Mailbox Service account

Yodathejedinight
I would like to create an account that has the ability to log on to every Exchange user's mailbox and fully manage it, including "send as". This is for the iPhone ActiveSync setting, so users do not have to change the password on the device whenever their domain passwords are required to be changed by policy.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
That's probably not the most secure tactic. It would be best to instruct your users to log in to OWA to reset the password on their accounts if they expire and they can't get to a domain joined computer. If you set things up the way you want to, any user with an iPhone could access anyone else's mailbox with no difficulty at all.

That said, you can create a generic account with a mailbox then grant permission for that account to access mailboxes and send emails. The commands to do that in the Exchange shell are as follows:
For full access:
# Grants the service account FullAccess on every mailbox returned by Get-Mailbox
# (Get-Mailbox returns at most 1000 objects by default; add -ResultSize Unlimited for larger orgs)
get-mailbox | add-mailboxpermission -user <service account name> -accessrights fullaccess

For send as:
# The extended right is named "Send-As" (with the hyphen); "sendas" is not a valid right name
get-mailbox | add-adpermission -user <service account> -extendedrights "Send-As"
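An added example, not part of the answer above, for auditing whether blanket grants of this kind already exist before (or instead of) creating one: it lists every explicit, non-inherited FullAccess and Send-As entry that is not the mailbox owner's own SELF entry and flags any trustee that holds rights on many mailboxes. It assumes an Exchange Management Shell session and uses the Get- counterparts of the two cmdlets above; the threshold value is an assumption.

```powershell
# Audit explicit (non-inherited) mailbox delegation across all mailboxes.
# Constructed for this thread; assumes an Exchange Management Shell session.
# Grants to the mailbox owner itself (NT AUTHORITY\SELF) are normal and are skipped.
$mailboxes = Get-Mailbox -ResultSize Unlimited

$fullAccess = $mailboxes | Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        $_.AccessRights -contains 'FullAccess'
    } |
    Select-Object @{n='Mailbox'; e={$_.Identity.ToString()}},
                  @{n='Trustee'; e={$_.User.ToString()}},
                  @{n='Right';   e={'FullAccess'}}

$sendAs = $mailboxes | Get-ADPermission |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        $_.ExtendedRights -like 'Send-As'
    } |
    Select-Object @{n='Mailbox'; e={$_.Identity.ToString()}},
                  @{n='Trustee'; e={$_.User.ToString()}},
                  @{n='Right';   e={'Send-As'}}

$grants = @($fullAccess) + @($sendAs)

# One trustee holding rights on many mailboxes is the "one account can read
# everything" pattern the thread warns about. The threshold is an assumption.
$threshold = 5
$grants | Group-Object Trustee |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        "{0} holds explicit rights on {1} mailboxes" -f $_.Name, $_.Count
    }

# Full detail for review or export (pipe to Export-Csv if needed).
$grants | Sort-Object Trustee, Mailbox | Format-Table -AutoSize
```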

Yodathejedinight, IT Systems Engineer

Author

Commented:
I have tried both of those, but the email still does not load on the iPhone. When I send an email it arrives as sent from the specified service account and not from the user the service account is authenticating to. Please remember this is for an ActiveSync deployment.

If your company is a public company that comes under Sarbanes-Oxley or a health care provider under HIPAA, this would be a very bad thing to do, with legal repercussions. It would amount to a gaping security hole and let any savvy user, tech support person, or previous IT person that has the iPhone account password read anyone's email. They could use that account to read email even using OWA. I'm assuming you would never or hardly ever change this password. What if someone outside the company got hold of this information? User education as to the importance of changing the password, even on the iPhone, is the best way to go.

Because ActiveSync allows your email to go out to the Internet, this is about the same as not requiring users to ever change a password. Think about this. Your internal network is much more secure than the Internet. If your management would go along with having a non-expiring password account to access email over the Internet, they would probably think it is OK to not change passwords on their regular accounts.

But a never-changing password is just bad, bad security practice. Even if your boss is asking you to do this, I would protest and explain.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
There's a special setup required to do this on an iPhone. The whole setup has to be manual and can't use Autodiscover. And each time the user sends an email they have to explicitly change the "from" address. I don't have an iPhone near me to test this with or give you instructions, but you are seriously better off not using this method. Just instruct your users to log in to Outlook Web Access and change their password from there when it expires. They will be prompted to do so automatically as long as Password Change is enabled, which can be done from the Exchange server easily enough, and is the default setting.
Yodathejedinight, IT Systems Engineer

Author

Commented:
I see your points, but this account will be pushed out in a configuration profile and no one will ever see the account credentials but myself.
Adam Brown, Senior Systems Admin
Top Expert 2010
Commented:
Activesync doesn't generally account for users accessing mailboxes with a different account. It's a very crippled access system that does away with a lot of features, so you're going to see a lot of weirdness if you do this the way you're suggesting. It's also going to increase your workload as users get confused as hell from having to change their From: address all the time to match their actual mailbox.
Yodathejedinight, IT Systems Engineer

Author

Commented:
I hear all of you and I will accept it as the answer. I will not pursue this adventure anymore, case closed. Thanks for all the comments!