[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 327
  • Last Modified:

Domain Administrators open other Exchange Mailboxes

I'm running Microsoft Exchange Server 2003; Currently, I have several user accounts which are part of the 'Domain Administrators' group, and many more accounts which are 'Domain Users'.

Domain Admins are able to open MS Outlook 2003 on their desktop, and go to FILE -> OPEN -> OTHER USER'S FOLDER and then open any other user's mailbox and view all of their mail.

Domain Users are not able to open any other mailbox besides their own.

I believe it is possible to also limit Domain Admins in the same way, but how?

I've spent many hours already looking for the exact fix, but I have not found a solution yet which matches my situation.

Thanx in advance for your help!
0
mlcurry
Asked:
mlcurry
1 Solution
 
DhammikaWeeCommented:
Hi,

       In Exchange 2003 by default the full mail box permissions are not given to enterprise admins or domain admins, but in your case it seems they are given the access. You can remove those access rights to domain admin group from Exchange Manager.

Open Exchange manager > Administrative group > "First Administrative Group" ( or name of the administrative group) > "server" > "first storage group" (or storage group name) > Mail box store

right click on the Mailbox Store and goto properties
in Security tab
u can allow or deny access to the all mail boxes within that store.

So what u can do is create a different security group for deny full control for mail boxes and add all the admins to that group
then add that group to the security tab of the Mailbox store and deny full controll to the store that will solve the problem.

be carefull do not let those ppl to log in to the mail server then they can change the permissions as they are Administrators.

0
 
bilbusCommented:
on exchange 2003 domain admins by default are not permited to open other ppl's mailboxes. In exchange 5.5 they could.

sounds like somone set that up

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm

read that and undo it
0
 
DhammikaWeeCommented:
yeah I read that too just to confirm about what default rights are.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
mlcurryAuthor Commented:
thanx for the quick responses; i haven't had a chance to look into the suggestions yet, but i will as soon as i have a chance. I've not abandoned this question!
0
 
bilbusCommented:
How come i did not get a points split?
0
 
redseatechnologiesCommented:
Hi bilbus,

You didnt provide any more useful information than DhammikaWee - they had a complete set of instructions posted to achieve the desired result.

Yes the link was accurate, and also provided a solution, but DhammikaWee got in first, with a perfectly correct answer.


In future, it is far better to object to a recommendation BEFORE the moderators have closed the question.

-red
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now