http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
How do I grant the administrator(s) (or any other user) full mailbox rights on Exchange 2000/2003 mailboxes?
In Microsoft
Exchange Server 5.5, when you grant Service
Account Admin privileges on the Site container
to a Microsoft Windows account, you grant that
account unrestricted access to all mailboxes.
Because Exchange 2000 and Exchange Server 2003
do not use a service account, even accounts with
Enterprise Administrators rights are denied
rights to access all mailboxes, by default.
This means that Exchange
Full Administrators do not have the right to open any mailbox found on
any server within the Exchange organization.
In fact, if your logon
account is the Administrator account or is a
member of the Domain Admins or Enterprise Admins
groups, then you are explicitly denied access to
all mailboxes other than your own, even if you
otherwise have full administrative rights over
the Exchange system.
However, unlike Exchange
Server 5.5, all Exchange 2000/2003
administrative tasks can be performed without
having to grant an administrator sufficient
rights to read other people's mail.
This default
restriction can be overridden in several ways,
but doing so should be in accordance with your
organization's security and privacy policies. In
most cases, using these methods is appropriate
only in a recovery server environment.
Granting rights to a specific mailbox
Use the following procedure to
grant access to an Exchange 2000 or an Exchange
2003 mailbox:
Note: You must have the
appropriate Exchange administrative permissions
to do so.
- Start Active Directory
Users and Computers.
- On the View menu, ensure
that the Advanced Features check box is
selected.
Note: This is not necessary on Exchange Server 2003 because the Exchange Advanced tab is exposed by default.
- Right-click the user whose mailbox you want to grant access to and choose Properties.
- On the Exchange Advanced
tab, click Mailbox Rights.
- Notice that Domain Admins and Enterprise Admins have both been given Deny on Full Mailbox Access.
- Click Add, click the user
or group who you want to have access to this
mailbox, and then click OK.
- Be sure that the user or
group is selected in the Name box.
- In the Permissions list,
click Allow next to Full Mailbox Access, and
then click OK.
- Click OK all the way out.
Warning: If the Group
or User name list is empty and you only see one
line with the name of SELF - do NOT touch
the permission settings before you read
SELF Permission on Exchange Mailboxes.
Note: If
the purpose of granting such access is to permit
use of the EXMERGE utility (see
Delete Messages from Mailboxes by using EXMERGE
for an example of such a requirement), grant
Receive As permissions. You can also grant Full
Control permissions if you want complete access.
Granting rights to mailboxes located within a specific mailbox store
Use the following procedure to grant access to Exchange 2000 or Exchange 2003 mailboxes found on a specific mailbox store:
Note: You must have the
appropriate Exchange administrative permissions
to do so.
- Start Exchange System
Manager.
- Drill down to your server
object within the appropriate Administrative
Group. Expand the server object and find the
required mailbox store within the
appropriate Storage Group. Right-click it
and choose Properties.
- In the Properties window
go to the Security tab.
- Click Add, click the user
or group who you want to have access to the
mailboxes, and then click OK.
- Be sure that the user or
group is selected in the Name box.
- In the Permissions list,
click Allow next to Full Control, and then
click OK.
Note: Make sure
there is no Deny checkbox selected next to
the Send As and Receive As permissions.
- Click OK all the way out.
Granting rights to mailboxes located on a specific server
Use the following procedure to grant access to Exchange 2000 or Exchange 2003 mailboxes found on a specific server:
Note: You must have the
appropriate Exchange administrative permissions
to do so.
- Start Exchange System
Manager.
- Drill down to your server
object within the appropriate Administrative
Group. Right-click it and choose Properties.
- In the Properties window
go to the Security tab.
- Click Add, click the user
or group who you want to have access to the
mailboxes, and then click OK.
- Be sure that the user or
group is selected in the Name box.
- In the Permissions list,
click Allow next to Full Control, and then
click OK.
Note: Make sure
there is no Deny checkbox selected next to
the Send As and Receive As permissions.
- Click OK all the way out.
Note: It might take some time before the changes you've made take effect. The amount of time needed is
influenced by the number of domain controllers,
Global Catalogs and site replication schedules
and intervals. On one domain with one site
containing multiple domain controllers it might
take up to 15 minutes before you can begin using
these new permissions. On single servers that
are also DCs you can speed up the process by
restarting the Information Store service.
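Why an Allow set directly on the store or server object works for an account that is also in Domain Admins, and why the notes above say to check the Deny boxes: the following is an added example, not part of the original article, that models Windows' canonical ACE ordering in simplified form. The user alice, the group Mailbox Recovery Operators, the stand-in right Administer and the sample entries are constructed, and the model assumes the default Deny entries are inherited from a parent container.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the entry applies to
    allow: bool         # True = Allow, False = Deny
    rights: frozenset   # rights covered by this entry
    inherited: bool     # True when the entry comes from a parent container

MAIL = frozenset({"Receive As", "Send As"})
FULL = MAIL | {"Administer"}   # simplified stand-in for Full Control

def canonical(dacl):
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, principals, wanted):
    # Walk the ACEs in order; the first matching ACE that covers a right decides it.
    remaining = set(wanted)
    for ace in canonical(dacl):
        hit = remaining & ace.rights
        if ace.trustee not in principals or not hit:
            continue
        if not ace.allow:
            return False          # a still-needed right is denied
        remaining -= hit
        if not remaining:
            return True           # every requested right was allowed
    return False                  # nothing granted the remaining rights

# Constructed sample: default entries as seen on a mailbox store (all inherited).
DEFAULT = [
    Ace("Domain Admins", True, FULL, inherited=True),
    Ace("Domain Admins", False, MAIL, inherited=True),
    Ace("Enterprise Admins", True, FULL, inherited=True),
    Ace("Enterprise Admins", False, MAIL, inherited=True),
]
# alice is a Domain Admin who was also added to a hypothetical recovery group.
ALICE = {"alice", "Domain Admins", "Mailbox Recovery Operators"}
# "Allow next to Full Control" set directly on the store object (explicit ACE).
GRANTED = DEFAULT + [Ace("Mailbox Recovery Operators", True, FULL, inherited=False)]
# Same grant, but with a Deny box also ticked for Send As / Receive As.
DENY_TICKED = GRANTED + [Ace("Mailbox Recovery Operators", False, MAIL, inherited=False)]

if __name__ == "__main__":
    for label, dacl, right in [("default, open mailbox", DEFAULT, "Receive As"),
                               ("default, administer", DEFAULT, "Administer"),
                               ("explicit allow", GRANTED, "Receive As"),
                               ("allow + deny ticked", DENY_TICKED, "Receive As")]:
        print(label, "->", "granted" if access_check(dacl, ALICE, {right}) else "denied")
```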
Links
- XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 - 262054
- How to Assign Users or Groups Full Access to Other User Mailboxes - 268754