Recently I found out that my individual account was given FULLACCESS permission on every mailbox in Exchange. What was strange was that the permissions were INHERITED and had a DENY=TRUE on them.
How in the world did that happen? Also, how do I fix it?
I traced it back to permissions in AD on the Exchange Service:
dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"
Also it was here:
dsacls "CN=COMPANY-NAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"
So it must have happened during an Exchange CU upgrade. More specifically, during the Prepare Active Directory schema:
setup.exe /PrepareSchema
setup.exe /PrepareAD
To remove:
dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld" /R DOMAIN\Account
Or you can open ADSI > CONFIGURATION > SERVICES > MICROSOFT-EXCHANGE
- right-click > PROPERTIES
- click SECURITY tab (at the top).
If needed, you can look further down:
ADSI > CONFIGURATION > SERVICES > MICROSOFT-EXCHANGE > COMPANY-NAME > ADMINISTRATIVE-GROUPS > EXCHANGE-ADMINISTRATIVE-GROUP > SERVERS > SERVER-NAME
- right-click > PROPERTIES
- click SECURITY tab (at the top).
- click ADVANCED
Look for the account and it will show where the inheritance is coming from.
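The same lookup can be scripted, shown here as an added example that is not part of the original post: it walks from an Exchange configuration object up through its parents and reports only the ACEs set explicitly for one account, which is the object the inherited entries come from. `DOMAIN\Account`, the distinguished names and the function name `Get-ExplicitAce` are placeholders and assumptions; it only reads ACLs and changes nothing.

```powershell
# Added example (not from the original post). Read-only: lists ACEs, removes nothing.
# Placeholders: replace the account and the distinguished names with real values.
$Account = 'DOMAIN\Account'
$StartDn = 'CN=COMPANY-NAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld'
$StopDn  = 'CN=Configuration,DC=domain-name,DC=tld'

function Get-ExplicitAce {
    # Hypothetical helper: returns the ACEs for $Identity set directly on one object.
    param([string]$DistinguishedName, [string]$Identity)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # includeExplicit = $true, includeInherited = $false:
    # inherited copies are skipped, so a hit means the ACE was set on this object.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ieq $Identity) {
            [pscustomobject]@{
                SetOn     = $DistinguishedName
                Type      = $rule.AccessControlType      # Allow or Deny
                Rights    = $rule.ActiveDirectoryRights
                AppliesTo = $rule.InheritanceType        # None, All, Descendents, ...
            }
        }
    }
}

# Walk upward from the starting object until the Configuration container.
$dn = $StartDn
$found = while ($dn) {
    Get-ExplicitAce -DistinguishedName $dn -Identity $Account
    if ($dn -ieq $StopDn) { break }
    $parent = ([ADSI]"LDAP://$dn").psbase.Parent
    $dn = [string]$parent.psbase.Properties['distinguishedName'].Value
}

if ($found) {
    $found | Format-Table -AutoSize -Wrap
} else {
    "No explicit ACE for $Account between $StartDn and $StopDn"
}
```

Each row in the output names an object where the entry is set directly, which is the path to pass to `dsacls ... /R`.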