Exchange Server

SELF Permission on Exchange Mailboxes

Why is the SELF permission the only permission seen on the Mailbox Rights properties on Exchange 2000/2003 mailboxes?

MS KB 272153 has more info:

In Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003, when you create new mailbox-enabled accounts in Active Directory, they do not have inherited mailbox rights. The only object that is granted permission is Self, which is granted full mailbox access and read rights.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

To view mailbox rights, follow these steps:

  1. In Active Directory Users and Computers, click Advanced Features on the View menu.

Note: This is not necessary on Exchange Server 2003 because of the fact that the Exchange Advanced tab is exposed by default.

  1. Under Active Directory Users and Computers, click the account, click the Exchange Advanced tab, and then click Mailbox Rights.
  2. The rights are displayed in the Permissions for account name dialog box.

= Bad!

This behavior occurs because the mailbox security descriptor is not read from the Active Directory account object until the user logs on or gets mail. The Recipient Update Service (RUS) does not stamp the inherited permissions when the mailbox is created. After the mailbox is created in the store, the store calculates inherited mailbox rights.

To resolve this behavior perform one of the following actions:

  • Log on to the mailbox you’ve created. You can do so by opening an Outlook profile for the new user and running Outlook, or by opening a OWA session the the destination mailbox by typing http://servername/exchange/username in the address bar of your browser.

Note: Opening Outlook requires you to be logged on as the destination user, while OWA does not require you to be logged on as the user. However, both methods require that you know the destination user’s password.

  • Send a message to the mailbox.

Note: The second method is quicker and easier to perform, that’s why you’ll need to know how to Send Mail from Script and to Test SMTP Service in IIS and Exchange.

When the mailbox is created in the store, the store itself calculates the inherited permissions and stamps them on the store’s copy of the mailbox security descriptor.

= Good


Mailbox Rights for New Users Shows Only Self – 272153


Related Topics:

Don't leave your business open to attack! Come learn how to protect your AD in this FREE masterclass!REGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: