Mailbox Permissions for Other User Accounts

[bulkmail]

Hi,

I would like to be able to open any mailbox i want within my site besides using the Exchange admin account. I added myself to all the containers and assined the account service to me. But still, when i try to access another users mailbox i am unable to. main purpose for this is so that i can exmerge mailboxes when people leave without having to log on as the exchange admin as stated earlier. also, some people are not on exchange and i have to set their "out of office" reply.

Thanks,

BM

 

[andyrob]

You need to add yourself into each mailbox, under permissions as a Windows NT Account with permissions - not INHERITED permissions. If you want to change out of office stuff, you then need to configure your Outlook client for the appropriate user - you can add various profiles. Note that some functions are easier to perform via Outlook Web Access - less need to configure.

It sometimes takes a while for the premissions to take effect - I have not got to the botom of why yet.

 

[Marcs41]

Just a remark/thought ...
You give yourself permissions to everyones email, and thus are able to read it, just to avoid having to log on as admin as intended? What is the purpose of being admin if you don't want to use it as it was made to use?

That is one of the sorriest excuses I heard so far.
Ethics dictate you have no business in someone elses mailbox, it falls under the privacy regulations.

And BTW, 'some are not on Exc, but you set their Out of Off.' ?
If they are not on exchange, you got to tell me how you set the OOO on a non-existant user. And why, since they are not on exchange, no-one would mail them.

Marc
_{If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!}

 

[andyrob]

Agree with the comments about non-exchange, but not sure about the 'ethics'. My ethics dictate that the mailbox is corporate property - if you want private mail, get a private mailbox and use it in private time (just like we all do, right ??). Adding individual access, rather than using Exchange Admin rights is a good policy for auditing if there are more than one Administrator. It is also less dangerous !!

 

[Marcs41]

Sorry to correct you there andy, in most coutries email is protected under the privacy laws, unless proff or suspicion of some bad behaviuor would be there.
People 'should' use private mail for private things, but that is not the point.
Where does it say the admin has the right to read CORPORATE mail of everyone?
Good policy is having 1 admin who knows what he/she is doing.

Marc
_{If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!}

 

[andyrob]

Apologies for my ignorance. I guess a lot of this is down to policies, contracts and licenses. Different for different countries, companies and roles. An administrator will obviously have access to any users Emails by virtue of him knowing the exchange admin password and being able to reset the users NT password - is there any way to stop this as an end-user ? - so giving yourself access is not really doing much more than using your understood needs as an administrator. It is at that point that you need to be very careful and adhere to all the clauses in your contract about not forwarding all the directors email redundancy lists, which he should have put in a password-protected attachment, but didn't know how !

Can't agree with you about the use of Exchange Admin or Admin accounts I'm afraid. Having one guru is far too much risk. Unless you are a guru, in which case it is a brilliant idea.

 

[Marcs41]

An end-user cannot stop this, and an admin will always need to have access to correct things. But there is a difference between access for a good reason and just granting fulltime permissions to yourself.

By 1 admin, i do not mean that only 1 person should know the passwords. Ideally yes, but make sure they are also in a off-site safe for management to access in case of ....

At one time at a job, there were 7 (SEVEN) network managers with FULL admin rights on their own account. You cannot believe the things that happened their. 'Accidentelly' delete something etc. , and the server won't stop you as admin!
An admin should NEVER works as admin unless doing maintenance, that is the only safe way.
And yes, I am a guru and a bit on my toes about security and disasters.
An admin, network or mail, should be 'trustworthy' and this does not seen the case here, at least not in my book.
Convenience is no reason to give yourself fulltime full access. It is either lazyness, uncarefulness or sneeky, whichever applies.

Marc
_{If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!}

 

[bulkmail]

Marc,

We want to audit other people potenially using the exchange admin account. I just inhereited the exchange responsiblities and are aware that READING another person's email is unethical. In this company that is grounds for dismissal. I am not that stupid. However, I do not want people to hide behind the exch admin account.
I am going to change the admin pasword eventually, so I will need certian admins to exmerge.

"And BTW, 'some are not on Exc, but you set their Out of Off.' ?"

Sorry I meant Outlook.

Thanks,

BM

 

[bulkmail]

Thanks everyone, but I forgot to mention that I figured out how to do this after I posted this last night. I am not being lazy etc. !AUDIT! I have had a vp report that someone maybe reading his email. I did see the exch admin account being used to access this account. But i can not see who accessed it.

I did not intend to upset anyone with this post. Nor did I expect to have to explain my actions to this extent. I was just asking for info.

BM

 

[Marcs41]

Sorry if I came across a bit hard, but we see lots of posts here used or potentially used for illegal or unethical purposes.
We try to stay clear from that. Don't forget, anyone can read these posts, even non-members and we want this to stay a 'clean' site.

as for your admin account that accesses the boss's mail, turn on soem logging, it will show up in the eventlogs which computername at what time accessed it.

Marc
_{If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!}

 

[bulkmail]

NP Marc,

I understand your point. BTW, just ten minutes ago, I caught him. Not sure what happens next.

Yeah, logging, I will look into that. I saw that but was only able to pull up the mailbox and what user was accessing it.

Thanks,
BM

 

[Marcs41]

O, you got him, good thing, keep us posted!

Marc
_{If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!}

 

[bulkmail]

Unfortunately I can not say what is going to happen. This is kinda unfortunate. But I am sure you can guess corrctly...

Thanks,

BM