Lanwench
Mon Aug 22 13:20:45 CDT 2005
In news:93C701FB-456B-480C-92B3-03830E5BB6F9@microsoft.com,
George <George@discussions.microsoft.com> typed:
> Hi,
>
> We have Exchange 2003 server and all domain admins are able to open any
> mailbox without making any permissions changes. How can I restrict
> their access so that they can't just open any mailbox they feel like?
> I have set up host monitor to alert me if they access any foreign
> mailbox, but what should I change in Exchange - they have access to
> any mailbox.
> I have added the registry key to see the security key in ESM, but
> when I look at the domain admins everything is greyed out, but they
> have full permissions. Where should I be looking?
>
> Thanks
Someone has changed this - it doesn't happen out of the box. In E2000/2003,
only the mailbox owner can access a mailbox. In addition, in E2003, members
of certain admin groups have an explicit Deny set on doing so.
It isn't a registry entry you're looking for - it's the permissions set on
either the mail store, individual mailbox, server, or root. What is the
business justification for them (or someone) having made this change to
begin with? The first place to start is by asking management what they want
people to have access to, as there is no way you can block someone with full
rights from changing this back afterwards. Are these people who really need
domain admin rights? What exactly is it they need to do? Really, most admins
should not have full domain admin access, but have delegated privileges to
do their actual work - and the password for the built-in domain admin
credentials should be closely guarded.
http://support.microsoft.com/default.aspx?scid=kb;en-us;821897 explains how
to grant access, so it may be useful in determining how to revoke it. But
the paragraph above is important.
Hire only admins you can trust.