Mailbox Service account

I would like to create an Account that has the ability to logon to every exchange users account and fully manage including "send as"  This is for iphone active sync setting so users do not have to change the password on the device whenever their domain passwords are required to be changed by policy.
YodathejedinightIT Systems EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSr Solutions ArchitectCommented:
That's probably not the most secure tactic. It would be best to instruct your users to log in to OWA to reset the password on their accounts if they expire and they can't get to a domain joined computer. If you set things up the way you want to, any user with an iPhone could access anyone else's mailbox with no difficulty at all.

That said, you can create a generic account with a mailbox then grant permission for that account to access mailboxes and send emails. The commands to do that in the Exchange shell are as follows:
For Full access:
get-mailbox | add-mailboxpermission -user <service account name> -accessrights fullaccess

Open in new window


For send as:
get-mailbox | add-adpermission -user <service account> -extendedrights "sendas"

Open in new window

0
YodathejedinightIT Systems EngineerAuthor Commented:
I have tried those both but the email still does not load on the iPhone? When I send an email it arrives as sent from the specified service account and not the user the service account is authenticating to.  Please remember this is for an activesync deployment.
0
aa-denverCommented:
If your company is a public company that comes under Sarbanes Oxley or a health care provider under HIPAA, this would be a very bad thing to do with legal repercussions.   It would amount to a gaping security hole and let any savvy user, tech support person, previous IT person, that has the iPhone account password read anyone's email.  They could use that account to read email even using OWA.  I'm assuming you would never or hardly ever change this password.  What if someone outside the company got a hold of this information?  User education as to the importance of changing the password, even on the iphone is the best way to go.

Because activesync allows your email to go out to the Internet, this is about the same as not requiring users to ever change a password.  Think about this.  Your internal network is much more secure than the Internet.  If your management would go along with having a non-expiring password account to access email over the Internet, they would probably think it is OK to not change passwords on their regular accounts.  

But a never changing password is just bad, bad, security practice.  Even if your boss is asking you to do this, I would protest and explain.
0
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

Adam BrownSr Solutions ArchitectCommented:
There's a special setup required to do this on an iPhone. The whole setup has to be manual and can't use Autodiscover. And each time the user sends an email they have to explicitly change the "from" address. I don't have an iPhone near me to test this with or give you instructions, but you are seriously better off not using this method. Just instruct your users to log in to Outlook Web Access and change their password from there when it expires. They will be prompted to do so automatically as long as Password Change is enabled, which can be done from the Exchange server easily enough, and is the default setting.
0
YodathejedinightIT Systems EngineerAuthor Commented:
I see your points but this account will be pushed out in configuration profile and no one will ever see the account credentials but myself.
0
Adam BrownSr Solutions ArchitectCommented:
Activesync doesn't generally account for users accessing mailboxes with a different account. It's a very crippled access system that does away with a lot of features, so you're going to see a lot of weirdness if you do this the way you're suggesting. It's also going to increase your workload as users get confused as hell from having to change their From: address all the time to match their actual mailbox.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
YodathejedinightIT Systems EngineerAuthor Commented:
I hear all of you and I will accept it as the answer.  I will not pursue this adventure anymore, case closed.  Thanks for all the comments!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.