- In the previous article, we learned how to set mailbox access audit for delegate access and find corresponding information in the audit log. In those tests we used EMC to grant some user account Full Mailbox permission on another person’s mailbox.
- Let’s check now how we can revoke Full Access permission from a mailbox. To make this test more interesting I’ll grant Administrator user account the same Full Access mailbox permission on User2’s mailbox so there’re two user accounts – User1 and Administrator – with FA permission on User2’s mailbox:
- Let’s try to revoke FA permission on User2’ mailbox from User1 in EMC,
- …start Outlook as User1 and make sure there’s no additional (User2’s) mailbox in the left pane:
As we can see User1 does not have access to User2’s mailbox any more – exactly what we expected!
- Now let’s revoke FA permission on User2’s mailbox from Administrator user account,
- …start Outlook as Administrator and check whether User2’s mailbox has disappeared or not:Look! Administrator user account does not have any permission on User2’s mailbox; nevertheless, it still can access it!
- Now let’s look at User2 attributes in ADSI Editor:Please don’t forget to click Filter and tick “Show only attributes that have values”.
- As we can see msExchDelegateListLinkvalue is still there – after removing it Administrator user account should stop having access to User2’s mailbox.
- Let’s once again start Outlook as Administrator and see there’s no User2’ mailbox in the left pane:
In this article we found a way to circumvent the bug in EMC and remove Full Access permission from an administrative user account.