Solved

Exchange 2003

Posted on 2004-10-29
217 Views
Last Modified: 2010-08-05
I am the Exchange Administrator at my company. I am trying to find a way to view user e-mails within Exchange 2003. I have the necessary rights and have set up a group policy according to Microsoft's KB article. However, I still cannot view the e-mails. I can view the queues etc. but cannot access the e-mails.
0
Question by:mjgent
    7 Comments
     
    LVL 6

    Expert Comment

    by:nihlcat
    What prevents you from just 'Opening these Additional Mailboxes' under your mailbox?  Too many?
    0
     
    LVL 5

    Expert Comment

    by:idyllicsys
    Are you using Outlook? I have found the same problem before. I created separate profiles for each mailbox I needed to open. Don't ask me why, but it worked after resetting the permissions, even though I couldn't add their Exchange mailbox to my profile.
    0
     
    LVL 104

    Accepted Solution

    by:
    By design you cannot open every mailbox by adjusting permissions in a central place. Microsoft have blocked access.
    The only way you can give yourself access to the mailboxes is by enabling the "Full Mailbox Access" option on each individual account.
    Once you have given yourself access then you can open them in the regular way, no additional profiles required.

    However... you are on very dodgy legal grounds. Depending on your location, what you want to do could be illegal. Unless the employees have given you explicit permission, either by signing something when they joined or sending you an email, it could be a breach of their privacy.

    There are very rarely reasons why an administrator needs full access to every mailbox.

    I administrate a number of Exchange servers and I operate in the same way with all of them.

    - I do not have permissions to every mailbox.
    - If I need access then I ask the user.
    - If the user asks me, then I tell them I need to access the mailbox and is that ok.
    - If a director asks then I want it in writing. Email will be fine. It must be senior management asking.
    - I then give myself rights to the mailbox.
    - After I have done what I need to do I remove rights to the mailbox.
    Plus I have auditing turned up very high so my moves are tracked. There is no way I can be accused of reading the user's email without permission.

    Simon.
    0
     
    LVL 6

    Expert Comment

    by:nihlcat
    Sembee, I am in total agreement with you on the legal implications of reading others' mail.  The last time I brought it up I almost got my face bitten off by the asker!  At my last position, security was quite lax, and I had the authority to read EVERYONE'S mail.  It was a very uncomfortable situation, and I was happy to move on to a new job.
    0
     

    Author Comment

    by:mjgent
    While I agree with Sembee for the most part, there are other ways to access user mailboxes. As many of you know, we as Domain Administrators do not have default rights to do this; however, security groups and permissions can be configured giving us this ability. See MS KB 262054.

    Now, my reason for this post was to find a way to restore the mailstore offline should my Exchange 2003 server go down. Microsoft advises that the only way to restore "all" mailboxes offline is to have certain Exchange rights not given to admins by default. I gave myself these rights and then was able to gain access should I need to. I personally do not view user e-mails and do not condone unauthorized access in any way.
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    If you are following best practises on a backup and restore then you still don't need rights to every mailbox. If you did for backup and restore then Microsoft would have put the rights in by default.

    In the event that all mailboxes need to be restored then I restore the information store. I do not and will not do mailbox level (aka brick level) backups. They are slow, inefficient and useless in a disaster recovery scenario.
    I do not need rights to every mailbox for an information restore.

    Simon.
    0
     
    LVL 1

    Expert Comment

    by:molbrych
    All I had to do in this scenario (not for reading mail but for troubleshooting purposes at the time) was to give myself read as send as permissions access to the database, then logged into individual mailboxes with Outlook 2003 (this way I show up in the logging and can defend myself from any questions).  The others are very correct: IT in our shop depends entirely upon trust; if we can't trust you, you're gone.  You should get written approval from the president or someone high up in the chain before proceeding.  The only reason this is set up for this server is that it is in South Africa and we are on almost opposite schedules, so much of my work for them is after they have left for the day.
    0
