How to get service account access to all mailboxes in Exchange 2000 (262054)
The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q262054

SUMMARY

In Microsoft Exchange Server 5.5, when you grant Service Account Admin privileges on the Site container to a Microsoft Windows account, you grant that account unrestricted access to all mailboxes. In Exchange 2000, there is no service account, and by default even members of the Enterprise Admins group are denied access to mailboxes other than their own.

In some cases (for example, offline recovery of an entire mailbox database), it may still be useful to grant permissions to all mailboxes without having to explicitly do it mailbox by mailbox. This article explains how to do this.

Note Do not use this procedure in a production environment to allow unauthorized access to user data in violation of corporate policies regarding privacy and security. Implement an auditing plan on your network to detect and record improper use of network privileges by system administrators.

MORE INFORMATION

If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. Unlike Exchange Server 5.5, all Exchange 2000 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.

This default restriction can be overridden in several ways, but again, doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.

Method One

If you are NOT the Administrator, or a member of the Domain Admins or Enterprise Admins groups, then you can add your account to the Exchange Services or Exchange Domain Servers groups, and you will be allowed full access to all mailboxes on servers in the domain.

Note The Exchange Services group may not exist if you have never deployed the Active Directory Connector in your organization.

Method Two

To grant your administrative account access through Exchange System Manager to all the mailboxes in a single database (even if the account is one of those denied access by the entries inherited from the organization object), follow these steps:
  1. Create an appropriately-scoped security group in the Microsoft Active Directory directory service. For example, create a global security group that is named EXCHANGE_RECOVERY.
  2. Add the group or the user account (or user accounts) that you want to use for general mailbox access to this security group. You must log off and then log back on before your membership in this group takes effect.
  3. In Exchange System Manager, grant this security group permissions on the database or server object that contains the mailboxes that you want to access. If the purpose of granting such access is to permit use of the ExMerge utility, grant Receive As permissions. You can also grant Full Control permissions if you want complete access.
An allow entry that you set on the database or server object takes precedence over the deny entries that Domain Admins and Enterprise Admins inherit from the organization object, because Windows evaluates entries set closer to the object before entries inherited from further up the tree. After you change these permissions, they may not take effect immediately: the local Exchange server can cache the previous permissions for up to 15 minutes. To clear the local cache, stop and then start the Information Store service, or stop and then start all Exchange services. If there are multiple domain controllers in your Active Directory forest, replication latency can further delay the change. Therefore, when you design recovery procedures, make the required permission changes as early in the process as possible.
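The same three steps, scripted against Active Directory with ADSI from PowerShell instead of Exchange System Manager, as an added example that is not part of this article. The domain (contoso.com), the recovery account (recoveryadmin), the server (EXSRV01) and the distinguished name of the mailbox store are assumptions to replace with your own values; the extended-right GUIDs for Receive As and Send As are the well-known values from the Active Directory schema. Run it as an account that already holds Exchange Full Administrator rights on the organization.

```powershell
# Added example (not part of KB 262054): create the EXCHANGE_RECOVERY group,
# add the recovery account, and grant the group Receive As on one mailbox
# store. Every name below is an assumption for illustration; replace it
# with the values from your own forest.
$domainDn     = 'DC=contoso,DC=com'
$groupName    = 'EXCHANGE_RECOVERY'
$recoveryUser = 'recoveryadmin'          # account that will run ExMerge
$storeDn      = 'CN=Mailbox Store (EXSRV01),CN=First Storage Group,' +
                'CN=InformationStore,CN=EXSRV01,CN=Servers,' +
                'CN=First Administrative Group,CN=Administrative Groups,' +
                'CN=First Organization,CN=Microsoft Exchange,CN=Services,' +
                "CN=Configuration,$domainDn"

# Extended rights defined in the AD schema (rightsGuid of Receive-As / Send-As).
$receiveAsGuid = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
$sendAsGuid    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# Step 1: global security group in the Users container.
$usersContainer = [ADSI]"LDAP://CN=Users,$domainDn"
$group = $usersContainer.Create('group', "CN=$groupName")
$group.Put('sAMAccountName', $groupName)
$group.Put('groupType', -2147483646)     # 0x80000002: global, security-enabled
$group.SetInfo()

# Step 2: add the recovery account. Its access token only picks up the new
# group at the next logon, so log off and back on before running ExMerge.
$group.Add("LDAP://CN=$recoveryUser,CN=Users,$domainDn")

# Step 3: grant Receive As on the store object, whose security descriptor
# lives on the object in the Configuration partition.
$group.RefreshCache()
$groupSid = New-Object System.Security.Principal.SecurityIdentifier(
    [byte[]]$group.Properties['objectSid'].Value, 0)
$store = [ADSI]"LDAP://$storeDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $receiveAsGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$store.ObjectSecurity.AddAccessRule($ace)
$store.CommitChanges()

# Check: every Receive As / Send As entry now effective on the store, with
# IsInherited showing which ones came down from the organization object.
# The allow just written is an explicit entry on the store, so it is
# evaluated before the inherited denies for Domain Admins and Enterprise Admins.
$store.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $receiveAsGuid -or $_.ObjectType -eq $sendAsGuid } |
    Select-Object IdentityReference, AccessControlType, IsInherited, ObjectType |
    Format-Table -AutoSize

# Optional: clear the store's permission cache instead of waiting up to
# 15 minutes. Restarting MSExchangeIS dismounts every store on the server.
# Restart-Service MSExchangeIS -Force

# After the recovery, take the access away again (matches the exact ACE above).
# $store.ObjectSecurity.RemoveAccessRuleSpecific($ace); $store.CommitChanges()
```

Granting the entry on the server object instead of the store object works the same way; the entries inherited from the server are evaluated before those inherited from the organization, so the allow still wins. Either way, remove the entry once the recovery is finished and keep the audit trail that the note at the top of this article calls for.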

Modification Type: Minor    Last Reviewed: 6/13/2006
Keywords:kbinfo KB262054