Exchange Server Forums
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
new mailboxes cany be accessed by domain admins
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
 Limited time MSExchange.org offer! -- 1.Sep.2008 1:00:00 PM
|
|
TechGenix and SolarWinds have partnered to provide free copies of SolarWinds Exchange Monitor to all visitors who join the MSExchange.org Forums. SolarWinds Exchange Monitor is a handy desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Learn more about Exchange Monitor and the free offer!
|
new mailboxes cany be accessed by domain admins - 6.Jun.2008 12:13:36 PM
|
|
|
misamisa
Posts: 2
Joined: 6.Jun.2008
Status: offline
|
we just added a exch2k3 sp2 server ent into our org, on new hardware, on win2k3 ent sp2. i had full mailbox access throughout the entire org before we added the exch2k3 server.
only a user that has been granted full exchange access to all mailboxes in ESM and is NOT a domain admin or enterpirse admin can access the mailboxes. this special account is a domain user and account operator.
i am a domain admin and have full access to all the mailboxes, but can only access users that were in the exchange org when we started with exchange55.
Any new user that was created when we had exch2k/2k3 can NOT be accessed by a domain admin with full mailbox access. The special account i mentioned, can access all mailboxes regardless of when they were created.
the exchange55 migration was completed about 4 years ago, and we have been on exch2k ever since.
we tried to apply some hotfixes for regarding a sendas issue, but that didnt work.
Any help would be appreciated, Thank you
|
|
|
|
|
RE: new mailboxes cany be accessed by domain admins - 6.Jun.2008 6:37:52 PM
|
|
|
Sembee
Posts: 3574
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
|
I would be looking at permission inheritance. I expect the old accounts aren't inheriting permissions correctly.
The behaviour you are seeing is what I would expect. Domain Admins have an explicit deny on Full Mailbox Access. The deny overrides the allow.
If I was creating an account for full mailbox access (for example BESADMIN or an account to run exmerge) it would not be a domain admin or administrator of the Exchange server to ensure that it doesn't get the explicit deny.
I come from the school that believes an exchange administrator doesn't need full access to all mailboxes to do their job. It is not a permission I have ever asked for or been given. I don't want the finger pointed at me when something goes wrong.
Simon.
_____________________________
Simon Butler,
Exchange MVP
Blog: http://www.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.amset.co.uk/
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
