SOLUTION: Exchange 2010 default Recipient Management group can grant Full Access mailbox permission on all Exchange 2010 mailboxes.

Updated on 22 Feb 2013

Problem:

The default Exchange 2010 Recipient Management universal security group (USG), which is also an Exchange 2010 role group, can grant Full Access mailbox permission on all Exchange 2010 mailboxes.

Tested on Exchange 2010 in a mixed Exchange organization on Windows Server 2008 R2. See the important note in the More Information section.

Symptoms:

You added account operators to the Recipient Management USG so that they can create mailboxes. The Recipient Management group is created during Exchange 2010 setup and is also a role group in the Exchange 2010 RBAC model.

But you discovered that the account operators can also grant Full Access mailbox permission to any user (including themselves) on any mailbox. That is not what you want, and it can be a serious finding in an IT audit.

Cause:

By default the Recipient Management USG (role group) has permission to run the Add-MailboxPermission and Add-MailboxFolderPermission Exchange 2010 Management Shell cmdlets (the first grants mailbox-level rights such as Full Access, the second grants rights on individual folders such as Inbox or Calendar). More precisely: the Mail Recipients management role, which contains the Add-MailboxPermission and Add-MailboxFolderPermission role entries, is assigned to the Recipient Management role group (USG). Therefore members of the Recipient Management universal security group can successfully run these cmdlets.

Resolution:

Make a copy of the default Mail Recipients management role, remove the Add-MailboxPermission and Add-MailboxFolderPermission entries from the copied role, and assign it to a new role group. Then remove the operators from the default Recipient Management USG and add them to the custom Recipient Management NoAddMbxPermission USG.

You can do this with Exchange Management Shell commands or with the RBAC Editor tool, which has a nice GUI.

Option 1: Using the Exchange Management Shell:

1- Create a new management role Mail Recipients NoAddMbxPermission as a child of the default Mail Recipients role (a child role inherits all of the parent's role entries):

New-ManagementRole -Name "Mail Recipients NoAddMbxPermission" -Parent "Mail Recipients"

2- Remove the Add-MailboxPermission and Add-MailboxFolderPermission entries from the Mail Recipients NoAddMbxPermission role (entries can only be removed from a custom role, never from the built-in parent, which is why the role was copied first):

Get-ManagementRoleEntry "Mail Recipients NoAddMbxPermission\Add-MailboxPermission" | Remove-ManagementRoleEntry

Get-ManagementRoleEntry "Mail Recipients NoAddMbxPermission\Add-MailboxFolderPermission" | Remove-ManagementRoleEntry

3- Create a new role group Recipient Management NoAddMbxPermission with the same set of roles as the default Recipient Management group, but do not add the default Mail Recipients role. Add the custom Mail Recipients NoAddMbxPermission role instead:

New-RoleGroup -Name "Recipient Management NoAddMbxPermission" -Roles "Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation", "Migration", "Message Tracking", "Move Mailboxes", "Recipient Policies", "Mail Recipients NoAddMbxPermission" -Description "Same permissions as the E2k10 Recipient Management group except Add-MailboxPermission and Add-MailboxFolderPermission"

When you run this command, a universal security group named Recipient Management NoAddMbxPermission is also created in Active Directory.

4- Remove the account operators from the default Recipient Management USG and add them to the custom Recipient Management NoAddMbxPermission USG, using the Active Directory Users and Computers console.

The operator needs to log off and log on again for the new group membership to take effect.
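The Option 1 procedure above as one script, with the check implied by the Cause section (who can effectively run the two cmdlets) run before and after the change. This is an added example by the editor, not code from the original post or from the RBAC Editor project. The role and role group names are the ones used in the post; the operator account helpdesk1 is an assumed example, and the script is meant to be run in the Exchange 2010 Management Shell by a member of Organization Management.

```powershell
# Added example (editor's, not the original post's). Run in the Exchange 2010
# Management Shell as a member of Organization Management.
# Names taken from the post; "helpdesk1" is an assumed operator account.

$sourceRole     = "Mail Recipients"
$customRole     = "Mail Recipients NoAddMbxPermission"
$sourceGroup    = "Recipient Management"
$customGroup    = "Recipient Management NoAddMbxPermission"
$blockedCmdlets = @("Add-MailboxPermission", "Add-MailboxFolderPermission")
$operators      = @("helpdesk1")   # assumed example account(s), given by Name

# Who can effectively run a cmdlet? Walk every role that contains the cmdlet
# and expand each regular (non-delegating) assignment down to individual users.
function Get-EffectiveUsersForCmdlet {
    param([Parameter(Mandatory = $true)][string]$Cmdlet)
    Get-ManagementRoleEntry "*\$Cmdlet" |
        ForEach-Object { Get-ManagementRoleAssignment -Role $_.Role -Delegating $false -GetEffectiveUsers } |
        Where-Object { $_.EffectiveUserName -ne "All Group Members" } |
        Select-Object Role, RoleAssigneeName, EffectiveUserName -Unique
}

"== Before: users who can run Add-MailboxPermission =="
Get-EffectiveUsersForCmdlet -Cmdlet "Add-MailboxPermission" | Format-Table -AutoSize

# 1. Derive the custom role from the built-in one (a child role inherits all entries).
if (-not (Get-ManagementRole $customRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $customRole -Parent $sourceRole | Out-Null
}

# 2. Strip the two entries that grant mailbox/folder access. Entries can only be
#    removed from a custom role, never from the built-in parent.
foreach ($cmdlet in $blockedCmdlets) {
    Get-ManagementRoleEntry "$customRole\$cmdlet" -ErrorAction SilentlyContinue |
        Remove-ManagementRoleEntry -Confirm:$false
}

# 3. New role group: the built-in group's roles, with the custom role swapped in
#    for "Mail Recipients". Reading the list from the built-in group instead of
#    hard-coding it keeps the copy aligned with the installed service pack.
$roles = Get-ManagementRoleAssignment -RoleAssignee $sourceGroup -Delegating $false |
    ForEach-Object { $_.Role.Name } |
    Where-Object { $_ -ne $sourceRole }
$roles += $customRole

if (-not (Get-RoleGroup $customGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $customGroup -Roles $roles `
        -Description "Recipient Management without Add-MailboxPermission / Add-MailboxFolderPermission" | Out-Null
}

# 4. Move the operators: remove from the built-in group first so that nobody is
#    left in both groups (membership in either one would be enough).
foreach ($op in $operators) {
    Remove-RoleGroupMember -Identity $sourceGroup -Member $op -Confirm:$false -ErrorAction SilentlyContinue
    Add-RoleGroupMember    -Identity $customGroup -Member $op
}

# 5a. Verify the custom role contains neither entry any more.
$leftover = Get-ManagementRoleEntry "$customRole\Add-Mailbox*Permission" -ErrorAction SilentlyContinue
if ($leftover) { throw "Custom role still contains: $($leftover.Name -join ', ')" }

# 5b. Verify no operator is still an effective user of either cmdlet through
#     any role group, USG or direct assignment.
foreach ($cmdlet in $blockedCmdlets) {
    $hits = Get-EffectiveUsersForCmdlet -Cmdlet $cmdlet |
        Where-Object { $operators -contains $_.EffectiveUserName }
    if ($hits) {
        $hits | Format-Table -AutoSize
        throw "$cmdlet is still reachable for an operator"
    }
}

"== After: users who can run Add-MailboxPermission =="
Get-EffectiveUsersForCmdlet -Cmdlet "Add-MailboxPermission" | Format-Table -AutoSize
```

The script moves the operators with Remove-RoleGroupMember and Add-RoleGroupMember instead of the ADUC console; the result is the same AD group membership, and the operators still need to log off and on again. Role group members should be user accounts or universal security groups, and the EffectiveUserName comparison in step 5b uses the account's Name, so list the operators by that value. Step 5b is an RBAC check only: it will not see Full Access granted directly on mailbox ACLs in Active Directory, which is the Exchange 2003/2007 path mentioned in the More Information section, and it will of course still list Organization Management members, who are supposed to keep the right.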

Option 2: Using the RBAC Editor:

A great tool for editing RBAC, written by my friend Can Dedeoğlu. Download it from here: http://rbac.codeplex.com/

1- Extract the files in the zip to a folder, run RBAC_Manager.exe and connect to Active Directory.

2- Right-click the default Mail Recipients role and select New Role from here. Name it Mail Recipients NoAddMbxPermission.

3- Clear the check boxes for the Add-MailboxPermission and Add-MailboxFolderPermission cmdlets.

4- Click the SAVE button above.

5- To create a new role group, click the green button.

6- Under ROLE GROUPS, right-click and select New Role Group.

7- Type the name Recipient Management NoAddMbxPermission and select the management roles for the new role group listed in Option 1 (do not add the default Mail Recipients role; add the custom Mail Recipients NoAddMbxPermission role instead):

"Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation", "Migration", "Message Tracking", "Move Mailboxes", "Recipient Policies", "Mail Recipients NoAddMbxPermission"

8- Right-click the Mail Recipients NoAddMbxPermission role and select New Role Assignment.

9- Assign it to the Recipient Management NoAddMbxPermission USG and click OK. You may need to refresh the RBAC Editor by clicking somewhere else and then clicking again.

10- Again, remove the account operators from the default Recipient Management USG and add them to the custom Recipient Management NoAddMbxPermission USG using the Active Directory Users and Computers console. The operator needs to log off and log on again for the group membership to take effect.

If the operator tries to grant Full Access using the Exchange 2010 Management Console, she/he gets an error saying that the command is not recognized (the screenshot is not reproduced here).

This is expected, because the Add-MailboxPermission cmdlet simply does not exist in the operator's session; it is not an access denied error. If the operator tries to run the cmdlet from the Exchange Management Shell, she/he of course gets the same error, and the Tab key does not complete the cmdlet name either.

 

More Information:

Important Note: If the Exchange organization is mixed, that is, it also contains Exchange 2007 or Exchange 2003 servers, you must also restrict the granting of Full Mailbox Access permission at the Active Directory level for Exchange 2007 and Exchange 2003 mailboxes; the RBAC change above only controls what can be run through the Exchange 2010 management tools. This post covers only mailboxes on Exchange 2010.

Exchange 2010 RBAC Editor Download:

http://rbac.codeplex.com/


2 Responses to SOLUTION: Exchange 2010 default Recipient Management group can grant Full Access mailbox permission on all Exchange 2010 mailboxes.

  1. Rob Walden says:

    This tool is the greatest thing since sliced butter! I needed to create a Help Desk role group and spent tons of time using the shell. I couldn't really use the GUI in EMC b/c you can't work with parameters in there. Even though I like working in the shell, the commands for RBAC get really long and cumbersome. When you need to search all cmdlets for parameters and/or role groups for their associated cmdlets, it gets really hard to keep up with what's what. This tool has blown me away with how easy it makes it. You can search from Role Groups, to Role Assignments, down to the parameters very easily and then simply use the check boxes to enable/disable whatever. And of course you can simply right-click and create new Role Groups.

    The author of this tool deserves a medal. My only complaint is that I wish I could re-size the window to where I can see more of the cmdlets and parameters and less of the Role Assignments. Otherwise; this thing rocks!!!

    • Refik Ünver says:

      So developer Can Dedeoğlu deserves the medal. I completely agree with your comments on PowerShell. Most of the time we configure sensitive things: in terms of security (the case in this blog) or any operational configuration. Also, a GUI helps you to see misconfiguration. Many times you just take a look at the system console and see what is wrong (a small check may lead to a big security issue, for example). But in PowerShell it is impossible. No one has time to learn long, long commands (especially in case of a serious problem) in this visual era where everything is visual!
