For a Microsoft Exchange 2000 Server version of this article, see 262054.
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
MORE INFORMATION
In Microsoft Exchange Server 5.5, when you grant Service Account Admin
access rights on the Site container to a Microsoft Windows-based account,
you grant that account unrestricted access to all mailboxes. In Microsoft
Exchange 2000 Server and Exchange Server 2003, there is no service account,
and even accounts with Enterprise Administrators rights are denied rights
to gain access to all mailboxes.
Note In Microsoft Windows 2000 Server and Microsoft Windows Server
2003, services typically run under the account of the computer where they are
installed. This account is the local system account (LocalSystem), and its
password is created and recycled by Windows 2000 or Windows Server 2003. By
default, you can use this service account to gain access to the Exchange
mailbox, the public folder stores, and other Windows resources for performing
mail transfer and directory synchronization.
If your logon account is
the Administrator account or is a member of the Domain Admins or Enterprise
Admins groups, then you are explicitly denied access to all mailboxes other
than your own, even if you otherwise have full administrative rights over the
Exchange system. All Exchange Server 2003 administrative tasks can be performed
without having to grant an administrator sufficient rights to read other
people's mail.
You can override this default restriction in several
ways, but do so only in accordance with your organization's security and
privacy policies. Frequently, overriding the default restriction is appropriate only in a
recovery server environment.
To grant your administrative account access through Exchange
System Manager to all mailboxes in a single database regardless of inherited
denials:
- Start Exchange System Manager, and then locate the database
you want to have full mailbox access to.
- Open the properties of this object, and then click the
Security tab.
- Grant your account full explicit permissions on the object,
including Receive As and Send As permissions.
After you have made this change, you may still see unavailable Deny and
Allow permissions assigned to your account. The unavailable permissions
indicate that by inheritance you have been denied permission, but that you
have inherited permissions at this level. In the Windows permissions model,
explicitly granted permissions override inherited permissions. Note that an
explicit Allow at a lower level overrides an explicit Deny from a higher
level only on the single object where the override is set, not on that
object's child objects. This prevents you from granting yourself
permissions on a server to gain access to each database; you must grant
permissions on databases individually.
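As an added example (not part of the original article), the following Python code audits a database object's security descriptor for the entries described above, separating explicit Allow grants of Receive As and Send As from the inherited entries that the Security tab shows as unavailable. It assumes the descriptor has been exported as an SDDL string with rights in two-letter form; the sample descriptor, the SID and the function names are constructed, and the two GUIDs are the Active Directory schema identifiers for the Send-As and Receive-As extended rights.

```python
import re

# Extended-right GUIDs from the Active Directory schema (not given in the article).
RIGHTS = {
    "ab721a54-1e2f-11d0-9819-00aa0040529b": "Send As",
    "ab721a56-1e2f-11d0-9819-00aa0040529b": "Receive As",
}

# Constructed descriptor for one database object: two explicit grants to a made-up
# admin SID, plus inherited (ID flag) Deny and full-control ACEs for Domain Admins (DA).
SAMPLE = (
    "O:DAG:DAD:AI"
    "(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1-2-3-1105)"
    "(OD;CIID;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;DA)"
    "(OD;CIID;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;DA)"
    "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
)

def parse_aces(sddl):
    """Yield (type, flag codes, right codes, object GUID, trustee) per Allow/Deny ACE."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    # Only A, D, OA and OD ACE types are matched; other types are skipped.
    for body in re.findall(r"\((O?[AD];[^()]*)\)", dacl):
        kind, flags, rights, obj, _inherit_obj, trustee = body.split(";")[:6]
        yield (kind, re.findall("..", flags), re.findall("..", rights),
               obj.lower(), trustee)

def mailbox_rights(rights, obj):
    """Return the mailbox-access rights an ACE covers (empty list if none)."""
    if "GA" in rights or ("CR" in rights and not obj):
        return sorted(RIGHTS.values())  # full control or all extended rights
    if "CR" in rights and obj in RIGHTS:
        return [RIGHTS[obj]]
    return []

def audit(sddl):
    """Return (trustee, right, origin, effect) for every mailbox-access ACE."""
    findings = []
    for kind, flags, rights, obj, trustee in parse_aces(sddl):
        origin = "inherited" if "ID" in flags else "explicit"
        effect = "Allow" if kind in ("A", "OA") else "Deny"
        for right in mailbox_rights(rights, obj):
            findings.append((trustee, right, origin, effect))
    return findings

def explicit_grants(sddl):
    """Explicit Allow entries: the overrides that deserve review."""
    return [f for f in audit(sddl) if f[2:] == ("explicit", "Allow")]
```

Calling `explicit_grants(SAMPLE)` returns the two explicit Allow entries for the constructed SID, while every Domain Admins entry is reported as inherited.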
After you change permissions,
you may have to log off and log back on. Microsoft also recommends that you
stop and restart all Exchange services. If you have multiple domain controllers
in the forest, you may also have to wait for directory replication to complete.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
259221 Security tab not available on all objects in System Manager