Admin access to users mailbox when logged on as admin from Workstation

Admin access to users mailbox when logged on as admin from Workstation

Post by Marty Wamsle » Thu, 27 Aug 1998 04:00:00



I can't seem to figure how to set admin rights to a users mailbox folders,
etc when I'm logged onto their workstation as an admin.

Otherwise I have to know each users logon name and password and logon as
them to make changes to their setup etc.

Access to mailbox resources for an Admin should be set right out of the box.

We use Exchange 5.5

Thanx
Marty Wamsley
IT Solutions

 
 
 

Admin access to users mailbox when logged on as admin from Workstation

Post by Manuel » Fri, 28 Aug 1998 04:00:00


The Exchange Service account has "mailbox owner" status - so you should be
able to open the mailboxes...



Quote:> I can't seem to figure how to set admin rights to a users mailbox
folders,
> etc when I'm logged onto their workstation as an admin.

> Otherwise I have to know each users logon name and password and logon as
> them to make changes to their setup etc.

> Access to mailbox resources for an Admin should be set right out of the
box.

> We use Exchange 5.5

> Thanx
> Marty Wamsley
> IT Solutions


 
 
 

Admin access to users mailbox when logged on as admin from Workstation

Post by Anthon » Fri, 28 Aug 1998 04:00:00



Quote:>I can't seem to figure how to set admin rights to a users mailbox folders,
>etc when I'm logged onto their workstation as an admin.

By default, nobody has the ability to change the rights on a user's mailbox
folders except the user himself.  Thus, you must log on under his user name
in order to change the rights.

Quote:>Otherwise I have to know each users logon name and password and logon as
>them to make changes to their setup etc.

Yes.  This is by design.

Quote:>Access to mailbox resources for an Admin should be set right out of the

box.

No.  Exchange is a secure system, and this being so, administrators are not
given rights for which they have no legitimate need.

--
Anthony

 
 
 

Admin access to users mailbox when logged on as admin from Workstation

Post by Anthon » Fri, 28 Aug 1998 04:00:00



>The Exchange Service account has "mailbox owner" status - so you should be
>able to open the mailboxes...

The service account is not intended for use by administrators.

--
Anthony

 
 
 

Admin access to users mailbox when logged on as admin from Workstation

Post by Marty Wamsle » Sat, 29 Aug 1998 04:00:00



>>Access to mailbox resources for an Admin should be set right out of the

box.

Quote:>No.  Exchange is a secure system, and this being so, administrators are not

given rights for which they have no legitimate need.

I'm sorry to differ with you but I can think of several reasons besides the
fact that the true admin normally has full access to a a networks entire
reaources so he can do his job.

We originally created Peronal Folders in outlook on each workstation as a
.pst file that resided on each users hard drive before we installed Exchange
Server.   After we installed ES we wanted to Export/Import all of the
Contacts, Mail folders etc. to the newly created Mailbox resource that was
now on the Server.  To accomplish this otherwise we would have had to logon
onto each of some 100 users with their Logon and Password to make these
changes   "After Hours".

If we did it this way we would have had to get their passwords anyway and we
would have access to everything in their mailbox anyway.  Where's the logis
there.  Don't you think that it's a little more logical to give Admin access
to all users mailbox resources then we can log onto each workstation as an
admin without having to carry a list of 100 users Logons and Passwords???

I don't know too many admins that don't have "GOD" rights to their own
networks so they are able to do their job in the most effecient way
possible.

Is it just that you feel that the admin has "No Legitimate Need" to
potentially read a users private mail??  Personally I'm trying to get my job
done and get on to something else on my list.  I really don't care what's in
their mailboxes...

Marty

 
 
 

Admin access to users mailbox when logged on as admin from Workstation

Post by Anthon » Sat, 29 Aug 1998 04:00:00



>I'm sorry to differ with you but I can think of several reasons besides the
>fact that the true admin normally has full access to a a networks entire
>reaources so he can do his job.

I can think of several reasons why he shouldn't, and organizations like the
Department of Defense and the National Security Agency agree with me.  The
principle of a "need to know" justifying access to any resource applies to
administrators just as it applies to everyone else.  No administrator should
have any access to any resource beyond that required by his immediate
responsibilities.  Furthermore, any access he gains to any resource must be
independently audited, with respect to both its existence and its use.

There is no legitimate reason for an administrator to have access to
everyone's mailbox by default.  This being so, Exchange Server is designed
to deny administrators access to any mailboxes other than their own, by
default.  The product is designed to be very secure unless an organization
deliberately chooses to dilute that security.

Quote:>We originally created Peronal Folders in outlook on each workstation as a
>.pst file that resided on each users hard drive before we installed
Exchange
>Server.   After we installed ES we wanted to Export/Import all of the
>Contacts, Mail folders etc. to the newly created Mailbox resource that was
>now on the Server.  To accomplish this otherwise we would have had to logon
>onto each of some 100 users with their Logon and Password to make these
>changes   "After Hours".

The life of an administrator can be difficult.  With authority comes
responsibility, and it isn't always fun.

Quote:>If we did it this way we would have had to get their passwords anyway and
we
>would have access to everything in their mailbox anyway.

