• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 412

Can Administrators read email from other user accounts on Exchange 2000?

I am doing research for a fellow Admin buddy of mine, and he asked me if Administrators can snoop through other users' email on their network. I told him I would do some research, and thus have come to all of you Experts out there. Is this possible? If so, how can it be stopped, etc.?

Thanks in advance!

Asked by: basc
1 Solution
 
brakk0Commented:
By default, members of the Administrators group are specifically denied access to other mailboxes. But, as an administrator, it is possible to remove this restriction or create a non-admin account that can access other mailboxes.

You can't stop an administrator from doing anything (that's why they are an administrator) but if they are getting into others mailboxes, you know it wasn't by accident. They had to go to a lot of effort to do it.
0
 
bascAuthor Commented:
Will there be any log of it anywhere?
0
 
brakk0Commented:
You can look in the mailbox store to see the last person to connect to a mailbox.

You can probably do more with Exchange logging, but I've never tried it before.

http://www.msexchange.org/tutorials/Diagnostics-Logging.html
0
 
bascAuthor Commented:
brakk0, your answer seems to be sufficient. I am going to keep this open for another day to elicit more comments. Thanks!
0
 
SembeeCommented:
It can't be done by default, but I see a large number of sites with the settings made so that it is possible.
I personally operate high standards in my Exchange orgs, and insist that administrators grant themselves rights on an "as required" basis, and use their account. The logging is turned up high enough to record the change. When they are done, the account is set back.

Any accounts that do need wide-scale access, such as an account for Blackberry, get a special account with limited permissions and a strong password, and the password is locked away.
The administrator account isn't used for anything other than server work.

This is how the settings change is usually done: http://support.microsoft.com/default.aspx?kbid=262054
There are other ways, such as using something like admodify.net to modify each account, but any administrator who is too lazy to set the permissions on each as required would probably use the service account trick.

My usual justification for not having the wide access is accountability. If everyone can access the accounts, in the event something goes wrong, all of your administrators could be under suspicion. If you have access at the time, then you could be accused of making the change, deleting the content etc. If the permission wasn't available at the time - and the logs prove it, then you are fine.

Simon.
0
 
SilentezCommented:
Not so easy, guys... :)
As Administrator, you can just attach the Exchange DB as a virtual disk drive and access all mails as simple .eml files. :) So no one will see anything in such a log as "last person to connect". :)
0
 
SilentezCommented:
How to create a mapped virtual drive from an Exchange DB: http://support.microsoft.com/kb/821836
0
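The thread touches three points a defender would want to tie together: brakk0's note that Exchange diagnostics logging can record who opened a mailbox, Sembee's point that permissions should be granted "as required" with logging turned up so an admin's access is provable, and Silentez's caveat that an offline copy of the database bypasses any logon record. The script below is an added example, not code from this thread or from Microsoft. It assumes the Exchange 2000/2003 "Logons" diagnostic category has been raised from its default, which causes the information store to write a "MSExchangeIS Mailbox" event 1016 whenever an account that is not the mailbox's primary Windows account logs on to it; the event records are constructed samples in that shape, and the service-account allowlist is an assumed local policy, not something the page prescribes.

```python
import re

# CONSTRUCTED samples modelled on the Exchange 2000/2003 "Logons" diagnostic
# event (source "MSExchangeIS Mailbox", event ID 1016), which is only written once
# the Logons category is raised from None. A routine store event is included so the
# filter has something to ignore.
SAMPLE_EVENTS = [
    {"id": 1016, "source": "MSExchangeIS Mailbox", "time": "2005-03-01 09:14:02",
     "message": ("Windows NT User CORP\\admin1 logged on to /o=Corp/ou=First Administrative "
                 "Group/cn=Recipients/cn=ceo mailbox, and is not the primary Windows NT "
                 "account on this mailbox.")},
    {"id": 1016, "source": "MSExchangeIS Mailbox", "time": "2005-03-01 09:20:45",
     "message": ("Windows NT User CORP\\svc-blackberry logged on to /o=Corp/ou=First "
                 "Administrative Group/cn=Recipients/cn=jdoe mailbox, and is not the primary "
                 "Windows NT account on this mailbox.")},
    {"id": 1221, "source": "MSExchangeIS Mailbox Store", "time": "2005-03-01 10:00:00",
     "message": ("The database \"First Storage Group\\Mailbox Store\" has 12 megabytes of "
                 "free space after online defragmentation has terminated.")},
]

# The logging-on account is a single token (DOMAIN\user); the mailbox is a legacy
# Exchange DN that contains spaces, so it is matched non-greedily up to " mailbox,".
LOGON_RE = re.compile(r"User (?P<user>\S+) logged on to (?P<dn>/o=.+?) mailbox,")
# The mailbox alias is the last cn= component of that DN.
ALIAS_RE = re.compile(r"cn=(?P<alias>[^/]+)$")


def parse_non_owner_logon(message):
    """Return (account, mailbox_alias) from a 1016-style message, or None if it is not one."""
    m = LOGON_RE.search(message)
    if not m:
        return None
    alias = ALIAS_RE.search(m.group("dn"))
    return m.group("user"), (alias.group("alias") if alias else m.group("dn"))


def find_non_owner_logons(events, allowed_accounts=frozenset()):
    """List every non-owner mailbox logon, excluding accounts on an explicit allowlist.

    allowed_accounts is the assumed local policy from Sembee's post: a small set of
    dedicated service accounts (e.g. the Blackberry connector) that are expected to
    open other mailboxes. Everything else is reported so it can be matched against
    a change ticket that granted the permission for that window.
    """
    allowed = {a.lower() for a in allowed_accounts}
    findings = []
    for ev in events:
        if ev["id"] != 1016 or ev["source"] != "MSExchangeIS Mailbox":
            continue
        parsed = parse_non_owner_logon(ev["message"])
        if parsed is None:
            continue
        account, mailbox = parsed
        if account.lower() in allowed:
            continue
        findings.append({"time": ev["time"], "account": account, "mailbox": mailbox})
    return findings


if __name__ == "__main__":
    # Caveat from Silentez's post: only store logons appear here. An administrator
    # who copies the .edb and mounts it offline never logs on to the mailbox, so
    # pair this with file-access auditing on the database, log and backup paths.
    for f in find_non_owner_logons(SAMPLE_EVENTS, {"CORP\\svc-blackberry"}):
        print(f"{f['time']}  {f['account']} opened mailbox '{f['mailbox']}' (non-owner)")
```

Run against the samples, the report shows only the `CORP\admin1` logon to the `ceo` mailbox; the Blackberry service account is suppressed by the allowlist and the defragmentation event is ignored. Because the allowlist is matched case-insensitively, the same entry covers `corp\SVC-BLACKBERRY` as it might be written in another export.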
