Re: AD Create New User - Mailbox Rights




Hi Jeff,
Looks like you might have "Creator Owner" of the mailbox having "Full
Control" rights to the mailbox.
Can you kindly confirm if your Exchange Mail Store conforms with the rights
stipulated in this link: http://support.microsoft.com/kb/328229

Regards,

Austin

"Jeff" <Jeff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A15FD9DF-6E48-4F67-BC28-F0ED34F27651@xxxxxxxxxxxxxxxx
No other rights or group memberships exist anywhere. These are newly created
objects with the following steps.

Created a NEW group called "Helpdesk"
Created a NEW user called TestAdmin
Put TestAdmin in "Helpdesk" group
Delegated "Helpdesk" group Exchange Administrator View Only to the First Administrative Group
Delegated "helpdesk" Create user on an OU which contains user objects
Logged on as Testadmin
Created a new account called TestUser with an exchange mailbox
Open properties of TestUser
Clicked on Exchange Advanced tab
Clicked on Mailbox Rights Button
Was able to add TestAdmin with "Full mailbox access" to TestUser's acct.
Opened Outlook and proxied over to view TestUser's mailbox.

Obviously having the ability to do this is NOT desired... how it can be
prevented is the question.

Thanks in advance,
Jeff
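
An added audit script, not part of this thread and not anything Microsoft ships: it walks the users in one OU and lists every mailbox-rights entry (the msExchMailboxSecurityDescriptor attribute) that grants "Full mailbox access" or "Change permissions", and flags the rows where the trustee is the user object's owner, which is exactly the "helpdesk member grants themselves access to the account they just created" case described above. Assumptions: a domain-joined host with PowerShell and System.DirectoryServices, an Exchange 2000/2003 schema, the OU DN in $OuDn (placeholder), the descriptor read through the ADSI COM interfaces (IADsSecurityDescriptor / IADsAccessControlEntry), and the access-mask bit values, which are my reading of the Exchange mailbox-rights mask and should be checked against Microsoft's documentation before you rely on them.

```powershell
# Added example (not from the thread). Audits Exchange 2003 mailbox rights under one OU
# and flags entries where the trustee is the account's own owner (i.e. its creator).
param(
    [string]$OuDn = "OU=Staff,DC=example,DC=com"   # assumed OU; replace with yours
)

# Mailbox-rights access-mask bits (assumed; verify against Microsoft's documentation)
$FULL_MAILBOX_ACCESS = 0x1
$CHANGE_PERMISSIONS  = 0x40000

# IADsAccessControlEntry constants
$ADS_ACETYPE_ACCESS_DENIED = 1        # AceType: 0 = allowed, 1 = denied
$ADS_ACEFLAG_INHERITED_ACE = 0x10     # AceFlags bit set on ACEs inherited from the store

function Get-MailboxRightsReport {
    param([string]$SearchBase)

    $root = [ADSI]"LDAP://$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Only mailbox-enabled users: homeMDB points at the mailbox store
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $user = $result.GetDirectoryEntry()
        $dn = $user.Properties["distinguishedName"].Value

        # Owner of the AD object itself: the account that created it, unless changed later
        $owner = $user.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount]).Value

        # Mailbox rights live in this attribute, returned as an IADsSecurityDescriptor COM object
        $sd = $user.Properties["msExchMailboxSecurityDescriptor"].Value
        if ($null -eq $sd) { continue }

        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -eq $ADS_ACETYPE_ACCESS_DENIED) { continue }

            $grantsFull   = ($ace.AccessMask -band $FULL_MAILBOX_ACCESS) -ne 0
            $grantsChange = ($ace.AccessMask -band $CHANGE_PERMISSIONS) -ne 0
            if (-not ($grantsFull -or $grantsChange)) { continue }

            [pscustomobject]@{
                User           = $dn
                Owner          = $owner
                Trustee        = $ace.Trustee
                FullAccess     = $grantsFull
                ChangePerms    = $grantsChange
                Inherited      = (($ace.AceFlags -band $ADS_ACEFLAG_INHERITED_ACE) -ne 0)
                TrusteeIsOwner = ($ace.Trustee -eq $owner)   # the self-granted case
            }
        }
    }
}

# Show every grant; pipe through Where-Object { $_.TrusteeIsOwner } to see only the
# accounts whose creator holds rights on the mailbox they created.
Get-MailboxRightsReport -SearchBase $OuDn | Format-Table -AutoSize
```

Run it as an account that can read the OU and the mailbox descriptors. Rows with TrusteeIsOwner set and Inherited not set are explicit entries added after the mailbox was created, which is the pattern TestAdmin produced on TestUser; rows with Inherited set come from the mailbox store's default rights, which is where a CREATOR OWNER entry, if one is present, would originate.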



"Jorge Silva" wrote:

Hi
Is that user member of any other security group with more permissions? Or
probably that user was assigned full control to that mailbox.

--
===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Jeff" <Jeff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5266EB4C-2153-492E-89A8-8F32641FF148@xxxxxxxxxxxxxxxx
Exchange 2003 SP2
Windows 2000 AD with SP4

The Delegation of Control Wizard (users and computers) was run on an OU and
the group "helpdesk" was given "Create, Delete, and Manage User Accounts"
permissions.

The Delegation of Control Wizard was then run at the Exchange Administrative
Group Level and the "helpdesk" group was given "Exchange View Only
Administrator" access.

After these two steps, members of the group "helpdesk" can create user
accounts along with a mailbox, as you would have guessed.

However, a member of the group "helpdesk", after creating a new account,
can go into the account and give their own user account full mailbox access
to that newly created account. This is NOT desired.

Strangely, a member of the "helpdesk" group cannot do the same for a
pre-existing account....only the accounts that they create.

How can this be prevented? Which one, or combination of, the 200+ extended
permissions would revoke or prohibit this?

Thanks in advance,
Jeff