RE: [ActiveDir] Granting Exchange Mailbox Access

[Coleman, Hunter]

Check to see if someone removed the explicit Deny for the individual account on Send-As/Receive-As at the Exchange Org level, and if not whether it's getting overridden by an explicit Allow further down the hierarchy. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, August 03, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Granting Exchange Mailbox Access That’s actually a very good idea, and I may enforce that on them.  I suppose if anything, my curiosity is getting the best of me and I’m really wondering what is different between that delegated security group and the individual account that installed Exchange which is granting full mailbox access across the board.   I just can’t find anything that actually is different between the two.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Thursday, August 03, 2006 9:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Granting Exchange Mailbox Access   A different approach is for the Exch Full Admin to simply grant him/herself Full Mailbox Access->Allow on an individual, as-needed basis. I prefer this because it requires a conscious effort on the admin's part to access someone else's mailbox, regardless of what your corporate use policies state about email being the company's property.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott Sent: Wednesday, August 02, 2006 5:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Granting Exchange Mailbox Access The perm you’re looking for is Receive As on the Mailbox store.  The problem is that delegating Exchange Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that gets replicated all the way down to the mailboxes.  So even if you grant your group the required perms, if they’ve been delegated EFA, the Deny will override it.   I’d imagine you can remove the Deny ACE manually, but we just skipped the delegation wizard and added the ACE for Receive As for our Mailbox Admins.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Wednesday, August 02, 2006 5:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Granting Exchange Mailbox Access   In an effort to cut down on service account abuse, I’ve been removing and reducing privileges left and right.  I have delegated Exchange Full Administrator rights to a few users who had previously been using the service account we originally installed Exchange 2003.   Sometimes, the Exchange Administrators will need to access a user’s mailbox to assist with various issues, and I’m having trouble delegating that right to the members of the Exchange Full Administrators group.   I have created a domain security group named simply “Exchange Full Administrators”, and I delegated Exchange Full Administrator rights to that security group at the organizational level.  So anyone in that security group “should” have full administration rights.  I’ve had to delegate a few other rights in Active Directory for some other reasons to this new security group (for instance to give this security group rights to modify the dynamic mailing list OU); however I’m having trouble finding exactly where to delegate rights to give this security group full access to everyone’s mailbox.   Any thoughts?   Thanks, ~Ben