Unexpected Permissions Appearing on Exchange Server Mailboxes

Over on Reddit there’s a question about unexpected permissions appearing on mailboxes.

Exchange mailbox user objects inherit a number of permissions that are necessary for the day-to-day running of the Exchange Server environment. These are a mixture of permissions that Exchange Server computer accounts need, as well as the permissions for the various administrative roles.

Non-inherited permissions include those such as granting a user full access to another user’s mailbox.

However, sometimes when looking at the permissions on a mailbox an admin will notice users or groups that have permissions to the mailbox via inheritance.

Usually I find this is due to the lazy administrative approach of granting the permissions at the mailbox database level. For example, this command will grant Alan Reid full access to all mailboxes in the database DB01.

[PS] C:\>Get-MailboxDatabase DB01 | Add-ADPermission -User alan.reid -AccessRights GenericAll
Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
DB01                 ESPNET\Alan.Reid     False False

Alan can now open any of those mailboxes in DB01, any time he wants to. This might seem convenient, but it is not a very good approach from an auditing perspective. I much prefer that admins grant themselves access to mailboxes on a case-by-case basis, then remove it afterwards. These actions are then logged in the admin audit log and can be correlated against things like support tickets raised by the end user, or approval emails from a manager.

If you suspect this has happened in your environment, you can look for non-inherited permissions at the mailbox database level, for example:

[PS] C:\>Get-MailboxDatabase DB01 | Get-ADPermission | Where {$_.IsInherited -eq $false}
Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
DB01                 ESPNET\Alan.Reid     False False

Removing the permissions is easy as well.

[PS] C:\>Get-MailboxDatabase DB01 | Remove-ADPermission -User alan.reid -AccessRights GenericAll
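The two steps above, extended to every database in the organisation, as an added PowerShell example that is not from the original article: it reports explicit (non-inherited) grants, pulls the matching Add-ADPermission entries from the admin audit log so each grant can be traced to whoever added it, and only removes anything when run with -Remove. The $expected exclusion list and the 90-day audit window are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
param(
    [switch]$Remove   # without -Remove the script only reports
)

# Principals that often hold explicit ACEs legitimately (assumed; adjust for your org).
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF')

# Step 1: explicit, non-Deny ACEs on every mailbox database
$findings = foreach ($db in Get-MailboxDatabase) {
    Get-ADPermission -Identity $db.Identity |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            ($expected -notcontains $_.User.ToString())
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Database       = $db.Name
                User           = $_.User.ToString()
                AccessRights   = $_.AccessRights     # kept as an array for Remove-ADPermission
                ExtendedRights = $_.ExtendedRights
            }
        }
}

'Explicit database-level grants:'
$findings | Select-Object Database, User,
    @{n='AccessRights';e={$_.AccessRights -join ','}},
    @{n='ExtendedRights';e={$_.ExtendedRights -join ','}} | Format-Table -AutoSize

# Step 2: who granted them? Add-ADPermission is recorded by admin audit logging.
$since = (Get-Date).AddDays(-90)   # assumed look-back window
'Add-ADPermission calls in the admin audit log:'
Search-AdminAuditLog -Cmdlets Add-ADPermission -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified,
        @{n='Parameters';e={($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '}} |
    Format-Table -AutoSize

# Step 3: optional cleanup, one confirmation prompt per ACE
if ($Remove) {
    foreach ($f in $findings) {
        $db = Get-MailboxDatabase $f.Database
        if ($f.AccessRights)   { $db | Remove-ADPermission -User $f.User -AccessRights $f.AccessRights -Confirm }
        if ($f.ExtendedRights) { $db | Remove-ADPermission -User $f.User -ExtendedRights $f.ExtendedRights -Confirm }
    }
}
```

Each removal is itself written to the admin audit log, so the cleanup leaves the same trail the article recommends for the original grant.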

This article Unexpected Permissions Appearing on Exchange Server Mailboxes is © 2014 ExchangeServerPro.com
