Please check your microsoft exchange permissions

Of the role assignment policies in your organization, one is marked as default. The default role assignment policy is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're created.

The default role assignment policy should contain the permissions that should be applied to the majority of your mailboxes. Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant permissions for users to manage only their mailbox or distribution groups they own. They can't be used to manage any other mailbox. Only end-user roles can be assigned to role assignment policies. When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role assignment policy receive the permissions granted by the role.

This enables you to add or remove permissions to sets of users without having to configure individual mailboxes. The following figure shows:. End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-user roles.

Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role assignment policy. After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox. The permissions granted by the roles are granted to the user of the mailbox.

As the name implies, it's the default role assignment policy. If you want to change the permissions provided by this role assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in this topic. To manage your permissions using role groups in Exchange Server, we recommend that you use the Exchange admin center EAC.

When you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and copy role groups with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the new role group dialog box, shown in the following figure, to perform these tasks.

If none of the role groups included with Exchange Server have the permissions you need, you can use the EAC to create a role group and add the roles that have the permissions you need. For your new role group, you'll need to:. If there's an existing role group that has some, but not all, of the permissions you need, you can copy it and then make changes to create a role group.

Copying an existing role group lets you make changes to it without affecting the original role group. As part of copying the role group, you can add a new name and description, add and remove roles to and from the new role group, and add new members.

When you create or copy a role group, you use the same dialog box that's shown in the preceding figure. Existing role groups can also be modified. You can add and remove roles from existing role groups, and add and remove members from it at the same time, using an EAC dialog box similar to the one in the preceding figure.

By adding and removing roles to and from role groups, you turn on and off administrative features for members of that role group. Although you can change which roles are assigned to built-in role groups, we recommend that you copy built-in role groups, modify the role group copy, and then add members to the role group copy.

To manage the permissions that you grant end users to manage their own mailbox in Exchange Server, we recommend that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles, remove roles, and create role assignment policies with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the role assignment policy dialog box, shown in the following figure, to perform these tasks.

This role assignment policy enables users whose mailboxes are associated with it to do the following:. View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk mail settings, and Microsoft ActiveSync devices. Modify their contact information, such as work address and phone number, mobile phone number, and pager number.

If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment policy, you can use the EAC. When you open the role assignment policy in the EAC, select the check box next to the roles you want to assign to it or clear the check box next to the roles you want to remove. The change you make to the role assignment policy is applied to every mailbox associated with it.

If you want to assign different end-user permissions to the various types of users in your organization, you can create role assignment policies. You can specify a new name for the role assignment policy, and then select the roles you want to assign to the role assignment policy. After you create a role assignment policy, you can associate it with mailboxes using the EAC.

If you want to change which role assignment policy is the default, you needs to use the Exchange Management Shell. When you change the default role assignment policy, any mailboxes that are created will be associated with the new default role assignment policy if one wasn't explicitly specified. I removed those. However it does not have special permissions. Can I get a list of which special permissions it should have?

Authenticated users had the same setup at Everyone so I removed the extra. However this one DID have the special permissions. Same problem here. The situation is exactly the same, except we don't have "everyone" listed in the full access control, in the EMC. We only have "Authenticated users" - but for all the remaining details, the problem looks the same.

Mailbox is not accessible to user if "Authenticated users" is removed from full access control list. Tried creating a different OU, or removing inherited access permissions from mailbox manually, this didn't help either.

Make sure everyone and auth users do not have receive as rights on the org level all the way down to the database level. I just gave someone access to an employee who just retired but i believe that user is just curious and start putting in names by switching to other mailboxes.

The user approached me advising that he can almost see everyone's email. I followed above instructions and it worked after couple minutes i believe the changes will take a while to propagate to all the network account. I opened up a ticket just last friday with microsoft using my access id code through msdn but i guess i do not need that anymore hoping that i did not break anything by doing this. But i checked by creating dummy account and it does work.

Office Office Exchange Server. Not an IT pro? Windows Client. Sign in. United States English. Ask a question. Quick access. Search related threads. Remove From My Forums. Asked by:. Archived Forums. I did some research and found a promising article about Exchange permissions.

Telling me to check a box to Allow inheritable permissions for the user on the Exchange Server AD object. One part I'm a little unsure of is the certificates. We use a wildcard SSL cert on the server. The active sync virtual directory is set to require ssl..

But I turned that off and unchecked require SSL in the phone settings.. Do I need to install the SSL cert on the phone? Friday, December 17, PM. Ah, Android and ActiveSync - an endless source of entertainment for the Exchange admin. Marked as answer by spex5 Monday, December 20, PM. Saturday, December 18, AM. There are no policies or password setting enabled in the active sync settings on the Exchange server an active sync test in testexchangeconnectivity.

It seems clear that I have active sync configured properly and that the problem is with Android. I broke down and downloaded touchdown and it works perfectly so far. Monday, December 20, PM. I have an Exchange and we are using Android 2. It worked for me. I have a coexistence environment with Monday, June 6, PM.