MS Exchange Server and E-mail security

A question about e-mail security. Is the only way to view someone's Exchange account from an admin perspective to change the password? Is it possible for some users to get password notifications and others not? Can you force a user to change their password the next time they log in?

Just asking because I think something is happening that shouldn't, and I am not versed in Active Directory or Exchange.

dialdn Asked:

lamaslany Commented:
"Is the only way to view someone's exchange account from an admin perspective to change the password?"
No.  An admin can give themselves full access to the mailbox and open it using their own credentials (via Outlook and OWA).

"Is it possible for some users to get password notifications and others not."
Not sure what you are referring to here.

"Can you force a user to change their password the next time they log in?"
Yes.  Using the ADU&C snap-in you can open the properties of a user within AD, click on the Account tab and tick "User must change password at next logon".

With that question in mind I'll go back to your second question.  A user will see the request to change their password when they log into a desktop session - if they access via OWA they will not see such a request (I think - I certainly don't remember it).
0
dialdn (Author) Commented:
Ok, here is the situation.  A group of us use Exchange via Outlook.  We all get notices saying "you have x days" to change your password.  Except one user who does not get the reminders.  All of a sudden they are requested to change their password (it's happened twice in a row and not before that).  The action seems suspect and may be an attempt at snooping by IS staff, but not sure?
0
isaman07 Commented:
Well, the passwords can be changed by an administrator through Active Directory Users and Computers by right-clicking on the username and choosing change password.
If you want a user to change the password the next time they log in, change their password as admin as mentioned above and check the option that says user must change password at next logon.
Yes, it is possible that some users get notifications and some others don't, only if users are members of different organizational units and there are different password policies applied on each OU.
For example, if a user is a member of the accounting organizational unit and there is a password policy applied on that department so that users must change the password every 3 months, they will get notifications automatically before the deadline whether they log on to their email accounts or Active Directory computers. Now if there are other departments where that password change period is set to 9 months, they will not get notifications as often as the accounting people.
Hope this helps.
0

dialdn (Author) Commented:
Is there a simple way to tell if the IS/IT group are looking at mail?
0
isaman07 Commented:
In Active Directory Users and Computers, check the properties of that user by right-clicking the username and choosing Properties, then click the Account tab and make sure that "Password never expires" is unchecked in the account options section, because if "Password never expires" is checked, it overrides the password policies on the organizational unit or domain level.
0
lamaslany Commented:
It may be that the password for person X was set more recently than everyone else's - this would set the clock back to 0 as it were.  (I think that the default is to change your password every 42 days).
0

dialdn (Author) Commented:
Thanks
0
isaman07 Commented:
If you have access to ESM (Exchange System Manager) you can check who last logged in to the mailbox. Or if there are new emails that are not bold.
0
dialdn (Author) Commented:
Will it log the last 5 or so or just the last one beyond the account owner?
0
lamaslany Commented:
If you enable auditing you can see who made what changes and when, but most of this is not enabled by default.  In addition an admin can always disable logging or obfuscate such attempts.  And as they are admins it would be trivial for them to crack your password or install a keylogger.  They could also capture the email traffic on the wire (as it comes into or out of the server).

If you cannot trust your admins you have a problem.
0
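One way to check the two points lamaslany raises above (a recent password set restarting the expiry clock, and auditing showing who changed what), as an added PowerShell example that is not from the thread. The user name and domain controller are hypothetical placeholders; it assumes the ActiveDirectory module and read access to the domain controller's Security log.

```powershell
# Added example. $User and $DC are hypothetical placeholders.
# Assumes the ActiveDirectory module (RSAT), rights to read the DC's Security log,
# and that "Audit User Account Management" was enabled when the change happened.
Import-Module ActiveDirectory

$User = 'jdoe'
$DC   = 'dc01.example.local'

# 1. Current password state for the account.
$u = Get-ADUser -Identity $User -Server $DC -Properties pwdLastSet, PasswordLastSet,
         PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($u.pwdLastSet -eq 0) {
    $expiry = 'must change at next logon'      # the tick box in ADU&C sets pwdLastSet to 0
} elseif ($raw -eq [Int64]::MaxValue) {
    $expiry = 'never expires'                  # flag set, or no maximum age applies
} else {
    $expiry = [DateTime]::FromFileTime($raw)
}

# 2. When pwdLastSet was last written, and on which DC the write originated.
$meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $DC `
            -Properties pwdLastSet

[pscustomobject]@{
    PasswordLastSet  = $u.PasswordLastSet
    NeverExpires     = $u.PasswordNeverExpires
    Expiry           = $expiry
    DomainMaxAge     = (Get-ADDefaultDomainPasswordPolicy -Server $DC).MaxPasswordAge
    LastPwdWriteTime = $meta.LastOriginatingChangeTime
    LastPwdWriteDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
} | Format-List

# 3. Who touched the password: 4723 = user changed own password,
#    4724 = another account reset it. Only this DC's log is searched.
Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4723, 4724 } |
    ForEach-Object {
        $evt = $_
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $evt.TimeCreated; EventId = $evt.Id
                           Target = $d['TargetUserName']; ChangedBy = $d['SubjectUserName'] }
    } |
    Where-Object { $_.Target -eq $User } |
    Sort-Object Time | Format-Table -AutoSize
```

A 4724 entry whose ChangedBy is not the account owner, close to the LastPwdWriteTime value, points to a reset by someone else rather than normal expiry. Repeat step 3 against each domain controller, since the event is recorded only on the one that processed the change.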
dialdn (Author) Commented:
That's the issue we need to sort out.  Thanks again.
0