>I'm sorry to differ with you but I can think of several reasons besides the
>fact that the true admin normally has full access to a a networks entire
>reaources so he can do his job.
I can think of several reasons why he shouldn't, and organizations like the
Department of Defense and the National Security Agency agree with me. The
principle of a "need to know" justifying access to any resource applies to
administrators just as it applies to everyone else. No administrator should
have any access to any resource beyond that required by his immediate
responsibilities. Furthermore, any access he gains to any resource must be
independently audited, with respect to both its existence and its use.
There is no legitimate reason for an administrator to have access to
everyone's mailbox by default. This being so, Exchange Server is designed
to deny administrators access to any mailboxes other than their own, by
default. The product is designed to be very secure unless an organization
deliberately chooses to dilute that security.
Quote:>We originally created Peronal Folders in outlook on each workstation as a
>.pst file that resided on each users hard drive before we installed
>Server. After we installed ES we wanted to Export/Import all of the
>Contacts, Mail folders etc. to the newly created Mailbox resource that was
>now on the Server. To accomplish this otherwise we would have had to logon
>onto each of some 100 users with their Logon and Password to make these
>changes "After Hours".
The life of an administrator can be difficult. With authority comes
responsibility, and it isn't always fun.
Quote:>If we did it this way we would have had to get their passwords anyway and
>would have access to everything in their mailbox anyway.
Have them do it themselves. Or, better yet, let them decide for themselves.
Quote:>Where's the logis there.
What logic requires you to move everything to the server? And why can't you
simply tell your users how do to it, rather than do it for them? All it
requires is a drag-and-drop.
Quote:>Don't you think that it's a little more logical to give Admin access
>to all users mailbox resources then we can log onto each workstation as an
>admin without having to carry a list of 100 users Logons and Passwords???
No. It's a security breach, and such a breach is not justified just for
Quote:>I don't know too many admins that don't have "GOD" rights to their own
>networks so they are able to do their job in the most effecient way
A lot of administrators don't know what they are doing, or lack the
experience that will eventually teach them why they should not have
unlimited access to everything. Some administrators are also naturally
nosey, or control freaks.
In any case, I was an administrator for years, and I learned my lessons.
Even today, on my own machines, I often do not run under administrator
accounts. It's safer that way.
Quote:>Is it just that you feel that the admin has "No Legitimate Need" to
>potentially read a users private mail??
That's part of it. Professional ethics.
Quote:>Personally I'm trying to get my job done and get on to
>something else on my list.
Then spend the time writing a very clear guide on how to move the mailbox
contents (if they really must be moved) and distribute that to your users.
You need then only cover cases in which they mess things up, instead of
every single workstation. If they ask why you don't do it for them, explain
that their privacy outweighs the convenience.