Nice pointer, Hunter! I had forgotten that
tidbit of info I learned a while ago that a deny doesn’t always override a
grant privilege. There was indeed an explicit grant privilege set at the
server level for that individual user account which overrides the deny
privilege set at the organizational level which had propagated downward. I
granted my Exchange Full Administrators security group the same grant privilege
that the individual account had at the server level, and now everything is
working as I was hoping.

Thanks to everyone that responded!

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter

Check to see if someone removed the
explicit Deny for the individual account on Send-As/Receive-As at the Exchange
Org level, and if not whether it's getting overridden by an explicit Allow
further down the hierarchy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN

That’s actually a very good idea,
and I may enforce that on them. I suppose if anything, my curiosity is
getting the best of me and I’m really wondering what is different between
that delegated security group and the individual account that installed
Exchange which is granting full mailbox access across the board. I just can’t find anything that
actually is different between the two.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter

A different approach is for the Exch Full
Admin to simply grant him/herself Full Mailbox Access->Allow on an
individual, as-needed basis. I prefer this because it requires a conscious
effort on the admin's part to access someone else's mailbox, regardless of what
your corporate use policies state about email being the company's property.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott

The perm you’re looking for is
Receive As on the Mailbox store. The problem is that delegating Exchange
Full Administrator adds an explicit Deny ACE to CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that
gets replicated all the way down to the mailboxes. So even if you grant
your group the required perms, if they’ve been delegated EFA, the Deny
will override it. I’d imagine you can remove the Deny
ACE manually, but we just skipped the delegation wizard and added the ACE for
Receive As for our Mailbox Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN

In an effort to cut down on service account abuse,
I’ve been removing and reducing privileges left and right. I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003 with.

Sometimes, the Exchange Administrators will need to access a
user’s mailbox to assist with various issues, and I’m having
trouble delegating that right to the members of the Exchange Full
Administrators group. I have created a domain security group named simply “Exchange
Full Administrators”, and I delegated Exchange Full Administrator rights
to that security group at the organizational level. So anyone in that
security group “should” have full administration rights.
I’ve had to delegate a few other rights in Active Directory for some
other reasons to this new security group (for instance to give this security
group rights to modify the dynamic mailing list OU); however I’m having
trouble finding exactly where to delegate rights to give this security group
full access to everyone’s mailbox.

Any thoughts?

Thanks,

~Ben
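
The ordering the thread arrives at, as an added example that is not part of the original messages: Windows evaluates a DACL in canonical order, so an Allow inherited from a nearer container is reached before a Deny inherited from further up the hierarchy. The model below is a simplification; the trustee names `install-account` and `EFA-group` and the three-level hierarchy are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # account or group name (constructed)
    right: str     # e.g. "Receive-As"

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    explicit: list = field(default_factory=list)  # ACEs set here; all treated as inheritable

def effective_dacl(node):
    """Canonical order: nearest level first, Deny before Allow within each level."""
    dacl = []
    while node is not None:
        dacl += sorted(node.explicit, key=lambda a: a.kind != "deny")
        node = node.parent
    return dacl

def access_check(node, sids, right):
    """For one right, the first ACE matching the caller decides; no match means no access."""
    for ace in effective_dacl(node):
        if ace.trustee in sids and ace.right == right:
            return ace.kind == "allow"
    return False

def shadowed_denies(node):
    """Audit: Deny ACEs preceded by an Allow for the same trustee and right."""
    allowed, hits = set(), []
    for ace in effective_dacl(node):
        key = (ace.trustee, ace.right)
        if ace.kind == "allow":
            allowed.add(key)
        elif key in allowed:
            hits.append(key)
    return hits

def build(group_allow_at_server):
    """Constructed hierarchy mirroring the thread: org -> server -> mailbox store."""
    org = Node("org"); server = Node("server", org); store = Node("store", server)
    org.explicit += [Ace("deny", "install-account", "Receive-As"),
                     Ace("deny", "EFA-group", "Receive-As")]
    server.explicit.append(Ace("allow", "install-account", "Receive-As"))
    if group_allow_at_server:
        server.explicit.append(Ace("allow", "EFA-group", "Receive-As"))
    return store
```

`shadowed_denies` is the audit view of the same rule: any pair it returns is a Deny that was set higher up but no longer has any effect on that object.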
