to have local admin
> access to their PCs (legacy software requirement).  Somehow, that also
> gave them local admin privileges to the exchange server.  So - while
> they couldn't login at the console or directly administer the domain -
> they still had access to all of the other users' exchange folders.  I
> deleted this policy and suddenly everything worked.  Hope this helps.
> 
> On Nov 16, 12:46 pm, j...@stoltenberg.com
> <jaystoltenberg...@discussions.microsoft.com> wrote:
>> I have the same problem with my exch2003 server. I have enabled forms-based
>> auth, but once logged on, I can access other users' mailboxes by typing their
>> name in the URL. I don't know if it has something to do with upgrading from
>> exch2000, but I did notice that when I try to remove usernames from the
>> mailbox security, it says that this object is inheriting permission from the
>> parent, but the inheritance box doesn't even show up to uncheck it. So I have
>> explicitly denied permissions to users and groups that should not have access.
>> They still can if they type the name in the URL.
>>
>> "troy.litwi...@gmail.com" wrote:
>>> Bump
>>> troy.litwi...@gmail.com wrote:
>>>> Nope - Exchange 2003 R2, fully service packed and updated.
>>>> skip wrote:
>>>>> What version of Exchange are you running is it 5.5
>>>>> "Mark Arnold [MVP]" wrote:
>>>>>> Yes indeed, my bad.
>>>>>> Needs more thought.
> 
0
k
2/13/2007 2:58:40 AM
Hi Troy, I am facing the same problem. Would you tell me how you 
solved the problem?

many thanks
Alex




Hi Jay.  I finally figured out my problem and was able to resolve it.
I had created  a group policy to allow all my users to have local admin
access to their PCs (legacy software requirement).  Somehow, that also
gave them local admin privileges to the exchange server.  So - while
they couldn't login at the console or directly administer the domain -
they still had access to all of the other users' exchange folders.  I
deleted this policy and suddenly everything worked.  Hope this helps.

On Nov 16, 12:46 pm, j...@stoltenberg.com
<jaystoltenberg...@discussions.microsoft.com> wrote:
> I have the same problem with my exch2003 server. I have enabled forms-based
> auth, but once logged on, I can access other users' mailboxes by typing their
> name in the URL. I don't know if it has something to do with upgrading from
> exch2000, but I did notice that when I try to remove usernames from the
> mailbox security, it says that this object is inheriting permission from the
> parent, but the inheritance box doesn't even show up to uncheck it. So I have
> explicitly denied permissions to users and groups that should not have access.
> They still can if they type the name in the URL.
>
> "troy.litwi...@gmail.com" wrote:
> > Bump
>
> > troy.litwi...@gmail.com wrote:
> > > Nope - Exchange 2003 R2, fully service packed and updated.
>
> > > skip wrote:
> > > > What version of Exchange are you running is it 5.5
>
> > > > "Mark Arnold [MVP]" wrote:
> 
> > > > > Yes indeed, my bad.
> > > > > Needs more thought.
0
k
2/13/2007 3:00:46 AM
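
A detection sketch for the symptom discussed in this thread, added here and not taken from any post: it reads IIS W3C logs and lists successful OWA requests where the authenticated account differs from the mailbox named in the URL and the folder is not the shared Calendar. The log lines are constructed; the `/exchange` virtual directory and the assumption that the mailbox segment equals the logon name are not stated on this page.

```python
"""Flag OWA requests where the logged-on user touched another user's mailbox."""
from urllib.parse import unquote_plus

OWA_PREFIX = "/exchange"        # assumption: OWA virtual directory name
SHARED_FOLDERS = {"calendar"}   # the thread shares only calendars company-wide

# Constructed sample in IIS W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-10-11 17:01:02 10.0.0.21 CORP\\alice GET /exchange/alice/Inbox/ 200
2006-10-11 17:02:10 10.0.0.21 CORP\\alice GET /exchange/bob/Calendar/ 200
2006-10-11 17:03:44 10.0.0.21 CORP\\alice GET /exchange/bob/Inbox/ 200
2006-10-11 17:04:05 10.0.0.21 CORP\\alice DELETE /exchange/bob/Inbox/Budget.EML 200
2006-10-11 17:05:30 10.0.0.34 CORP\\carol GET /exchange/bob/Inbox/ 401
2006-10-11 17:06:12 10.0.0.34 - GET /exchange/bob/ 401
2006-10-11 17:07:00 10.0.0.34 carol@corp.example GET /exchange/Bob/Sent+Items/ 207
"""


def short_name(cs_username):
    """Reduce DOMAIN\\user or user@domain to a lower-case logon name."""
    return cs_username.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or odd lines
                yield dict(zip(fields, values))


def cross_mailbox_hits(text, prefix=OWA_PREFIX, shared=SHARED_FOLDERS):
    """Return (timestamp, user, mailbox, folder, method) for each suspect request."""
    hits = []
    for row in parse_w3c(text):
        user = row.get("cs-username", "-")
        status = row.get("sc-status", "")
        if user == "-" or not status.startswith("2"):
            continue                         # anonymous or rejected request
        stem = row.get("cs-uri-stem", "")
        # IIS logs write spaces in the stem as '+'; decode both '+' and %xx.
        parts = [unquote_plus(p) for p in stem.split("/") if p]
        if len(parts) < 2 or "/" + parts[0].lower() != prefix:
            continue                         # not an OWA mailbox URL
        mailbox = parts[1].lower()
        folder = parts[2].lower() if len(parts) > 2 else ""
        if mailbox == short_name(user) or folder in shared:
            continue                         # own mailbox, or a shared calendar
        stamp = row.get("date", "") + " " + row.get("time", "")
        hits.append((stamp, short_name(user), mailbox,
                     folder or "(root)", row.get("cs-method", "")))
    return hits


if __name__ == "__main__":
    for hit in cross_mailbox_hits(SAMPLE_LOG):
        print("%s  %s -> %s/%s  %s" % hit)
```

Any hit from an account that holds no explicit mailbox permission points at a broader grant, such as the local administrator membership on the Exchange server that the original poster traced to a group policy.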