>I'm sorry to differ with you but I can think of several reasons besides the
>fact that the true admin normally has full access to a network's entire
>resources so he can do his job.
I can think of several reasons why he shouldn't, and organizations like the
Department of Defense and the National Security Agency agree with me. The
principle of a "need to know" justifying access to any resource applies to
administrators just as it applies to everyone else. No administrator should
have any access to any resource beyond that required by his immediate
responsibilities. Furthermore, any access he gains to any resource must be
independently audited, with respect to both its existence and its use.
There is no legitimate reason for an administrator to have access to
everyone's mailbox by default. This being so, Exchange Server is designed
to deny administrators access to any mailboxes other than their own, by
default. The product is designed to be very secure unless an organization
deliberately chooses to dilute that security.
>We originally created Personal Folders in Outlook on each workstation as a
>.pst file that resided on each user's hard drive before we installed
>Exchange Server. After we installed ES we wanted to Export/Import all of the
>Contacts, Mail folders etc. to the newly created Mailbox resource that was
>now on the Server. To accomplish this otherwise we would have had to logon
>onto each of some 100 users with their Logon and Password to make these
>changes "After Hours".
The life of an administrator can be difficult. With authority comes
responsibility, and it isn't always fun.
>If we did it this way we would have had to get their passwords anyway and we
>would have access to everything in their mailbox anyway.
Have them do it themselves. Or, better yet, let them decide for themselves.
>Where's the logic there?
What logic requires you to move everything to the server? And why can't you
simply tell your users how to do it, rather than do it for them? All it
requires is a drag-and-drop.
>Don't you think that it's a little more logical to give Admin access
>to all users' mailbox resources then we can log onto each workstation as an
>admin without having to carry a list of 100 users' Logons and Passwords???
No. It's a security breach, and such a breach is not justified just for
this, IMO.
>I don't know too many admins that don't have "GOD" rights to their own
>networks so they are able to do their job in the most efficient way
>possible.
A lot of administrators don't know what they are doing, or lack the
experience that will eventually teach them why they should not have
unlimited access to everything. Some administrators are also naturally
nosey, or control freaks.
In any case, I was an administrator for years, and I learned my lessons.
Even today, on my own machines, I often do not run under administrator
accounts. It's safer that way.
>Is it just that you feel that the admin has "No Legitimate Need" to
>potentially read a user's private mail??
That's part of it. Professional ethics.
>Personally I'm trying to get my job done and get on to
>something else on my list.
Then spend the time writing a very clear guide on how to move the mailbox
contents (if they really must be moved) and distribute that to your users.
You need then only cover cases in which they mess things up, instead of
every single workstation. If they ask why you don't do it for them, explain
that their privacy outweighs the convenience.
--
Anthony