amset.info
from Sembee Ltd.
UK MS Exchange Consultants

Microsoft Exchange Server
Page Last Reviewed: 15/02/2009

Exchange Server Compatibility Information

Exchange Server Version    Compatible
5.5                        No
2000                       Yes
2003                       Yes
2007                       Yes
Permissions Best Practises

Author: Simon Butler, Exchange MVP, MCSE

Permissions within an Exchange server can be one of the most difficult things to manage. With some careful planning and foresight, management can be made easier and the overall security of the Exchange system strengthened at the same time.

Use a Group For Exchange Permissions

This procedure works throughout the Exchange organisation and makes management of administrators' permissions much easier.

Some of the areas that it can be used for include:

  • Public Folder Permissions
  • Mailbox Permissions

Create a mail-enabled security group called "email admins" (or something similar) and add the people who usually administer the email system as members. Include the built-in "Administrator" account (i.e. THE domain admin) as a member as well.

This is the group that you give Owner rights on all public folders. If an administrator leaves, you only need to remove their account from the group rather than go through the system removing it from every folder individually.

For Exchange 2003, go into ESM, Folders, Public Folders. On each folder you will need to right-click and choose Properties. Click on the "Permissions" tab, then the "Client Permissions" button. Set the "email admins" group as the Owner rather than individual accounts.
For Exchange 2007, you will need to use the Exchange Management Shell (Add-PublicFolderClientPermission) to set the Owner permission. http://technet.microsoft.com/en-us/library/bb310789.aspx

It is poor practice to grant permissions to an individual's account, except for a short-lived change (see Mailbox Permissions below).

Grant permissions to groups,
Add users to groups.

More on Public Folders Permissions

There is almost no reason why the permissions on a public folder should have "Default" set to anything other than "None". Furthermore, there are very few reasons why a user should require "Owner" permissions on a folder. Owner should be restricted to the email server administrators' group, and the highest right granted to ordinary users should be "Publishing Editor".

More on public folder permissions in our Public Folders section.
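As an added example (not code from the original page), the Exchange 2007 Management Shell equivalent of the two rules above applied to every public folder at once: grant the "email admins" group Owner, strip whatever rights the Default user holds so that it falls back to None, and report any individual account still holding Owner. It assumes the mail-enabled security group "email admins" already exists and that the anonymous/default permission entry reports its user as "Default" when converted to a string; run it with -WhatIf first to preview the changes.

```powershell
# Added example: enforce this page's two public folder rules on every folder.
# Requires the Exchange 2007 Management Shell. Run with -WhatIf first.
param(
    [string]$AdminGroup = "email admins",   # assumption: the group created above
    [switch]$WhatIf
)

# Walk the whole IPM public folder tree, skipping the root itself.
$folders = Get-PublicFolder -Identity "\" -Recurse -ResultSize Unlimited |
    Where-Object { $_.Identity.ToString() -ne "\" }

foreach ($folder in $folders) {
    $id    = $folder.Identity
    $perms = Get-PublicFolderClientPermission -Identity $id

    # Rule 1: the admin group, not individual accounts, owns the folder.
    $groupEntry = $perms | Where-Object { $_.User.ToString() -eq $AdminGroup }
    if (-not $groupEntry -or -not ($groupEntry.AccessRights -contains "Owner")) {
        Write-Host "Granting Owner on $id to '$AdminGroup'"
        Add-PublicFolderClientPermission -Identity $id -User $AdminGroup `
            -AccessRights Owner -WhatIf:$WhatIf
    }

    # Rule 2: "Default" should have no rights. The default entry is assumed to
    # show up with the user name "Default"; removing every right it currently
    # holds leaves it at None.
    $defaultEntries = $perms | Where-Object { $_.User.ToString() -eq "Default" }
    foreach ($entry in $defaultEntries) {
        $rights = @($entry.AccessRights | Where-Object { $_ -ne "None" })
        if ($rights.Count -gt 0) {
            Write-Host "Removing [$($rights -join ',')] from Default on $id"
            Remove-PublicFolderClientPermission -Identity $id -User Default `
                -AccessRights $rights -Confirm:$false -WhatIf:$WhatIf
        }
    }

    # Anything other than the admin group holding Owner is worth a look.
    $perms |
        Where-Object { $_.AccessRights -contains "Owner" -and $_.User.ToString() -ne $AdminGroup } |
        ForEach-Object { Write-Warning "$id : '$($_.User)' still holds Owner" }
}
```

The script only reports individual Owners rather than removing them, because the page's advice is to move ownership to the group, not to lock out whoever created the folder before you have confirmed the group has been granted.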

Do not delete a former administrator's account

Another rule of thumb: never delete a former administrator's account.

Change the password, email address etc. Possibly even remove the account from the groups it was a member of, but never delete it. Disable it at most. If you later find that a previous admin has locked something down using their own account, you still have that account, which can be used to log in and adjust as required.


Mailbox Permissions

Many email administrators, especially those who have come from Exchange 5.5, miss the service account. Exchange 5.5 ran under a service account that had access to all mailboxes without anything having to be granted explicitly.

It is very poor practice to use an account in this way.
There are no normal circumstances in which an administrator requires permanent access to all users' mailboxes.

As a policy, a good Exchange administrator should grant themselves "Full mailbox access" only as required, even if this means that the user has to wait another minute while the setting is made. This permission should be granted to the administrator's own individual user account.
Once the adjustment has been made, the "Full mailbox access" right should be removed again.

Exchange caches mailbox permissions, so if you try to open a mailbox before the right has been granted, the denial is cached and the grant you then make is not seen until the cache expires. Rather than trying to access the mailbox and finding that you do not have permission, work on the presumption that you do not have it and check first. If you always check, then make the change where needed, the new permission will be read the first time you access the mailbox after the change and cached from then on.

The policy of granting permissions as required can actually work in the administrator's favour. With a proper logging procedure the setting change will be logged, as will its removal. If a user complains that someone else has been reading their email, the logs can show that the administrator did not have access at the time.

If you need to access mailboxes en masse, for example to run ExMerge or ADModify.NET, create a dedicated account for the purpose rather than using your own, and disable it when the job is finished.
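The grant, adjust, remove and log cycle described above, as an added example for the Exchange 2007 Management Shell (this is not code from the original page). The wrapper grants one administrator Full Access to one mailbox, runs the task, and removes the right in a finally block so it is revoked even if the task fails; both events are appended to a log file. The log path and the account names are assumptions, and the Export-Mailbox task shown in the usage line assumes the management tools are installed on a machine that can write PST files.

```powershell
# Added example: hold Full Access on a mailbox only for as long as one task
# takes, and record both the grant and the removal.
# Requires the Exchange 2007 Management Shell.
function Invoke-WithTemporaryMailboxAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,        # e.g. "jsmith"
        [Parameter(Mandatory=$true)][string]$Admin,          # your own account, e.g. "DOMAIN\simon"
        [Parameter(Mandatory=$true)][scriptblock]$Task,      # the work to do while access is held
        [string]$Log = "C:\ExchangeAdmin\mailbox-access.log" # assumption: local audit log path
    )

    # Who actually ran this, for the audit trail, plus a sortable timestamp.
    $who   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $stamp = { (Get-Date).ToString("u") }

    Add-Content -Path $Log -Value "$(& $stamp) GRANT  FullAccess on '$Mailbox' to '$Admin' by $who"
    Add-MailboxPermission -Identity $Mailbox -User $Admin `
        -AccessRights FullAccess -InheritanceType All | Out-Null
    try {
        & $Task
    }
    finally {
        # Always revoke, even if the task threw an error.
        Remove-MailboxPermission -Identity $Mailbox -User $Admin `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false
        Add-Content -Path $Log -Value "$(& $stamp) REVOKE FullAccess on '$Mailbox' from '$Admin' by $who"
    }
}

# Usage: export one mailbox to a PST (Export-Mailbox needs Full Access on the
# source mailbox), then the right is removed automatically.
Invoke-WithTemporaryMailboxAccess -Mailbox "jsmith" -Admin "DOMAIN\simon" -Task {
    Export-Mailbox -Identity "jsmith" -PSTFolderPath "C:\Export" -Confirm:$false
}
```

Because of the permission cache discussed above, run the task only after the grant has been made and never "test" access beforehand; the log file gives you the before-and-after record the page recommends, and can be replaced with an event log entry if that is where your auditing lives.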

© Sembee Ltd. 1998 - 2010.
