Grant Full Mailbox Rights to an Administrator on Exchange 2000/2003

Last Update: Sep 24, 2024 | Published: Jan 07, 2009

SHARE ARTICLE

How do I grant the administrator(s) (or any other user) full mailbox right on Exchange 2000/2003 mailboxes?

In Microsoft Exchange Server 5.5, when you grant Service Account Admin privileges on the Site container to a Microsoft Windows account, you grant that account unrestricted access to all mailboxes. Because Exchange 2000 and Exchange Server 2003 do not use a service account, even accounts with Enterprise Administrators rights are denied rights to access all mailboxes, by default.
This means that Exchange Full Administrators do not have the right to open any mailbox found on any server within the Exchange organization.
In fact, if your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system.
However, unlike Exchange Server 5.5, all Exchange 2000/2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other peoples mail.
This default restriction can be overridden in several ways, but doing so should be in accordance with your organizations security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.

Granting right to a specific mailbox

Use the following procedure to grant access to an Exchange 2000 or an Exchange 2003 mailbox:
Note: You must have the appropriate Exchange administrative permissions to do so.

  1. Start Active Directory Users and Computers.
  2. On the View menu, ensure that the Advanced Features check box is selected.

Note: This is not necessary on Exchange Server 2003 because of the fact that the Exchange Advanced tab is exposed by default.

  1. Right-click the user whose mailbox you want to give permissions to and choose Properties.

  1. On the Exchange Advanced tab, click Mailbox Rights.

  1. Notice that the Domain Admins and Enterprise Admins have both been given Deny access to Full Mailbox access.
  2. Click Add, click the user or group who you want to have access to this mailbox, and then click OK.
  3. Be sure that the user or group is selected in the Name box.
  4. In the Permissions list, click Allow next to Full Mailbox Access, and then click OK.

  1. Click Ok all the way out.

Warning: If the Group or User name list is empty and you only see one line with the name of SELF – do NOT touch the permission settings before you read SELF Permission on Exchange Mailboxes.
= Bad!
= Good
Note: If the purpose of granting such access is to permit use of the EXMERGE utility (see Delete Messages from Mailboxes by using EXMERGE for an example of such a requirement), grant Receive As permissions. You can also grant Full Control permissions if you want complete access.

Granting right to a mailboxes located within a specific mailbox store

Use the following procedure to grant access to Exchange 2000 or an Exchange 2003 mailboxes found on a specific mailbox store:

Note: You must have the appropriate Exchange administrative permissions to do so.

  1. Start Exchange System Manager.
  2. Drill down to your server object within the appropriate Administrative Group. Expand the server object and find the required mailbox store within the appropriate Storage Group. Right-click it and choose Properties.

  1. In the Properties window go to the Security tab.
  2. Click Add, click the user or group who you want to have access to the mailboxes, and then click OK.
  3. Be sure that the user or group is selected in the Name box.
  4. In the Permissions list, click Allow next to Full Control, and then click OK.

Note: Make sure there is no Deny checkbox selected next to the Send As and Receive As permissions.

  1. Click Ok all the way out.

Granting right to a mailboxes located on a specific server

Use the following procedure to grant access to Exchange 2000 or an Exchange 2003 mailboxes found on a specific server:
Note: You must have the appropriate Exchange administrative permissions to do so.

  1. Start Exchange System Manager.
  2. Drill down to your server object within the appropriate Administrative Group. Right-click it and choose Properties.

  1. In the Properties window go to the Security tab.
  2. Click Add, click the user or group who you want to have access to the mailboxes, and then click OK.
  3. Be sure that the user or group is selected in the Name box.
  4. In the Permissions list, click Allow next to Full Control, and then click OK.

Note: Make sure there is no Deny checkbox selected next to the Send As and Receive As permissions.

  1. Click Ok all the way out.

Note: It might take some time before the changes youve made will take effect. The amount of time needed is influenced by the number of domain controllers, Global Catalogs and site replication schedules and intervals. On one domain with one site containing multiple domain controllers it might take up to 15 minutes before you can begin using these new permissions. On single servers that are also DCs you can speed up the process by restarting the Information Store service.

Related articles

You might also want to read the following related articles:

Links

XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 – 262054link out ico
How to Assign Users or Groups Full Access to Other User Mailboxes – 268754link out ico

SHARE ARTICLE