Last Update: Sep 24, 2024 | Published: Jan 07, 2009
How do I grant the administrator(s) (or any other user) full mailbox right on Exchange 2000/2003 mailboxes?
In Microsoft Exchange Server 5.5, when you grant Service Account Admin privileges on the Site container to a Microsoft Windows account, you grant that account unrestricted access to all mailboxes. Because Exchange 2000 and Exchange Server 2003 do not use a service account, even accounts with Enterprise Administrators rights are denied rights to access all mailboxes, by default.
This means that Exchange Full Administrators do not have the right to open any mailbox found on any server within the Exchange organization.
In fact, if your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system.
However, unlike Exchange Server 5.5, all Exchange 2000/2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people s mail.
This default restriction can be overridden in several ways, but doing so should be in accordance with your organization s security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.
Use the following procedure to grant access to an Exchange 2000 or an Exchange 2003 mailbox:
Note: You must have the appropriate Exchange administrative permissions to do so.
Note: This is not necessary on Exchange Server 2003 because of the fact that the Exchange Advanced tab is exposed by default.
Warning: If the Group or User name list is empty and you only see one line with the name of SELF – do NOT touch the permission settings before you read SELF Permission on Exchange Mailboxes.
= Bad!
= Good
Note: If the purpose of granting such access is to permit use of the EXMERGE utility (see Delete Messages from Mailboxes by using EXMERGE for an example of such a requirement), grant Receive As permissions. You can also grant Full Control permissions if you want complete access.
Use the following procedure to grant access to Exchange 2000 or an Exchange 2003 mailboxes found on a specific mailbox store:
Note: You must have the appropriate Exchange administrative permissions to do so.
Note: Make sure there is no Deny checkbox selected next to the Send As and Receive As permissions.
Use the following procedure to grant access to Exchange 2000 or an Exchange 2003 mailboxes found on a specific server:
Note: You must have the appropriate Exchange administrative permissions to do so.
Note: Make sure there is no Deny checkbox selected next to the Send As and Receive As permissions.
Note: It might take some time before the changes you
ve made will take effect. The amount of time needed is influenced by the number of domain controllers, Global Catalogs and site replication schedules and intervals. On one domain with one site containing multiple domain controllers it might take up to 15 minutes before you can begin using these new permissions. On single servers that are also DCs you can speed up the process by restarting the Information Store service.You might also want to read the following related articles:
XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 – 262054
How to Assign Users or Groups Full Access to Other User Mailboxes – 268754