|
That’s actually a very good idea,
and I may enforce that on them. I suppose if anything, my curiosity is getting
the best of me and I’m really wondering what is different between that
delegated security group and the individual account that installed Exchange
which is granting full mailbox access across the board. I just can’t find anything that
actually is different between the two. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter A different approach is for the Exch Full
Admin to simply grant him/herself Full Mailbox Access->Allow on an
individual, as-needed basis. I prefer this because it requires a conscious
effort on the admin's part to access someone else's mailbox, regardless of what
your corporate use policies state about email being the company's property. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott The perm you’re looking for is
Receive As on the Mailbox store. The problem is that delegating Exchange
Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that
gets replicated all the way down to the mailboxes. So even if you grant
your group the required perms, if they’ve been delegated EFA, the Deny
will override it. I’d imagine you can remove the Deny
ACE manually, but we just skipped the delegation wizard and added the ACE for
Receive As for our Mailbox Admins. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN In an effort to cut down on service account abuse,
I’ve been removing and reducing privileges left and right. I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003. Sometimes, the Exchange Administrators will need to access a
user’s mailbox to assist with various issues, and I’m having
trouble delegating that right to the members of the Exchange Full
Administrators group. I have created a domain security group named simply
“Exchange Full Administrators”, and I delegated Exchange Full
Administrator rights to that security group at the organizational level.
So anyone in that security group “should” have full administration
rights. I’ve had to delegate a few other rights in Active Directory
for some other reasons to this new security group (for instance to give this
security group rights to modify the dynamic mailing list OU); however I’m
having trouble finding exactly where to delegate rights to give this security
group full access to everyone’s mailbox. Any thoughts? Thanks, ~Ben |
- Re: RE: [ActiveDir] Granting Exchange Mailbox Access victor-w
- RE: [ActiveDir] Granting Exchange Mailbox Access WATSON, BEN
- RE: [ActiveDir] Granting Exchange Mailbox Access Coleman, Hunter
- RE: [ActiveDir] Granting Exchange Mailbox Access WATSON, BEN
- RE: [ActiveDir] Granting Exchange Mailbox Access joe
