Re: Exchange Mailbox created by users without Exchange access

<RealDeal1@xxxxxxxxxxxxx> wrote:

I'm noticing an issue with some A/D domain admins copying accounts and
having the mailboxes created even though they don't have any Exchange 2003
permissions.

Domain Admins have the necessary permission to read the contents of
the Configuration container in the AD -- that's all they need to
create mailboxes, just like a "View-only Admin".

These users do not have view only nor any higher exchange
permissions. They are simple domain admins. They are creating the accounts
from their local DC. The users do not even get a prompt about which exchange
store to create the account in. It is automatic and in fact does not follow
the default naming convention. It puts the whole name in the automatically
generated E-mail address instead of putting first initial + last name.

"It" is the Domain Admin, not the software. If you check one of the
accounts, the "E-mail" address (the "mail" property) is populated but
not the "Email Addresses" (the "proxyAddresses" property), is that
correct? If "it" was the RUS then the proxyAddresses would be
populated and the primary SMTP proxy address would be placed into the
mail attribute.

I've been deleting all email attributes for these accounts and then
recreating the mailbox and then the default naming convention is corrected.
But this leaves me with an extra step and an orphaned mailbox.

Are you removing the /Exchange/ attributes from the user by
right-clicking the user and selecting "Exchange tasks" from the
context menu? Or are you just using the ADUC and clearing the "E-mail"
property? The two aren't the same.

We are using Exchange 2003 with Windows 2003 R2 DCs.

Has anyone else seen this issue?

Only if the person creating the user supplies the e-mail address. If
they do that the RUS won't touch the user so no mailbox is ever going
to be created.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
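
The check described in the reply above ("mail" populated while "proxyAddresses" is empty), as an added example that is not part of the original thread: a Python sketch that classifies accounts from an LDIF-style directory export. The sample records, the example.test domain and the state names are constructed for illustration, and only plain "attr: value" lines are handled (base64 "attr::" values are ignored).

```python
# Constructed sample in the style of an LDIF export (e.g. from ldifde); not real data.
SAMPLE_LDIF = """\
dn: CN=John Smith,OU=Staff,DC=example,DC=test
sAMAccountName: jsmith
mail: jsmith@example.test
proxyAddresses: SMTP:jsmith@example.test

dn: CN=Jane Copied,OU=Staff,DC=example,DC=test
sAMAccountName: jcopied
mail: Jane.Copied@example.test

dn: CN=Bob Drift,OU=Staff,DC=example,DC=test
sAMAccountName: bdrift
mail: bob.drift@example.test
proxyAddresses: SMTP:bdrift@example.test
proxyAddresses: smtp:bob.drift@example.test

dn: CN=No Mail,OU=Staff,DC=example,DC=test
sAMAccountName: nomail
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per record (plain 'attr: value' lines only)."""
    for block in text.replace("\n ", "").split("\n\n"):  # unfold continuation lines
        rec = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                rec.setdefault(attr.lower(), []).append(value.strip())
        if rec:
            yield rec

def classify(rec):
    """Compare the mail attribute with the primary (upper-case SMTP:) proxy address."""
    mail = (rec.get("mail") or [None])[0]
    proxies = rec.get("proxyaddresses", [])
    primary = next((p[5:] for p in proxies if p.startswith("SMTP:")), None)
    if mail is None:
        return "no-mail"
    if not proxies:
        return "manual-mail"  # address typed in at creation; no proxy addresses stamped
    if primary is None or primary.lower() != mail.lower():
        return "mismatch"     # mail does not reflect the primary SMTP proxy address
    return "stamped"

def audit(text):
    return {r["samaccountname"][0]: classify(r) for r in parse_ldif(text)}

if __name__ == "__main__":
    for account, state in audit(SAMPLE_LDIF).items():
        print(f"{account:10} {state}")
```

Accounts reported as "manual-mail" are the ones to review against who created them, since those carry an address that was supplied by hand rather than generated by policy.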