all users can access all mailboxes

Status
Not open for further replies.

gurner

Technical User
Feb 13, 2002
522
US
Got a bit of a problem with a site, where all users on the domain can access all users' mailboxes.

We're not sure what caused this, but obviously it's a major concern; however, for the life of us we can't find where this permission is set.

It is an SBS 2000 server with Exchange 2000 on it.

We have been through the lot that seems relevant with ADSIEdit, PFDavAdmin, and done permissions dumps with ADModify.net and various VBS scripts, but can't seem to shed any light on it at all.

An ADModify.net dump resembles this on every single account:

--------------------------------------------------
UserDN Trustee Mask Trustee2 Mask3
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk DOMAINNAME\administrator ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk BUILTIN\Administrators ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk DOMAINNAME\DOMAINNAME01$ ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk DOMAINNAME\DOMAINNAME02$ ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk DOMAINNAME\Domain Admins ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk DOMAINNAME\Enterprise Admins ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk DOMAINNAME\Exchange Domain Servers ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk DOMAINNAME\Exchange Enterprise Servers ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk NT AUTHORITY\SYSTEM ACE_MB_FULL_ACCESS|Allowed ACE_MB_DELETE_MB_STORAGE|Allowed ACE_MB_READ_PERMISSIONS|Allowed ACE_MB_CHANGE_PERMISSION|Allowed ACE_MB_TAKE_OWNERSHIP|Allowed
LDAP://CN=Accounts,OU=COMPANY-Staff,DC=COMPANY-DOMAINNAME,DC=co,DC=uk NT AUTHORITY\SELF ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed
----------------------------------------------------

Can anyone see any abnormalities there?

It looks about right?

No users other than the Domain admin are members of any of those groups.

There are no inheritance entries on any object with Security Properties, from the Mailbox Store right up through the ESM to the AD Users and Computers OU for the Staff, that point to any groups with users in them, and no specific users either.

The only other thing I wondered about was the relevance of the OWA permissions.

OWA is working fine, but the icon in IIS is a bright red 'error', and the settings on M:\Company.co.uk\MBX (yeah, it's using the M:\) are the default 'Script Source Access', 'Read', 'Write' and 'Directory Browsing'.

Any ideas on further permissions checks or tools that can delve deeper?

Cheers

Gurner