Mailbox Service account

Posted on 2014-03-03
Last Modified: 2014-03-03
I would like to create an account that has the ability to log on to every Exchange user's account and fully manage it, including "send as". This is for iPhone ActiveSync settings so users do not have to change the password on the device whenever their domain passwords are required to be changed by policy.
Question by: Yodathejedinight
LVL 41

Expert Comment

by:Adam Brown
ID: 39901691
That's probably not the most secure tactic. It would be best to instruct your users to log in to OWA to reset the password on their accounts if they expire and they can't get to a domain joined computer. If you set things up the way you want to, any user with an iPhone could access anyone else's mailbox with no difficulty at all.

That said, you can create a generic account with a mailbox then grant permission for that account to access mailboxes and send emails. The commands to do that in the Exchange shell are as follows:
For Full access (note that Get-Mailbox returns at most 1000 objects unless -ResultSize Unlimited is given, so larger organizations would silently miss mailboxes without it):
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User <service account> -AccessRights FullAccess

For send as (the extended right is named "Send As"):
Get-Mailbox -ResultSize Unlimited | Add-ADPermission -User <service account> -ExtendedRights "Send As"
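The commands above grant one principal FullAccess and Send As on every mailbox, which is the exposure the rest of this thread warns about. The script below is an added example, not code from the thread or from Microsoft: it runs in the Exchange Management Shell (Get-Mailbox, Get-MailboxPermission and Get-ADPermission are assumed to be available) and reports which principals hold explicit, non-inherited FullAccess or Send As grants, so that an account with access to most or all mailboxes stands out. The threshold, report path and the list of ignored built-in principals are arbitrary choices for this example.

```powershell
# Added example (not from the thread): audit explicit FullAccess and Send As delegations across all mailboxes.
# Assumes the Exchange Management Shell. $Threshold, $ReportPath and $ignore are example values.
param(
    [int]$Threshold = 5,                                        # flag principals with access to this many mailboxes or more
    [string]$ReportPath = "$env:TEMP\mailbox-delegation-audit.csv"
)

# Built-in principals that appear on every mailbox and are not delegations of interest.
$ignore = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'S-1-5-*')

function Test-IgnoredPrincipal {
    param([string]$User)
    foreach ($pattern in $ignore) {
        if ($User -like $pattern) { return $true }
    }
    return $false
}

# Default ResultSize is 1000; Unlimited is required to see every mailbox.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Explicit (non-inherited, non-deny) FullAccess grants on the mailbox itself.
$fullAccess = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.AccessRights -contains 'FullAccess' -and
            -not (Test-IgnoredPrincipal $_.User.ToString())
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox   = $mbx.PrimarySmtpAddress.ToString()
                Principal = $_.User.ToString()
                Right     = 'FullAccess'
            }
        }
}

# Explicit Send As grants on the mailbox's Active Directory object.
$sendAs = foreach ($mbx in $mailboxes) {
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Send-As') -and
            -not (Test-IgnoredPrincipal $_.User.ToString())
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox   = $mbx.PrimarySmtpAddress.ToString()
                Principal = $_.User.ToString()
                Right     = 'SendAs'
            }
        }
}

$grants = @($fullAccess) + @($sendAs)
$grants | Export-Csv -Path $ReportPath -NoTypeInformation

# One principal with FullAccess on most or all mailboxes is exactly the
# "one password reads everyone's mail" situation described in this thread.
$summary = $grants |
    Group-Object Principal |
    ForEach-Object {
        New-Object PSObject -Property @{
            Principal  = $_.Name
            Mailboxes  = @($_.Group | Select-Object -ExpandProperty Mailbox -Unique).Count
            FullAccess = @($_.Group | Where-Object { $_.Right -eq 'FullAccess' }).Count
            SendAs     = @($_.Group | Where-Object { $_.Right -eq 'SendAs' }).Count
        }
    } |
    Sort-Object Mailboxes -Descending

$summary | Format-Table Principal, Mailboxes, FullAccess, SendAs -AutoSize
$summary | Where-Object { $_.Mailboxes -ge $Threshold } | ForEach-Object {
    Write-Warning ("{0} can access {1} mailboxes (FullAccess={2}, SendAs={3})" -f `
        $_.Principal, $_.Mailboxes, $_.FullAccess, $_.SendAs)
}
```

Run it periodically (or after any bulk Add-MailboxPermission / Add-ADPermission change) and keep the CSV; a diff between two runs shows delegations that were added without a matching change record.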


Author Comment

ID: 39901712
I have tried both of those, but the email still does not load on the iPhone. When I send an email it arrives as sent from the specified service account and not the user the service account is authenticating to. Please remember this is for an ActiveSync deployment.

Expert Comment

ID: 39901723
If your company is a public company that comes under Sarbanes-Oxley or a health care provider under HIPAA, this would be a very bad thing to do, with legal repercussions. It would amount to a gaping security hole and let any savvy user, tech support person, or previous IT person that has the iPhone account password read anyone's email. They could use that account to read email even using OWA. I'm assuming you would never or hardly ever change this password. What if someone outside the company got a hold of this information? User education as to the importance of changing the password, even on the iPhone, is the best way to go.

Because ActiveSync allows your email to go out to the Internet, this is about the same as not requiring users to ever change a password. Think about this. Your internal network is much more secure than the Internet. If your management would go along with having a non-expiring password account to access email over the Internet, they would probably think it is OK to not change passwords on their regular accounts.

But a never-changing password is just bad, bad security practice. Even if your boss is asking you to do this, I would protest and explain.

LVL 41

Expert Comment

by:Adam Brown
ID: 39901750
There's a special setup required to do this on an iPhone. The whole setup has to be manual and can't use Autodiscover. And each time the user sends an email they have to explicitly change the "from" address. I don't have an iPhone near me to test this with or give you instructions, but you are seriously better off not using this method. Just instruct your users to log in to Outlook Web Access and change their password from there when it expires. They will be prompted to do so automatically as long as Password Change is enabled, which can be done from the Exchange server easily enough, and is the default setting.

Author Comment

ID: 39901756
I see your points but this account will be pushed out in configuration profile and no one will ever see the account credentials but myself.
LVL 41

Accepted Solution

Adam Brown earned 500 total points
ID: 39901766
ActiveSync doesn't generally account for users accessing mailboxes with a different account. It's a very crippled access system that does away with a lot of features, so you're going to see a lot of weirdness if you do this the way you're suggesting. It's also going to increase your workload as users get confused as hell from having to change their From: address all the time to match their actual mailbox.

Author Comment

ID: 39901792
I hear all of you and I will accept it as the answer.  I will not pursue this adventure anymore, case closed.  Thanks for all the comments!