Have them do it themselves.  Or, better yet, let them decide for themselves.

Quote:>Where's the logis there.

What logic requires you to move everything to the server?  And why can't you
simply tell your users how do to it, rather than do it for them?  All it
requires is a drag-and-drop.

Quote:>Don't you think that it's a little more logical to give Admin access
>to all users mailbox resources then we can log onto each workstation as an
>admin without having to carry a list of 100 users Logons and Passwords???

No.  It's a security breach, and such a breach is not justified just for
this, IMO.

Quote:>I don't know too many admins that don't have "GOD" rights to their own
>networks so they are able to do their job in the most effecient way
>possible.

A lot of administrators don't know what they are doing, or lack the
experience that will eventually teach them why they should not have
unlimited access to everything.  Some administrators are also naturally
nosey, or control freaks.

In any case, I was an administrator for years, and I learned my lessons.
Even today, on my own machines, I often do not run under administrator
accounts.  It's safer that way.

Quote:>Is it just that you feel that the admin has "No Legitimate Need" to
>potentially read a users private mail??

That's part of it.  Professional ethics.

Quote:>Personally I'm trying to get my job done and get on to
>something else on my list.

Then spend the time writing a very clear guide on how to move the mailbox
contents (if they really must be moved) and distribute that to your users.
You need then only cover cases in which they mess things up, instead of
every single workstation.  If they ask why you don't do it for them, explain
that their privacy outweighs the convenience.

--
Anthony

 
 
 

Admin access to users mailbox when logged on as admin from Workstation

Post by Curt Verwol » Sun, 30 Aug 1998 04:00:00


YES...It's called the Service Account...This will allow you to log onto
Anybody's Mailbox....Maybe not there local Workstation, but through NT this
can be done...

Please see the following KBs:
http://support.microsoft.com/support/kb/articles/q147/3/54.asp

http://support.microsoft.com/support/kb/articles/q182/9/00.asp

Hope this helps,

Curt Verwolf

MCSE



>>>Access to mailbox resources for an Admin should be set right out of the
>box.

>>No.  Exchange is a secure system, and this being so, administrators are
not
>given rights for which they have no legitimate need.

>I'm sorry to differ with you but I can think of several reasons besides the
>fact that the true admin normally has full access to a a networks entire
>reaources so he can do his job.

>We originally created Peronal Folders in outlook on each workstation as a
>.pst file that resided on each users hard drive before we installed
Exchange
>Server.   After we installed ES we wanted to Export/Import all of the
>Contacts, Mail folders etc. to the newly created Mailbox resource that was
>now on the Server.  To accomplish this otherwise we would have had to logon
>onto each of some 100 users with their Logon and Password to make these
>changes   "After Hours".

>If we did it this way we would have had to get their passwords anyway and
we
>would have access to everything in their mailbox anyway.  Where's the logis
>there.  Don't you think that it's a little more logical to give Admin
access
>to all users mailbox resources then we can log onto each workstation as an
>admin without having to carry a list of 100 users Logons and Passwords???

>I don't know too many admins that don't have "GOD" rights to their own
>networks so they are able to do their job in the most effecient way
>possible.

>Is it just that you feel that the admin has "No Legitimate Need" to
>potentially read a users private mail??  Personally I'm trying to get my
job
>done and get on to something else on my list.  I really don't care what's
in
>their mailboxes...

>Marty

 
 
 

Admin access to users mailbox when logged on as admin from Workstation

Post by Steve Snitil » Thu, 03 Sep 1998 04:00:00



> I can't seem to figure how to set admin rights to a users mailbox folders,
> etc when I'm logged onto their workstation as an admin.

> Otherwise I have to know each users logon name and password and logon as
> them to make changes to their setup etc.

> Access to mailbox resources for an Admin should be set right out of the box.

> We use Exchange 5.5

> Thanx
> Marty Wamsley
> IT Solutions

In Exchange Admin goto the properties of the mailbox select the
permissions tab and add your NT account with user permissions to the
mailbox.

steve

 
 
 

1. Logging admin access to user mailbox?

I am one of several people who have domain admin rights on our domain
here at work and that includes one individual not in the IT department
(CEO's decision).  We suspect that this user is giving himself rights
to read other people's mail and then removing himself when he is done.
 I have searched like crazy to find some way to create a paper trail
of this so we can show it to our CEO but I haven't been able to find
anything?

We are running Exchange 2000 in Win2K server with AD.

Any help at all would be appreciated.

Thanks,
Larry
mariner[nine][seven][one][one][four] at comcast dot net

(replace bracketed words with equivalent digits)

2. Store.exe crash 3-4 times a day (Exchange 5)

3. Accessing any calendar via CDO logging on as an Admin user

4. sharing contacts

5. NEWBIE Question: IMC Crashing Server. Need Input.

6. Help ! Urgent ..can not open Exchange 5.5 user properties page after upgrade to window 2000 server

7. Setup admin exchange access at Winnt workstation

8. Admin from NT workstation with differnet user

9. Admin access to users mailboxes?

10. Can't open user's mailboxes even tho I have inherited admin access