I like this approach myself and in fact recommend setting
up some sort of security system to configure this to "mailbox admins" as in most
orgs I have seen, actual mailbox maintenance at the folder level is done by
someone who isn't a service admin. Basically in the past I have set up a
website that you go into and request the access and it grants the access, it
keeps track of who was given access in a log. Then when they don't need the
access again they go back in and request it removed. If anyone requests access
but then doesn't revoke it, that shows up on a report and someone can go clean
it up or you can ask the website for what is currently delegated and have some
or all of them closed out.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 03, 2006 12:20 PM
To: [email protected]
Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

A different approach is for the Exch Full Admin to simply
grant him/herself Full Mailbox Access->Allow on an individual, as-needed
basis. I prefer this because it requires a conscious effort on the admin's part
to access someone else's mailbox, regardless of what your corporate use policies
state about email being the company's property.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 02, 2006 5:20 PM
To: [email protected]
Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

The perm you’re looking
for is Receive As on the Mailbox store. The problem is that delegating
Exchange Full Administrator adds an explicit Deny ACE to CN=First
Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
for Receive As and that gets replicated all the way down to the mailboxes.
So even if you grant your group the required perms, if they’ve been delegated
EFA, the Deny will override it. I’d imagine you can
remove the Deny ACE manually, but we just skipped the delegation wizard and
added the ACE for Receive As for our Mailbox
Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN

In an effort to cut down on service
account abuse, I’ve been removing and reducing privileges left and right.
I have delegated Exchange Full Administrator rights to a few users who had
previously been using the service account we originally installed Exchange
2003. Sometimes, the Exchange
Administrators will need to access a user’s mailbox to assist with various
issues, and I’m having trouble delegating that right to the members of the
Exchange Full Administrators group. I have created a domain security
group named simply “Exchange Full Administrators”, and I delegated Exchange Full
Administrator rights to that security group at the organizational level.
So anyone in that security group “should” have full administration rights.
I’ve had to delegate a few other rights in Active Directory for some other
reasons to this new security group (for instance to give this security group
rights to modify the dynamic mailing list OU); however I’m having trouble
finding exactly where to delegate rights to give this security group full access
to everyone’s mailbox.

Any thoughts?

Thanks,
~Ben
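
The request-and-revoke tracking described in the first message of this thread, sketched as an added example that is not part of the original e-mails: it replays a grant/revoke log and reports mailbox access that was requested but never handed back. The log format, the admin and mailbox names, and the 24-hour threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log. The line format (ISO time, action, admin, mailbox)
# is an assumption for this example, not something from the thread.
SAMPLE_LOG = """\
2006-08-01T09:00:00 GRANT  adminA user1
2006-08-01T11:30:00 REVOKE adminA user1
2006-08-01T14:00:00 GRANT  adminB user2
2006-08-02T08:15:00 GRANT  adminA user3
2006-08-02T08:20:00 REVOKE adminC user9
2006-08-03T10:00:00 GRANT  adminA user1
"""

def replay(log_text):
    """Replay GRANT/REVOKE events; return (open_grants, anomalies)."""
    open_grants = {}  # (admin, mailbox) -> time of the grant still in force
    anomalies = []    # (line number, reason) for lines that need a human look
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4 or parts[1] not in ("GRANT", "REVOKE"):
            anomalies.append((n, "malformed"))
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            anomalies.append((n, "bad timestamp"))
            continue
        key = (parts[2], parts[3])
        if parts[1] == "GRANT":
            # A repeated request must not reset the clock on an open grant.
            open_grants.setdefault(key, when)
        elif open_grants.pop(key, None) is None:
            anomalies.append((n, "revoke without grant"))
    return open_grants, anomalies

def stale(open_grants, now, max_age):
    """Open grants older than max_age, oldest first, with age in whole hours."""
    rows = [(when, admin, mbx) for (admin, mbx), when in open_grants.items()
            if now - when > max_age]
    return [(admin, mbx, int((now - when).total_seconds() // 3600))
            for when, admin, mbx in sorted(rows)]

if __name__ == "__main__":
    grants, odd = replay(SAMPLE_LOG)
    for row in stale(grants, datetime(2006, 8, 3, 12, 0), timedelta(hours=24)):
        print("still delegated:", row)
    print("needs review:", odd)
```

A revoke with no matching grant is reported rather than ignored, since it can mean access was granted outside the tracked process.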
