Exchange: Default Permissions on Exchange Organization
The following lists the default permissions on the Exchange Organization object at the root of Exchange System Manager (ESM). Exchange requires these permissions to work correctly. Incorrect permissions can cause problems such as the Recipient Update Service not running, security vulnerabilities in which unauthorized users have access to mailboxes other than their own, and a variety of other issues.
1. Open ESM, right-click your Exchange Org name at the root, and select Properties. Select the Security tab. If you do not see the Security tab, close ESM, go to Start, Run, and type Regedit. Navigate to:
Create a new DWORD, name it ShowSecurityPage, and give it a value of 1 (Decimal). Close the Registry Editor.
2. In ESM, right-click your Exchange Org name at the root, select Properties, and click the Security tab.
- You should see Exchange Domain Servers for each domain that you host. This group contains Exchange servers from each domain and gives access to the Exchange Configuration container in AD. The Exchange Domain Servers should also be a member of the Exchange Enterprise Servers Domain local security group.
- Authenticated Users should have special permissions (Read Properties and List Object)
- Everyone should have Create Named Properties in Information Store, Create Public Folder, Read, Execute, Read Permissions, List Contents, Read Properties, List Object
Note: By default, all users and groups listed should have Deny set for the Send As and Receive As rights, except for Exchange Domain Servers.
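As an added example (not part of the original article), the rule in the note can be checked from PowerShell instead of by eye in the Security tab. It assumes the RSAT ActiveDirectory module, a placeholder organization DN that you must replace, and the standard schema GUIDs for the Send As and Receive As extended rights.

```powershell
# Added example: audit Send As / Receive As ACEs on the Exchange organization object.
# Assumption: the ActiveDirectory module is installed (it provides the AD: drive).
Import-Module ActiveDirectory

# Placeholder DN (assumption): substitute your organization name and forest root.
$orgDn = 'CN=<ORG-NAME>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'

# rightsGuid values of the Send-As and Receive-As extended rights in the AD schema.
$rights = @{
    'Send As'    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
    'Receive As' = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
}
$exempt   = 'Exchange Domain Servers'   # the one exception named in the note
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$aces = (Get-Acl -Path "AD:\$orgDn").Access

$report = foreach ($principal in $aces | Group-Object IdentityReference) {
    foreach ($name in $rights.Keys) {
        # An ACE covers this right if it carries the ExtendedRight bit (Full Control
        # includes it) and names this right's GUID, or names no GUID at all, which
        # means "all extended rights".
        $hits = $principal.Group | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($extRight) -and
            ($_.ObjectType -eq $rights[$name] -or $_.ObjectType -eq [guid]::Empty)
        }
        $denied  = [bool]($hits | Where-Object AccessControlType -eq 'Deny')
        $allowed = [bool]($hits | Where-Object AccessControlType -eq 'Allow')
        $isExempt = $principal.Name -like "*\$exempt"

        [pscustomobject]@{
            Principal = $principal.Name
            Right     = $name
            Deny      = $denied
            Allow     = $allowed
            Finding   = if ($isExempt) { 'exempt' }
                        elseif ($allowed -and -not $denied) { 'ALLOW without deny' }
                        elseif (-not $denied) { 'deny missing' }
                        else { 'ok' }
        }
    }
}

# Rows other than 'ok' and 'exempt' differ from the defaults described above.
$report | Sort-Object Finding, Principal | Format-Table -AutoSize
```

The script only reads the ACL. A principal with Full Control and an explicit Deny shows as 'ok' because the Deny entry takes precedence.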
James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL