permissions for admin account on user MBs

Post by Brian Chares » Wed, 02 Jul 2003 05:34:48

I have an Ex 5.5 SP4 server running on NT4 SP6A and an EX2K SP3 server
running in a W2K AD domain.  I have the ADC installed.  I can open any
mailbox on my 5.5 server as the Ex Admin.  When I move a mailbox from the
5.5 to the Ex2K box I can no longer open it in Outlook.  If I go into ADU&C,
Exchange Advanced tab, Domain Admins and Enterprise Admins have the "Full
Mailbox Access" permission set as Deny.  It is greyed out, implying to me
that this permission is being inherited from above.  If I look at the OU
containing the users, there is no explicit deny on anything, either directly
on the OU tab or if I select the advanced button and look at the more
detailed permissions.  Same thing for the entire domain.  No GP except
the default one on the domain and I don't see anything there either.  In Ex
System Manager I delegated the Full Exchange Administrator right to domain
admins.  So the question is, where is this deny being set and how can I
change it should I decide I want to?  Thanks.



Post by Leif Pederse » Wed, 02 Jul 2003 06:40:41


It is the default setting in Exchange 2000 that administrators can't open
users' mailboxes.

This is a security setting.

If you really need to open other users' mailboxes you just need the "send as"
and "receive as" rights on their mailboxes.

If you perform a search on TechNet for ExMerge and "send as" you should find
the procedures to implement this.



1. permission admin and service account admin.

Then that would have added the "Mailadmin" NT User Account to the
Permissions tab as a "Permissions Admin."

You were prompted to supply the NT User Account to be used as the
Exchange Service Account during the installation. The account you
chose was placed into the Permissions tab with the role of "Service
Account Admin." *AND* stored in the Exchange directory, which is quite
a different thing, as the "service account".

You can assign the ROLE of "Service Account Admin." to anyone, but you
cannot change the service account stored in the directory. The only
way to accomplish that is to reinstall the Exchange server. [That's
a bit of a lie, but it's the only way you SHOULD change the service

It sounds like you made the common mistake of using the NT User
Account that did the installation to be the service account. If that
was the "Mailadmin" then I'd say assign the role of "Service Account
Admin." to that account on the Organization, site, and Configuration
containers. Then add another NT User Account to the role of
"Permissions Admin." on the same containers. If you want some other
folks to manage the Exchange stuff then give them the role of "Admin."

Put the NT User Accounts into a NT Global Group, then assign whatever
role you want to the Global Group.

Rich Matheisen
MCSE, Exchange MVP
MS Exchange FAQ at
