William,

I have found there are quite a few inherited permissions, but I still can't figure out where they come from. Here is what is on the mailbox now:

Domain\administrator - read (inherited)
domain\domain admins - delete,read,change,take ownership,full (all inherited)
domain\enterprise admins - delete,read,change,take ownership,full (all inherited)
Everyone - read (inherited)
Exchange Domain Servers - delete,read,change,take ownership,full (all inherited)
Exchange Service Account - delete,read,change,take ownership,full (all inherited)
Exchange Services - delete,read,change,take ownership,full (all inherited)
Self - Delete, full, Associated external account (not inherited)

The test user I am trying to give access to is not a member of any of the above groups except of course Everyone, but he can get access if I add him to the list with full permissions. When I put the test group in and give it full permissions (and of course he is a member of that test group) it doesn't work, even after waiting and forcing an AD replication to be sure his group membership is being evaluated.

1) Do you see anything in this ACL that would be affecting this?

2) Where the hell are all the inherited permissions coming from, I can't find a higher level in the hierarchy to modify them (in the AD or the server manager)?

3) That Everyone - read permission makes me nervous, but it was there by default on all mailboxes, and again I don't know where it is being inherited from to remove it. I have checked around on a few regular user accounts and no one can access each other's mailbox so it would seem it doesn't work anyway, but it still makes me nervous.

Thanks for your help.

Brad

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 2:27 PM
To: MS-Exchange Admin Issues
Subject: RE: Permissions In E2k

It should work for groups, too:
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q268754

Are they inheriting any other perms preventing it?

-----Original Message-----
From: Brad Metzler [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 2:01 PM
To: MS-Exchange Admin Issues
Subject: Permissions In E2k

I'm still trying to figure out exactly how permissions work in E2k, but one behavior I have discovered is a pain in the ass and I'm hoping someone can confirm this is what is supposed to be happening.

If I open a user in the Active Directory users and computer and in mailbox permissions give access to a particular active directory user (full mailbox access), then that user can open the mailbox. Duh.

If however I create a group (I've tried domain local and global) and give that group full mailbox access and add a user to that group, that user is unable to open the mailbox.

Am I to assume that you can only give mailbox rights to individual users and not to groups? Am I setting the permissions in the wrong place?

Brad

List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm