Exchange 2007 Security question


  • Exchange 2007 Security question

    I came into this job with an Exchange 2007 server already set up. The server is running Hub, Trans, CAS and mailbox on one system. It's a small company so it's no big deal.

    My issue is: when I log into the Exchange server and open the Exchange Management Console to grant a user rights to another user's mailbox, I do not have the "Grant Full Access" permission.

    I run the command
    Add-MailboxPermission "user" -User "other user" -AccessRights FullAccess

    If I run the command again it says I have the permission, but when I try and open the mailbox in Outlook it says I don't have permission. Not sure what else it can be.

  • #2
    Re: Exchange 2007 Security question

    I would be careful with regards to granting full access to another user's mailbox and ensure it is in line with the Company's security policy. Look to see what groups your logon account has been added to. If the wizard for setting Full Access doesn't appear for you, it suggests that you may not have the rights. Have you got the user to grant the access for you, using Outlook? Have you reviewed the security permissions via AD?



    • #3
      Re: Exchange 2007 Security question

      Exchange permission changes are not live.
      It can take up to 2 hours before they take full effect. Therefore that is probably why you don't have access.

      Presume that you do not have access to any mailbox, make the permission change, then try and access the mailbox. That way you will not get caught with the permissions cache.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.
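
A read-only check for the situation discussed in this thread, as an added example that is not part of any post: it shows whether the FullAccess entry was actually stored on the mailbox, which Deny entries exist, and who holds explicit FullAccess. The mailbox name `helpdesk` is taken from the thread; `CONTOSO\jsmith` is a placeholder account.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# "CONTOSO\jsmith" is a placeholder; replace it with the real account.
$mailbox = "helpdesk"
$grantee = "CONTOSO\jsmith"

# 1. Is the entry written by Add-MailboxPermission stored on the mailbox?
#    If it is listed here but Outlook still refuses, the change may simply
#    not have taken effect yet.
Get-MailboxPermission -Identity $mailbox -User $grantee |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize

# 2. List every Deny entry on the mailbox. IsInherited shows whether the
#    entry was set on the mailbox itself or comes from a parent object.
#    Compare the User column with the groups the grantee belongs to.
Get-MailboxPermission -Identity $mailbox |
    Where-Object { $_.Deny } |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize

# 3. Review list: everyone with explicit (non-inherited) FullAccess,
#    excluding the mailbox owner's own SELF entry.
Get-MailboxPermission -Identity $mailbox |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike "NT AUTHORITY\SELF" -and
        ($_.AccessRights -like "*FullAccess*")
    } |
    Format-Table Identity, User, AccessRights -AutoSize
```

All three commands only read permissions, so they can be run before and after a change to compare the results.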



      • #4
        Re: Exchange 2007 Security question

        I am the Network admin and I have domain admin rights. Plus the box I need access to is our Help Desk box. Also I don't see any service packs on the Exchange server, could this be part of the problem? I used the
        Add-MailboxPermission "helpdesk" -User "user" -AccessRights FullAccess
        This worked fine but I would like to have the GUI. I also have the Admin group I'm in allowed full access to Exchange.



        • #5
          Re: Exchange 2007 Security question

          Why do you need full access to Exchange?
          I have never sought nor required access to everything to operate Exchange servers correctly.

          Furthermore, if your own account has domain admin rights, then your account will be blocked from having access to mailboxes. Exchange will actively remove it.
          You need to move to the split admin model, where your own account does not have domain admin rights and you have a special domain admin account that is not used for day to day access. That is how the world is moving and how Exchange is designed to operate.

          However I do not think any Exchange administrator needs to have access to all mailboxes by default.

          The GUI and command line do the same thing.
          While lack of service packs is something that should be corrected sooner rather than later, it will not change this issue, as that is how Exchange is designed to work.

          Simon.


          • #6
            Re: Exchange 2007 Security question

            Originally posted by Sembee
            Why do you need full access to Exchange?
            I have never sought nor required access to everything to operate Exchange servers correctly.

            Furthermore, if your own account has domain admin rights, then your account will be blocked from having access to mailboxes. Exchange will actively remove it.
            You need to move to the split admin model, where your own account does not have domain admin rights and you have a special domain admin account that is not used for day to day access. That is how the world is moving and how Exchange is designed to operate.

            However I do not think any Exchange administrator needs to have access to all mailboxes by default.

            The GUI and command line do the same thing.
            While lack of service packs is something that should be corrected sooner rather than later, it will not change this issue, as that is how Exchange is designed to work.

            Simon.

            I understand the security thing, but this is how this server was set up, and having to have 2 different accounts, one with domain admin rights and one without, that's not how this company is moving at the time. Like I said I just came into this job and have a lot of work to do. Plus coming into an environment with people that have been here for more than 10 years it's a hard sell.

            Anyway this still does not resolve my issue. If I log into the server with the admin account I still don't see the option to grant access to a mailbox.



            • #7
              Re: Exchange 2007 Security question

              The fact that it has been done for the last so many years doesn't really matter. The way that Microsoft's products are now designed is to use the split permission model. If you have domain admin rights then permissions will be removed by Exchange automatically. The quicker you move to that model the easier life will be.
              Having a single account to do everything is a bad move because if you are logged in to a workstation and browse to a site with an unpatched zero day flaw, then it's in, nothing you can do about it. If you don't have anything more than local admin rights then the compromise doesn't get very far.

              Going back through the question, the ability to use the GUI to set Full Mailbox and Send As permissions was first introduced in SP1. If you don't have SP1 on the machine I suggest that you get it installed - although the preference should be SP2 or SP3, as SP1 is very old.

              Simon.