Permissions Best Practises
Permissions within an Exchange server deployment can be one of the most difficult things to manage. With some careful planning and hindsight, management can be improved, along with strengthening the overall security of the Exchange system.
Use a Group For Exchange Permissions
This procedure works throughout the Exchange organisation and can make management of administrators permissions so much easier.
Some of the areas that it can be used for include:
- Public Folder Permissions
- Mailbox Permissions
Create a mail enabled security group called "email admins" or something like that and grant membership to the people usually administrate the email system. Include the account "administrator" (ie THE domain admin) as a member of the group as well.
This is the group that you give ownership rights on all public folders. If and administrator leaves, you only need to remove their name from the distribution group rather than go through the system removing it all individually.
For Exchange 2003, go in to ESM, Folders, Public Folders. On each folder you will need to right click and choose Properties. Click on the tab "Permissions", then the "Client Permissions" tab. Set the "email admins" group as the owner rather than individuals.
It is poor practise to grant permissions to a individual's account, unless it is for a quick change (see mailbox permissions below).
Grant permissions to groups,
Add users to groups.
More on Public Folders Permissions
There is almost no reason why the permissions on a public folder should have "Default" set to anything other than "None". Furthermore, there are very few reasons why a user should require "Owner" permissions of a folder. Owner should be restricted to the administrators of the email server and the highest rights granted should be "Publishing Editor".
More on public folder permissions in our Public Folders section.
Do not delete a former administrator's account
Another rule of thumb though is never delete a former administrator's account.
Change the password, email address etc. Possibly even remove the groups that the account was a member of, but never delete it. Disable it at most. If you then find that a previous admin has locked something down using their own account then you have access to that account which can be used to login and adjust as required.
Many email administrators, especially those that have come from an Exchange 5.5 server miss the service account permission. This allowed them access to all mailboxes without having to specify anything.
It is very poor practise to use an account in this way.
There are no normal circumstances when an administrator required permanent access to all users mailboxes.
As a policy, a good Exchange administrator should grant themselves "Full mailbox access" as required. Even if this means that the user needs to wait another minute while the setting is made. This permission should be granted to an individual user account.
Once the adjustment has been made, the "Full mailbox access" rights should be removed.
If you are having problems with the cache of mailbox permissions stopping access to the mailbox, then simply operate on the presumption that you do not have permissions and check, rather than try to access and find that you do not have permissions. If you always check then if you need to make the change, the permission will be read when you access for the first time after making the change and the new permission will be cached.
The policy of granting permissions as required can actually work in the administrators favour. With correct logging procedure this setting change will be logged, as will the removal. In the event of the user complaining about someone else reading email the logs can show that the administrator didn't have access at the time.