Prohibit users of an Exchange 2013 account from deleting **any** message

In an Exchange 2013 environment an account was created for specific legal issues. The user of that account shall be able to read and send mails, but shall not be able to delete or modify any message.

Is there a way to achieve this?

I am aware that external archiving solutions exist. These are already in place. I'm also aware of the Exchange dumpster and recovery bin, but I want to avoid that messages get there in the first place. Deletion and modification rights shall be removed right in OWA/Outlook/POP/IMAP etc.

Thanks for your ideas.


You could give them more granular permissions such as send-as and then grant read access for the inbox folder using Set-MailboxFolderPermission.
Staudte (Author) Commented:
@Amit: AFAIK this only makes sure that deleted items are never removed from Exchange's Recoverable Items folder. It does not prohibit that the user deletes messages in the beginning.

@VPetersen: This is concerning the user's own personal mailbox which he directly logs on to. AFAIK such access rights limitations can only be set to delegated mailboxes. Or how can I set permissions that limit the rights of the owner of a mailbox?

Amit (IT Architect) Commented:
This is the way in Exchange we put an account on legal hold. I suggest you test it on a test mailbox and try all options.
Staudte (Author) Commented:
Are you certain that it stops users from deleting messages???

In-Place-Hold is specified as such:

> When content is placed on hold, Exchange automatically captures any attempts to edit or delete data and stores those items in a hidden folder in the mailbox. It's completely invisible to the end-users so it doesn't interrupt their daily workflow, but it does keep that important data for recovery later.

(from here)

And the old litigation hold is specified here as

> When a user's mailbox is put on litigation hold, the user can delete items from their mailbox but the items are retained by Exchange.

Neither is what I need. I must stop the deletion as such, not just be able to recover what was deleted.
Amit (IT Architect) Commented:
Think logically, how can you stop a mailbox owner from deleting emails, as mailbox owners have full control over their mailbox.
Staudte (Author) Commented:
That is exactly the point. Is there a way to remove some of these full rights from the mailbox owner? Exchange (roles), NTFS, AD, etc. have fine granularity over what rights a user has. Pretty much everything can be restricted. I have a gut feeling that I should be able to remove delete-permission from the owner of a mailbox. (And also the rights to re-gain this delete-permission, of course.)
Will Szymkowski (Senior Solution Architect) Commented:

> That is exactly the point. Is there a way to remove some of these full rights from the mailbox owner?

When you provide a user access to a mailbox they have the rights to delete messages. As Amit has already stated, you can use legal hold on a specific mailbox to accomplish this.

You need to make sure that when you enable this on a mailbox that it requires an Exchange Enterprise CAL for this feature.

This is a per mailbox instance.

Staudte (Author) Commented:
@Will: I do not think that using legal hold accomplishes that a user can not delete mails. I think that a user can still delete mails, but that they are retained in a hidden folder so that they can be recovered by an admin. (See the quotes of the two technet-blogs I quoted above.)

What makes you say that legal hold stops users from deleting mails? (Other than that Amit has stated that, too.) It is in clear contradiction to technet...?!
Amit (IT Architect) Commented:

What is your end goal by restricting users from deleting emails?
Staudte (Author) Commented:
The user of this particular mailbox shall under no circumstance be able to delete or modify any mail in this mailbox.

Being able to recover deleted mails is NOT sufficient.
Amit (IT Architect) Commented:
There is no such feature available in Exchange server. The only option is to put the mailbox on legal hold. Better that you open a case with MS and tell them your requirement. Check if they have any such option available.
Staudte (Author) Commented:
Let me add that this is a management requirement.
Staudte (Author) Commented:
Sorry, overlapped with your answer
Amit (IT Architect) Commented:
I know it is a management requirement, and that's why the legal hold option is given in Exchange, and that is what all companies use. If you open an MS case, they will also suggest the same option. However, you can give it a try with MS once.
Will Szymkowski (Senior Solution Architect) Commented:

> @Will: I do not think that using legal hold accomplishes that a user can not delete mails. I think that a user can still

There is no way to completely stop a user from deleting email from an inbox. There are methods to recover the mail once deleted, i.e. Legal Hold, but that is it.

Unfortunately this is by design. If a user cannot delete email then the mailbox would always hit a quota and could not be managed by the end user.

Exchange is designed to allow the individual to manage their own mailbox accordingly.

So to your question, it cannot be done. As stated there are methods to keep the email if the email is deleted by the user but that is it.
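
As an added example (not part of the original thread): the retention approach the answers describe, as Exchange Management Shell commands, extended beyond the thread with owner audit logging so that deletions and edits are at least recorded. The mailbox alias is a placeholder, and none of this blocks the deletion itself.

```powershell
# Added example; run in the Exchange Management Shell.
# 'legal-case-mailbox' is a hypothetical alias, not a value from the thread.
$Mailbox = 'legal-case-mailbox'

# 1. Retain everything the owner deletes or edits. The owner can still
#    delete; Exchange keeps the item (or the pre-edit copy) in the hidden
#    Recoverable Items folder until the hold is removed.
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true

# 2. Record what the owner does. Owner actions are not audited unless
#    they are listed explicitly in -AuditOwner.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner Update,Move,MoveToDeletedItems,SoftDelete,HardDelete

# 3. Confirm both settings took effect.
Get-Mailbox -Identity $Mailbox |
    Format-List Name,LitigationHoldEnabled,LitigationHoldDate,AuditEnabled,AuditOwner

# 4. See where retained items accumulate (Deletions, Versions, Purges, ...).
#    Growth here means the owner has deleted or modified messages.
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Format-Table Name,ItemsInFolder,FolderSize -AutoSize

# 5. List owner deletions and edits from the last 7 days.
$Watched = 'Update','MoveToDeletedItems','SoftDelete','HardDelete'
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $Watched -contains $_.Operation } |
    Select-Object LastAccessed,Operation,LogonUserDisplayName,ItemSubject,FolderPathName
```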


Amit (IT Architect) Commented:
Surprised, I gave the right answer and you didn't select my answer. Strange.
Will Szymkowski (Senior Solution Architect) Commented:
I guess ultimately, I had stated that what the user was looking for is not possible. Yes a legal hold is a way around this but it does not stop a user from deleting email from the mailbox itself. So ultimately Legal hold is not the solution. The user's question is not possible.

Which I have outlined and described.

Amit (IT Architect) Commented:
Hi Will,

I don't think Staudte knows what options are available in Exchange. That's why Staudte posted the question here. Legal hold is the right way to accomplish this. You and I know very well how legal hold is used. The purpose of legal hold is not to tell the user that your mailbox is under legal scanning. That will alert the user. Legal hold is designed in such a way that the user shouldn't know that his or her mailbox is put on legal hold. Let the user continue normal work and data will still be saved for legal recovery.

Staudte (Author) Commented:

I have - in the original question and several times in the course of the discussion - stated, that the goal is to prohibit the user deleting mails in the beginning, and that it is not sufficient to be able to retrieve the messages again that the user has deleted. The latter is what is provided through legal hold. You have reiterated several times to use legal hold (which I have excluded as a solution) or to open a call with Microsoft to see if they have an option (which is not why I consulted EE). Consequently, you have not really provided much new information to answer the original question: Make it impossible to delete messages.

Will, on the other hand, has stated clearly that "it can not be done". Period. Although that, too, did effectively not solve the problem, it was the only concise answer I have received. And it made me stop any further efforts to reach the goal. On that end, Will has indeed provided the best possible answer to the problem. (Recalling that I did not ask for alternative ways to reach part of my goal, it's either that (make it impossible to delete) or nothing (which is what I ended up with).)

Again, thanks for your efforts here, but Will provided the correct answer.

Amit (IT Architect) Commented:
Thanks for the explanation. Looks like I should give the answer the user is expecting and avoid giving extra solutions. Lesson learned, I will keep this in mind.
Staudte (Author) Commented:
Well, please don't be disappointed. I interpret your comment as being somewhat sarcastic. Now, looking back at the discussion, had you answered

> What you want to achieve is not possible. Users will always have the rights to delete (and modify) messages. You can not change that. All you can do is enable legal hold on the accounts, which allows you to recover any such deleted messages (or the original before modification) at any time.

you would have answered my question AND would have supplied valuable extra information AND would have gotten the green thumbs up.
Amit (IT Architect) Commented:
Got the point :)
Staudte (Author) Commented:
eenookami, Amit,

I fully agree and sure hope that you, Amit, didn't get me wrong: I have much appreciated your efforts - you just didn't say what I needed to hear. Absolutely no pun intended!
