
User has permissions to all mailboxes- can't figure out how

Status
Not open for further replies.

PhilTA

MIS
Jan 3, 2006
31
US
I have a very challenging issue here with a user (User1) who appears to have full access to everyone's mailbox. However checking the following does not show any permissions that would give User1 the full access. I checked:

-client level permissions from Outlook(mailbox level and all subfolders)- nothing granted to User1
-ran "Get-MailboxPermission -ID User2 -User User1" (returns no permissions for User1)
-checked security groups for User1 (only standard level user groups)
-checked Exchange Organization permissions (nothing granted to User1)
-checked Delegates (nothing for User1)

This User1 can open any mailbox. This User1 can add a new Outlook profile and click on "check name" and resolve another user's name without getting prompted for credentials.

Any ideas here? This is obviously a serious security problem.
 
Have you used get-adpermission at all? That might be another way to parse through some data to see where they are getting the access.



Cory
 
get-adpermission isn't returning anything explicitly for User1 on any other user accounts
 
Try this

Code:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User <Active Directory User> | Format-Table Identity, AccessRights, Deny

If it comes back relatively empty, then the user has rights as part of some group membership.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Was user1 the installer of Exchange? In testing install of Exchange with my account, I was considered supreme user of Exchange of all accounts on that server. Also, go into ADUC and make sure Advanced is checked. Under Microsoft Exchange System Objects, check the security there for individual accounts (user1). Also, in ADSIEdit go under Configuration to CN=Services;CN=Microsoft Exchange and check the security on that point as well.
 
Thanks for good tips guys. So far no luck.

58Sniper
Sure enough that PS command returned nothing. The only group membership for this user is Domain Users, a distribution list, and a security group that is common among all users (with nobody else having this full access)

TechyMcSe2k
The user was not the installer of Exchange. I also checked those other objects and it came up with nothing for that user. I was wondering however, if perhaps when this user account was created, if it was copied from one of the admin accounts. Even though this user doesn't have any admin group memberships, perhaps something could have remained?

Also, ONE thing I did find is that at the domain level, this user is granted the extended rights of "Create top level public folder" and "create public folder". Is there any chance that this can somehow tie in with the full access to mailboxes?
 
Delete his account and make a fresh one. Sounds like you are his boss so this shouldn't be a problem. I would actually give him a new one, and disable his old one for a while just to make sure it is not linked to something that brings the environment down.
 
PhilTA said:
Also, ONE thing I did find is that at the domain level, this user is granted the extended rights of "Create top level public folder" and "create public folder". Is there any chance that this can somehow tie in with the full access to mailboxes?

No - that won't do it.
PhilTA said:
The user was not the installer of Exchange. I also checked those other objects and it came up with nothing for that user. I was wondering however, if perhaps when this user account was created, if it was copied from one of the admin accounts. Even though this user doesn't have any admin group memberships, perhaps something could have remained?

Try this
Code:
Get-ExchangeAdministrator | where {$_.Identity -match "username"}

obviously, replace "username" with the user's actual name, like "58sniper". See if it shows up there.

TechyMcSe2k said:
Delete his account and make a fresh one. Sounds like you are his boss so this shouldn't be a problem. I would actually give him a new one, and disable his old one for a while just to make sure it is not linked to something that brings the environment down.
That would change his legacy DN, which might cause problems if people reply to earlier messages from this user.

I'm not inclined to recreate the user account. Crank auditing up on the server so that at least you have a record of what the user is accessing.

If none of these work, I'd rip the user out of all of their groups and see if the problem persists. If it does, let me know.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I forgot to mention that you should be able to do something like
Code:
Get-ADPermission "pat richard" | ft user, deny, IsInherited, AccessRights -auto

And that should show you all rights to the mailbox. Replace the name with a random account you know this user can access. The resulting list will show all rights to the mailbox, and should help you narrow down where the user is getting rights from.

Let me know if this helps.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
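The following script is an added example, not code posted by anyone in this thread. It runs the checks the replies above walk through (Get-MailboxPermission and Get-ADPermission across every mailbox) in one pass, but first expands the user's nested group membership so that grants made to a group are recognised, and it also looks one level higher than the thread does: a Receive-As extended right granted on a mailbox database or server is inherited by every mailbox beneath it, which a per-mailbox "-User" query does not attribute to the user. It assumes the Exchange 2007 Management Shell (PowerShell 1.0, hence trap instead of try/catch) and a placeholder account name.

```powershell
# Added example: find where an account's mailbox access is coming from.
# Assumes Exchange 2007 Management Shell; $Account is a placeholder.
param([string]$Account = "CONTOSO\user1")

# Resolve a SID to DOMAIN\Name; unresolvable SIDs are kept as raw SID strings.
function Resolve-Sid($sid) {
    trap { $sid.Value; continue }
    $sid.Translate([System.Security.Principal.NTAccount]).Value
}

# 1. Expand nested group membership from the user's tokenGroups attribute,
#    so that rights granted to any of those groups are attributed to the user.
$sam = $Account.Split('\')[-1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
$userEntry = $searcher.FindOne().GetDirectoryEntry()
$userEntry.RefreshCache(@("tokenGroups"))
$principals = @($Account)
foreach ($sidBytes in $userEntry.Properties["tokenGroups"]) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $principals += Resolve-Sid $sid
}
Write-Host "Checking grants to: $($principals -join ', ')"

# 2. Mailbox-level grants (explicit or inherited) to the user or its groups.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object { $principals -contains $_.User.ToString() } |
    Select-Object Identity, User, AccessRights, IsInherited, Deny |
    Format-Table -AutoSize

# 3. AD grants on each mailbox object, including extended rights.
Get-Mailbox -ResultSize Unlimited | Get-ADPermission |
    Where-Object { $principals -contains $_.User.ToString() } |
    Select-Object Identity, User, AccessRights, ExtendedRights, IsInherited, Deny |
    Format-Table -AutoSize

# 4. Grants above the mailbox level: Receive-As on a database or server is
#    inherited by every mailbox below it and yields full access to all of them.
$scopes = @(Get-MailboxDatabase) + @(Get-ExchangeServer)
$scopes | Get-ADPermission |
    Where-Object { ($principals -contains $_.User.ToString()) -and
                   ($_.ExtendedRights -match "Receive-As") } |
    Select-Object Identity, User, ExtendedRights, IsInherited, Deny |
    Format-Table -AutoSize
```

Any row in the last table explains access to every mailbox on that database or server; rows with IsInherited set to True in the earlier tables point at a grant made on a parent container rather than on the mailbox itself.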
 