Re: Exchange 2003 Admin w/o ability to gain service acct access & read other users' mail?

From: Jason (Nospam_at_forme.thanks)
Date: 02/04/05


Date: Fri, 4 Feb 2005 12:48:16 -0800

Must give you that warm and fuzzy feeling working for someone that doesn't
trust you, but yet calls you to fix everything. Either you are an admin or
you are not. Yes, you can jack with settings all day long to try and narrow
down what an admin has access to and what they can do, but it is much easier
to trust that your admin won't go snooping where they don't belong. You have
to give the keys of the kingdom to someone. My suggestion would be, have
them put in place some type of auditing. Even a third party type of
software that monitors account changes and things of that nature and sends
alerts when changes have been made, but of course that software would need
an admin also. Maybe that will ease their mind. If that doesn't work for
them, I would suggest they go back to pen and paper for communication and
seal each note with a wax copy of their ring.

<jeoffwilks@gmail.com> wrote in message
news:1107545077.758728.305800@o13g2000cwo.googlegroups.com...
> I recently installed/configured an Exchange 2003 server for my
> organization. Upon completion they removed me from the Administrators
> group so that I would not be able to read other users' email.
>
> Although this right is disabled by default, MS has left a couple
> backdoors so admins can grant themselves Service Account access and
> read other users' mailboxes. See:
> http://support.microsoft.com/?id=821897
>
> MS Reasoning appears to be, "Just don't do it" -- which is not enough
> to satisfy my company principals. They are uncomfortable with even the
> possibility that I *could* add service account rights and read their
> mail.
>
> I'm still asked quite often to perform admin tasks, but I typically
> have to call in a company principal to login for me, because of the
> email privacy concern they have.
>
> So my question is, can a user be granted Administrator access for
> everything MINUS the ability to grant himself Service Account access
> (and thereby read other users' mail)?
>


