Exchange Server

Grant Full Mailbox Rights to an Administrator on Exchange 2000/2003

How do I grant the administrator(s) (or any other user) full mailbox rights on Exchange 2000/2003 mailboxes?

In Microsoft Exchange Server 5.5, when you grant Service Account Admin privileges on the Site container to a Microsoft Windows account, you grant that account unrestricted access to all mailboxes. Because Exchange 2000 and Exchange Server 2003 do not use a service account, even accounts with Enterprise Administrators rights are denied rights to access all mailboxes, by default.

This means that Exchange Full Administrators do not have the right to open any mailbox found on any server within the Exchange organization.

In fact, if your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system.

However, unlike Exchange Server 5.5, all Exchange 2000/2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.

This default restriction can be overridden in several ways, but doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.

Granting rights to a specific mailbox

Use the following procedure to grant access to an Exchange 2000 or an Exchange 2003 mailbox:

Note: You must have the appropriate Exchange administrative permissions to do so.

  1. Start Active Directory Users and Computers.
  2. On the View menu, ensure that the Advanced Features check box is selected.

Note: This is not necessary on Exchange Server 2003 because the Exchange Advanced tab is exposed by default.

  3. Right-click the user whose mailbox you want to give permissions to and choose Properties.
  4. On the Exchange Advanced tab, click Mailbox Rights.
  5. Notice that the Domain Admins and Enterprise Admins have both been given Deny access to Full Mailbox access.
  6. Click Add, click the user or group who you want to have access to this mailbox, and then click OK.
  7. Be sure that the user or group is selected in the Name box.
  8. In the Permissions list, click Allow next to Full Mailbox Access, and then click OK.
  9. Click OK all the way out.

Warning: If the Group or User name list is empty and you only see one line with the name of SELF – do NOT touch the permission settings before you read SELF Permission on Exchange Mailboxes.

Note: If the purpose of granting such access is to permit use of the EXMERGE utility (see Delete Messages from Mailboxes by using EXMERGE for an example of such a requirement), grant Receive As permissions. You can also grant Full Control permissions if you want complete access.

Granting rights to mailboxes located within a specific mailbox store

Use the following procedure to grant access to Exchange 2000 or Exchange 2003 mailboxes found on a specific mailbox store:

Note: You must have the appropriate Exchange administrative permissions to do so.

  1. Start Exchange System Manager.
  2. Drill down to your server object within the appropriate Administrative Group. Expand the server object and find the required mailbox store within the appropriate Storage Group. Right-click it and choose Properties.
  3. In the Properties window go to the Security tab.
  4. Click Add, click the user or group who you want to have access to the mailboxes, and then click OK.
  5. Be sure that the user or group is selected in the Name box.
  6. In the Permissions list, click Allow next to Full Control, and then click OK.

Note: Make sure there is no Deny checkbox selected next to the Send As and Receive As permissions.

  7. Click OK all the way out.

Granting rights to mailboxes located on a specific server

Use the following procedure to grant access to Exchange 2000 or Exchange 2003 mailboxes found on a specific server:

Note: You must have the appropriate Exchange administrative permissions to do so.

  1. Start Exchange System Manager.
  2. Drill down to your server object within the appropriate Administrative Group. Right-click it and choose Properties.
  3. In the Properties window go to the Security tab.
  4. Click Add, click the user or group who you want to have access to the mailboxes, and then click OK.
  5. Be sure that the user or group is selected in the Name box.
  6. In the Permissions list, click Allow next to Full Control, and then click OK.

Note: Make sure there is no Deny checkbox selected next to the Send As and Receive As permissions.

  7. Click OK all the way out.

Note: It might take some time before the changes you've made take effect. The amount of time needed is influenced by the number of domain controllers, Global Catalogs and site replication schedules and intervals. On one domain with one site containing multiple domain controllers it might take up to 15 minutes before you can begin using these new permissions. On single servers that are also DCs you can speed up the process by restarting the Information Store service.
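To review who ends up holding Send As, Receive As or Full Control on each mailbox store after the store-level or server-level grants above, the ACLs can be read back from the directory. The script below is an added example, not part of the original article. It assumes PowerShell 2.0 or later on a domain-joined machine, an account that can read the configuration partition, the msExchPrivateMDB object class for mailbox stores, and the standard Active Directory GUIDs for the Send-As and Receive-As rights.

```powershell
# Added example: list ACEs on mailbox stores that carry Send As, Receive As
# or Full Control, so grants made through System Manager can be reviewed.
$SendAs    = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As control access right
$ReceiveAs = [Guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'   # Receive-As control access right
$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-MailboxRightName($Rule) {
    # "Full Control" in the Security tab corresponds to GenericAll on the object.
    $mask = [int]$Rule.ActiveDirectoryRights
    if (($mask -band $GenericAll) -eq $GenericAll) { return 'Full Control' }
    if ($mask -band $ExtendedRight) {
        if ($Rule.ObjectType -eq $SendAs)       { return 'Send As' }
        if ($Rule.ObjectType -eq $ReceiveAs)    { return 'Receive As' }
        if ($Rule.ObjectType -eq [Guid]::Empty) { return 'All extended rights' }
    }
    return $null   # ACE is not relevant to mailbox access
}

# Mailbox store objects live in the configuration naming context.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.Filter     = '(objectClass=msExchPrivateMDB)'
$searcher.PageSize   = 500

$report = foreach ($hit in $searcher.FindAll()) {
    $store = $hit.GetDirectoryEntry()
    # Include explicit and inherited ACEs; a server-level grant shows up as inherited.
    $rules = $store.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        $right = Get-MailboxRightName $rule
        if ($right) {
            New-Object PSObject -Property @{
                Store     = [string]$store.Properties['cn'].Value
                Identity  = $rule.IdentityReference.Value
                Right     = $right
                Type      = $rule.AccessControlType   # Allow or Deny
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Explicit (non-inherited) entries sort first: these are the store-level grants.
$report | Sort-Object Inherited, Store | Format-Table Store, Identity, Right, Type, Inherited -AutoSize
```

Explicit Allow entries for accounts other than the expected recovery or service accounts are the ones to check against your organization's policy.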

Links

XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 – 262054

How to Assign Users or Groups Full Access to Other User Mailboxes – 268754
