Mailbox inherited permissions

Question

Mailbox inherited permissions

Hi!
Some time ago our exchange administrator quit. His account was disabled and removed from all AD security groups.
But now if I do Get-MailboxPermissions cmdlet against any mailbox (old one or created after our administrator quit), I can see this:
Пользовательское изображение

This user has FullAccess permission for any mailboxes. And judging by the screenshot, these rights are inherited from somewhere.
My question is: how can I find from where this permissions are inherited, or how can prevent granting this permissions on newly created mailboxes?

Комментариев: 0

Ответ, принятый автором вопроса

Дополнительные ответы: 0

Ваш ответ

Answer 1

Vergil-V 12,785 Внешний персонал Microsoft Модератор

Hi Евгений Котляревский
Thanks for reaching out to the Microsoft Q&A forum.

Based on your inquiry, I understand that you're looking to identify the source of inherited permissions.

Based on my research, your assumption is correct. The admin user may still be inheriting permissions from other Active Directory groups such as Administrators or Domain Admins. undefined To investigate further, I recommend using the Get-ADPrincipalGroupMembership PowerShell cmdlet. This command can help identify whether the admin account is still a member of any AD groups that might be contributing to inherited permissions.

As moderators of this forum, we unfortunately do not have access to a dedicated testing environment to replicate every scenario. However, your feedback and updates are incredibly valuable. If you’re able to share the results after running Get-ADPrincipalGroupMembership, it would help us better understand your situation and refine our guidance.

Please know that while our initial response may not have resolved the issue immediately, we are committed to working with you to find the best solution. Your input plays a crucial role in that process.

Thank you again for your understanding and collaboration.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Евгений Котляревский 61 Баллы репутации

2025-08-27T07:34:37.3566667+00:00

Hi!
Thanks for you answer!
I ran Get-ADPrincipalGroupMembership against account. The only groups user belongs - is "domain users". As I wrote in start message I have remove user from all domain groups. So group membership isn't the reason I suppose.
What can I check else?
Vergil-V 12,785 Баллы репутации Внешний персонал Microsoft Модератор

2025-08-27T10:02:39.8966667+00:00

Hi @Евгений Котляревский
Thank you for your update, and I appreciate your continued efforts in investigating the issue.

Based on further research, you might consider using the ADSI Edit tool to explore permissions in more detail. According to insights shared by other community members, it's possible to audit permissions by navigating through the following path in ADSI Edit: Configuration > Services > Microsoft Exchange > Domain > Administrative Groups > Databases

Please proceed with caution when using ADSI Edit, as it directly interacts with Active Directory. Make sure to back up your environment before making any changes to avoid unintended consequences.

If you have any new findings or need further assistance, please don’t hesitate to reach out. I’m here to help however I can.
Евгений Котляревский 61 Баллы репутации

2025-08-28T09:45:49.07+00:00
Hi!
I've looked into ADSI to "Configuration > Services > Microsoft Exchange > Domain > Administrative Groups > Databases" and yes, I've found that that our fired administrator has rights to it:

I started to climb higher up the tree and found the source of rights - Configuration > Services > Microsoft Exchange:

And now there is two questions:

Was this permissions added manually or it is some default thing?

Is it safe to remove this permissions? In my opinion, nothing terrible should happen. But you never know
Vergil-V 12,785 Баллы репутации Внешний персонал Microsoft Модератор

2025-08-29T08:19:46.9533333+00:00

Hi @Евгений Котляревский
Thank you for your continued engagement.
From my research, if the admin account was initially used during the setup of Exchange Server, it would typically be granted permissions automatically.

As mentioned earlier, it's not recommended to modify settings using ADSI Edit without a proper backup, due to the potential risks involved. That said, I came across a PowerShell cmdlet that may help: Remove-ADPermission, this can be used to remove specific permissions. When using this command, you can specify the Distinguished Name (DN) path to target the appropriate object.

I hope this information helps you move forward in finding a solution.

If your issue has been addressed, please consider marking any helpful responses as Accepted Answers. This helps others in the community find useful guidance more easily and keeps the conversation productive for everyone.

Thanks again for your time, and feel free to reach out if you have any further questions or updates.
Евгений Котляревский 61 Баллы репутации

2025-08-29T20:35:12.7533333+00:00

Thank you, @Vergil-V !
I have removed founded permission from "Configuration > Services > Microsoft Exchange:" And after that permissions gone from all mailboxes, as I want.
Thank you for your help!
Vergil-V 12,785 Баллы репутации Внешний персонал Microsoft Модератор

2025-09-01T10:02:45.0033333+00:00

Hi @Евгений Котляревский
Thank you for your update.
I'm glad to hear that my response was helpful to you.
If you found my initial response helpful and it provided the insight you were looking for, please consider marking it as the “Accepted Answer”.
This helps others in the community who may be facing a similar issue to find a solution more easily.
Thanks again for your time

Поделиться через

Mailbox inherited permissions

Дополнительные ответы: 0

Ваш ответ