1

I just started working for this small firm (30 people) a little bit ago, replacing their System Admin. First thing I noticed was Exchange Server 2010 was WAY out of date. Believe it or not they did not have SP1 installed. So after I installed and configured Exchange 2010 SP3 and redirected OWA I noticed something in OWA. I could add ANYONE's User Mailbox WITHOUT giving mailbox premission. I created a couple test users, same thing. I even had another employee provide me access to their OWA and they could open anyone's Inbox without granting permission. I don't want to play the blame game, but I was SHOCKED that this was going on. Luckly being such a small company I'll be able to cover this mistake that I did not create, BUT HOW?

My guess is that I need to find out where the past System Admin went wrong in providing Full Access Permission? Or could this be a Auto-Mapping issue?

I found this article: http://technet.microsoft.com/en-us/library/hh529943.aspx

This might work $FixAutoMapping = Get-MailboxPermission sharedmailbox |where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false} $FixAutoMapping | Remove-MailboxPermission $FixAutoMapping | ForEach {Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false}

However how do I insert the above code into Powershell?

Again I was thrown into this mess and I'm just trying to iron out this tangled mess.

Colyn1337
  • 1,228
Benjamin Jones
  • 684

1 Answers1

2

Permissions for mailboxes are set at two different levels. You can define permissions at the database level and at the mailbox level. The mailboxes will inherit access right permissions from the database so I'd recommend you start there. The powershell code to see who has rights and what those rights are at the database level is:

$Database = "your database name here"
Get-ADPermission $Database | Where-Object {$_.Deny -eq $False} | Select User,AccessRights

That code will give you a dump of who has DB rights (I'm betting "Everyone" or "Authenticated Users" has full access). Use the Add-ADPermission and/or Remove-ADPermission cmdlets in order to re-mediate, remove, and change access rights.

Since you're new to Exchange administration, be extremely careful and use the -Whatif option where possible. You may also want to consider bringing in an Exchange Administrator on a contract to look over your network and ensure configuration is correct and proper.

Colyn1337
  • 1,228