The best solution I've found to make sure that email admins do not have
access (short of following Kirill's advice to only hire people you trust) is
to use a shared secret password for the exadmin account:

- Change the password on the exadmin account with another person from the
  appropriate dept (HR, VP, CxO, etc).
- The email admin would type the first half of the password and remember
  it/share it with others in the IT dept.
- The other person would type the second half of the password and remember it.
- Change the password in Exchange Admin the same way (admin types first part,
  other person types second part) and restart the services.

Before doing this, make sure you have a disaster plan and consider:

- The other person/people must be willing to show up at 2:00 am in case of
  problems and/or troubleshooting the server.
- The other person/people must be willing to be there at 2:00 am to install
  additional Exchange services/software such as the IMS, virus scanners, etc.

The loophole in this is that the email admin could change the password, and
restart services during regular maintenance windows and nobody would notice
it was changed.
On the other hand, you could do what most companies do -- ensure that your
email admins are so busy that they'll never have time to read their own
mail, let alone someone else's mail.
> Let's say I install MS Exchange 5.5 using "exadmin" nt account. By
> "Exadmin" will be granted NT system and Exchange server administrator
> rights. I can log on/ access to any mailboxes in the exchange server
> "Exadmin" account from any PC in the domain.
> For security reason, how can I disallow "Exadmin" (Exchange Server
> Administrator) from able to access others mailboxes?