Solved

Mailbox Service account

Posted on 2014-03-03
Last Modified: 2014-03-03
I would like to create an account that has the ability to log on to every Exchange user's account and fully manage it, including "send as". This is for the iPhone ActiveSync setting, so users do not have to change the password on the device whenever their domain passwords are required to be changed by policy.
Question by:Yodathejedinight
7 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 39901691
That's probably not the most secure tactic. It would be best to instruct your users to log in to OWA to reset the password on their accounts if they expire and they can't get to a domain joined computer. If you set things up the way you want to, any user with an iPhone could access anyone else's mailbox with no difficulty at all.

That said, you can create a generic account with a mailbox then grant permission for that account to access mailboxes and send emails. The commands to do that in the Exchange shell are as follows:
For Full access:
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User <service account name> -AccessRights FullAccess

For send as:
Get-Mailbox -ResultSize Unlimited | Add-ADPermission -User <service account name> -ExtendedRights "Send As"
0
 

Author Comment

by:Yodathejedinight
ID: 39901712
I have tried both of those, but the email still does not load on the iPhone. When I send an email it arrives as sent from the specified service account and not the user the service account is authenticating to. Please remember this is for an ActiveSync deployment.
0
 
LVL 4

Expert Comment

by:aa-denver
ID: 39901723
If your company is a public company that comes under Sarbanes-Oxley or a health care provider under HIPAA, this would be a very bad thing to do, with legal repercussions. It would amount to a gaping security hole and let any savvy user, tech support person, or previous IT person that has the iPhone account password read anyone's email. They could use that account to read email even using OWA. I'm assuming you would never or hardly ever change this password. What if someone outside the company got hold of this information? User education as to the importance of changing the password, even on the iPhone, is the best way to go.

Because ActiveSync allows your email to go out to the Internet, this is about the same as not requiring users to ever change a password. Think about this. Your internal network is much more secure than the Internet. If your management would go along with having a non-expiring password account to access email over the Internet, they would probably think it is OK to not change passwords on their regular accounts.

But a never changing password is just bad, bad, security practice.  Even if your boss is asking you to do this, I would protest and explain.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 39901750
There's a special setup required to do this on an iPhone. The whole setup has to be manual and can't use Autodiscover. And each time the user sends an email they have to explicitly change the "from" address. I don't have an iPhone near me to test this with or give you instructions, but you are seriously better off not using this method. Just instruct your users to log in to Outlook Web Access and change their password from there when it expires. They will be prompted to do so automatically as long as Password Change is enabled, which can be done from the Exchange server easily enough, and is the default setting.
0
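The thread shows how a single "service" identity ends up with FullAccess and Send As on every mailbox, and the experts' alternative is OWA self-service password change. The following Exchange Management Shell script is an added example, not code from the thread or from Microsoft; it audits explicitly granted FullAccess and Send As delegations across all mailboxes, groups them by trustee so that one account holding rights on many mailboxes stands out, and reports whether the OWA password-change option is enabled. The $ReportPath value and the list of default trustees are assumptions; run it from an on-premises Exchange shell (2010/2013 era, as in the thread).

```powershell
# Added example: audit non-default mailbox delegations and check OWA
# self-service password change. Assumes an on-premises Exchange Management
# Shell. $ReportPath is an assumed output location.

$ReportPath = "C:\Temp\MailboxDelegationAudit.csv"   # assumed path

# Principals Exchange grants by default; anything else is a delegation that
# someone should be able to justify. (Assumed list; extend for your forest.)
$defaultTrustees = @(
    'NT AUTHORITY\SELF',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\NETWORK SERVICE'
)

$mailboxes = Get-Mailbox -ResultSize Unlimited   # default cap is 1000

$findings = foreach ($mbx in $mailboxes) {

    # FullAccess entries that were explicitly added (not inherited, not default)
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            ($_.AccessRights -contains 'FullAccess') -and
            (-not $_.IsInherited) -and
            ($defaultTrustees -notcontains $_.User.ToString()) -and
            ($_.User.ToString() -notlike 'S-1-5-21-*')   # skip orphaned SIDs
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Trustee = $_.User.ToString()
                Right   = 'FullAccess'
                Deny    = $_.Deny
            }
        }

    # Send As is an AD extended right on the user object, so query it there
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            (-not $_.IsInherited) -and
            ($defaultTrustees -notcontains $_.User.ToString())
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Trustee = $_.User.ToString()
                Right   = 'SendAs'
                Deny    = $_.Deny
            }
        }
}

# One trustee holding rights on many mailboxes is exactly the pattern the
# thread warns about: a shared identity that can read (and send as) everyone.
$byTrustee = $findings | Where-Object { -not $_.Deny } |
    Group-Object Trustee |
    Sort-Object Count -Descending |
    Select-Object @{n = 'Trustee'; e = { $_.Name }}, Count

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$byTrustee | Format-Table -AutoSize

# The recommended alternative is letting users change expired passwords in
# OWA; confirm that option has not been switched off on any Client Access server.
Get-OwaVirtualDirectory |
    Select-Object Server, Name, ChangePasswordEnabled |
    Format-Table -AutoSize
```

Any trustee near the top of the grouped list with a count close to the mailbox total deserves a review; the CSV keeps the per-mailbox detail so each grant can be removed with Remove-MailboxPermission or Remove-ADPermission once it has been judged unnecessary.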
 

Author Comment

by:Yodathejedinight
ID: 39901756
I see your points but this account will be pushed out in configuration profile and no one will ever see the account credentials but myself.
0
 
LVL 38

Accepted Solution

by:Adam Brown (earned 500 total points)
ID: 39901766
Activesync doesn't generally account for users accessing mailboxes with a different account. It's a very crippled access system that does away with a lot of features, so you're going to see a lot of weirdness if you do this the way you're suggesting. It's also going to increase your workload as users get confused as hell from having to change their From: address all the time to match their actual mailbox.
0
 

Author Comment

by:Yodathejedinight
ID: 39901792
I hear all of you and I will accept it as the answer. I will not pursue this adventure anymore, case closed. Thanks for all the comments!
0
