Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Mailbox Service account

Posted on 2014-03-03
7
Medium Priority
?
434 Views
Last Modified: 2014-03-03
I would like to create an Account that has the ability to logon to every exchange users account and fully manage including "send as"  This is for iphone active sync setting so users do not have to change the password on the device whenever their domain passwords are required to be changed by policy.
0
Comment
Question by:Yodathejedinight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39901691
That's probably not the most secure tactic. It would be best to instruct your users to log in to OWA to reset the password on their accounts if they expire and they can't get to a domain joined computer. If you set things up the way you want to, any user with an iPhone could access anyone else's mailbox with no difficulty at all.

That said, you can create a generic account with a mailbox then grant permission for that account to access mailboxes and send emails. The commands to do that in the Exchange shell are as follows:
For Full access:
get-mailbox | add-mailboxpermission -user <service account name> -accessrights fullaccess

Open in new window


For send as:
get-mailbox | add-adpermission -user <service account> -extendedrights "sendas"

Open in new window

0
 

Author Comment

by:Yodathejedinight
ID: 39901712
I have tried those both but the email still does not load on the iPhone? When I send an email it arrives as sent from the specified service account and not the user the service account is authenticating to.  Please remember this is for an activesync deployment.
0
 
LVL 4

Expert Comment

by:aa-denver
ID: 39901723
If your company is a public company that comes under Sarbanes Oxley or a health care provider under HIPAA, this would be a very bad thing to do with legal repercussions.   It would amount to a gaping security hole and let any savvy user, tech support person, previous IT person, that has the iPhone account password read anyone's email.  They could use that account to read email even using OWA.  I'm assuming you would never or hardly ever change this password.  What if someone outside the company got a hold of this information?  User education as to the importance of changing the password, even on the iphone is the best way to go.

Because activesync allows your email to go out to the Internet, this is about the same as not requiring users to ever change a password.  Think about this.  Your internal network is much more secure than the Internet.  If your management would go along with having a non-expiring password account to access email over the Internet, they would probably think it is OK to not change passwords on their regular accounts.  

But a never changing password is just bad, bad, security practice.  Even if your boss is asking you to do this, I would protest and explain.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 42

Expert Comment

by:Adam Brown
ID: 39901750
There's a special setup required to do this on an iPhone. The whole setup has to be manual and can't use Autodiscover. And each time the user sends an email they have to explicitly change the "from" address. I don't have an iPhone near me to test this with or give you instructions, but you are seriously better off not using this method. Just instruct your users to log in to Outlook Web Access and change their password from there when it expires. They will be prompted to do so automatically as long as Password Change is enabled, which can be done from the Exchange server easily enough, and is the default setting.
0
 

Author Comment

by:Yodathejedinight
ID: 39901756
I see your points but this account will be pushed out in configuration profile and no one will ever see the account credentials but myself.
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1500 total points
ID: 39901766
Activesync doesn't generally account for users accessing mailboxes with a different account. It's a very crippled access system that does away with a lot of features, so you're going to see a lot of weirdness if you do this the way you're suggesting. It's also going to increase your workload as users get confused as hell from having to change their From: address all the time to match their actual mailbox.
0
 

Author Comment

by:Yodathejedinight
ID: 39901792
I hear all of you and I will accept it as the answer.  I will not pursue this adventure anymore, case closed.  Thanks for all the comments!
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question