Reviewing the Full Access permissions on a mailbox using Exchange Management Console (EMC) does not show you the whole picture. Example – EMC shows no permissions for the account Domain\administrator on Joe Bloggs' mailbox, but the Get-Mailbox cmdlet tells a different story:
[PS] C:\Powershell>Get-Mailbox -Identity "Joe Bloggs" | Get-MailboxPermission | Where { $_.User.ToString() -eq "Domain\administrator"}

Identity               User                  AccessRights                             IsInherited  Deny
--------               ----                  ------------                             -----------  ----
Domain.local/Users...  Domain\administrator  {FullAccess}                             False        True
Domain.local/Users...  Domain\administrator  {FullAccess}                             False        False
Domain.local/Users...  Domain\administrator  {FullAccess}                             True         True
Domain.local/Users...  Domain\administrator  {FullAccess, DeleteItem, ReadPermiss...  True         False
I presume I can manage the non-inherited permissions with Add-MailboxPermission and Remove-MailboxPermission, but where are the inherited permissions set and how are they managed?
The mailbox in question is in the domain's Users container. I've reviewed the security on both the domain and the Users container using ADSIedit and can see no Deny permissions that apply to Domain\administrator account.
Exchange 2007 (08.03.0083.000)
Best Answer
Are you asking WHY you see the domain's Administrator account with a DENY on the mailbox? Or where the inherited rights came from?
Certain groups in AD get a hard DENY set by default on Exchange 2007, along with a lot of other "inherited" permissions that are set up by Exchange.
You can read up here for full details: http://technet.microsoft.com/en-us/library/bb310770%28v=exchg.80%29.aspx
and a brief summary here:
http://technet.microsoft.com/en-us/library/bb310792%28v=exchg.80%29.aspx
Remember as well (read the first link) that a LOT of Exchange permissions/ACLs are set in the Configuration context in the AD schema.
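The following Exchange Management Shell script is an added example, not code from the original question or answer. It takes the mailbox and account named in the question ("Joe Bloggs" and "Domain\administrator" are assumed placeholder names) and does three things: splits the mailbox's own ACEs into explicit and inherited entries, then looks for the same account on the two configuration objects the mailbox inherits from (its mailbox database and the Exchange organization object) using Get-ADPermission, and finally shows the Remove-MailboxPermission call that clears only the explicit entries. The choice of database and organization as the objects to inspect is this example's assumption about where to look first; the inherited ACE may also sit on the server or administrative group object between them.

```powershell
# Added example (not from the original post). Run in the Exchange 2007 Management Shell.
# Assumed names: mailbox "Joe Bloggs" and account "Domain\administrator" from the question.
$mailbox = Get-Mailbox -Identity "Joe Bloggs"
$user    = "Domain\administrator"

# 1. Entries on the mailbox itself, split by IsInherited.
#    Only the explicit (non-inherited) ones can be changed with
#    Add-MailboxPermission / Remove-MailboxPermission.
$perms = Get-MailboxPermission -Identity $mailbox.Identity |
    Where-Object { $_.User.ToString() -eq $user }

$explicit  = $perms | Where-Object { -not $_.IsInherited }
$inherited = $perms | Where-Object { $_.IsInherited }

"Explicit entries for $user on $($mailbox.Identity):"
$explicit  | Format-Table User, AccessRights, Deny -AutoSize
"Inherited entries for $user (set on a parent object, not editable here):"
$inherited | Format-Table User, AccessRights, Deny -AutoSize

# 2. Walk up to the objects the mailbox inherits from and list any ACE for
#    the same account. These live in the Configuration naming context, which
#    is why ADSIEdit on the domain / Users container shows nothing.
$db  = Get-MailboxDatabase -Identity $mailbox.Database
$org = Get-OrganizationConfig

foreach ($obj in @($db, $org)) {
    "ACEs for $user on $($obj.Identity):"
    Get-ADPermission -Identity $obj.DistinguishedName |
        Where-Object { $_.User.ToString() -eq $user } |
        Format-Table AccessRights, ExtendedRights, IsInherited, Deny -AutoSize
}

# 3. Clean-up of the explicit entries only (uncomment to apply). Inherited
#    entries must be changed on the parent object they come from.
# Remove-MailboxPermission -Identity $mailbox.Identity -User $user `
#     -AccessRights FullAccess -InheritanceType All -Confirm:$false
```

One caveat worth keeping in mind when reading the output: Windows evaluates a DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), so the explicit Deny FullAccess row in the question wins over the explicit Allow FullAccess row on the same mailbox regardless of what the inherited rows say. Removing an explicit Allow to "tidy up" therefore changes nothing for that account, while removing an explicit Deny can silently grant access that an inherited Allow was previously masking.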