At Tuesday, August 01, 2006 9:44 AM, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> Domain admins are "god" on a system.
>
> As a user, I am unable to access another's email box. As a domain
> admin, I am "god" and can.

For the sake of completeness for other readers (since I'm fairly certain you know this already), I'd like to point out that even domain admins cannot access Exchange 2000/2003 mailboxes by default. Microsoft puts in explicit deny ACEs for:

+ Domain Admins (AD)
+ Enterprise Admins (AD)
+ Administrator (local)
+ Exchange Administrator role (Exchange)
+ Exchange Full Administrator role (Exchange)

Because these Deny ACLs are applied at a higher level than the mailbox (IIRC, they're at the org level), they can be overridden by placing an explicit Allow ACL on the target mailbox, store, or server.

So when Susan says that domain admins are god, she means that while they do not by default have permission to look in any mailboxes, they can fairly easily grant themselves that permission.

So her points stand -- don't use a domain admin account unless you need those rights *for the task you're working on* (and drop them as soon as you don't need them) and trust your domain admins. But also audit your permissions -- modifications of these permissions will be your clue that you may have a domain admin who isn't worthy of that trust.

-- 
Devin L. Ganger                  Email: [EMAIL PROTECTED]
3Sharp LLC                       Phone: 425.882.1032
15311 NE 90th Street             Cell: 425.239.2575
Redmond, WA 98052                Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
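The mechanism Devin describes (an inherited Deny at the org level that an explicit Allow on the mailbox overrides, and the audit that catches such overrides) can be modelled in a few lines. The following is an added example, not code from the thread or from Microsoft: it applies the Windows ACE evaluation order (explicit entries before inherited ones, Deny before Allow at each level, first match wins) to a constructed mailbox ACL containing the five deny entries listed in the post, then flags any explicit Allow that contradicts an inherited Deny. The `Ace` type, the group-membership set and the sample entries are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry (hypothetical model, not the Exchange API)."""
    principal: str    # group or account name
    right: str        # e.g. "FullAccess"
    allow: bool       # True = Allow, False = Deny
    inherited: bool   # True if inherited from store/server/org, False if set on the mailbox


# The principals the post says carry a default Deny (constructed from the post's list).
ADMIN_PRINCIPALS = (
    "Domain Admins",
    "Enterprise Admins",
    "Administrator",
    "Exchange Administrator",
    "Exchange Full Administrator",
)


def default_mailbox_acl():
    """Constructed default ACL: inherited Deny FullAccess for every admin principal."""
    return [Ace(p, "FullAccess", allow=False, inherited=True) for p in ADMIN_PRINCIPALS]


def effective_access(acl, memberships, right):
    """Evaluate an ACL the way Windows canonical ordering does.

    memberships: set of principal names the caller is a member of.
    Order: explicit ACEs before inherited; within each level, Deny before Allow.
    The first matching ACE decides; no match means no access.
    """
    ordered = sorted(acl, key=lambda a: (a.inherited, a.allow))
    for ace in ordered:
        if ace.right == right and ace.principal in memberships:
            return ace.allow
    return False


def audit_overrides(acl):
    """Return explicit Allow ACEs that override an inherited Deny for the same principal/right.

    These are exactly the modifications the post recommends auditing for.
    """
    inherited_denies = {(a.principal, a.right) for a in acl if a.inherited and not a.allow}
    return [
        a for a in acl
        if not a.inherited and a.allow and (a.principal, a.right) in inherited_denies
    ]


def grant_self_access(acl, principal, right="FullAccess"):
    """Constructed illustration of a domain admin adding an explicit Allow on one mailbox."""
    return acl + [Ace(principal, right, allow=True, inherited=False)]


if __name__ == "__main__":
    acl = default_mailbox_acl()
    admin = {"Domain Admins", "Authenticated Users"}
    print("default access:", effective_access(acl, admin, "FullAccess"))   # False
    acl = grant_self_access(acl, "Domain Admins")
    print("after explicit allow:", effective_access(acl, admin, "FullAccess"))  # True
    for finding in audit_overrides(acl):
        print("AUDIT: explicit Allow overrides inherited Deny:", finding)
```

The audit function only reports explicit entries that contradict an inherited Deny, so a mailbox delegated to an ordinary user (no inherited Deny for that principal) is not flagged; the entries it does return are the ones worth correlating with change logs and a named administrator.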
