Re: Mailbox Permissions - Deny Access



The problem is that at some point someone removed the security blocks that
would normally prevent this (so now you also have an auditing problem).

By default, the Domain Admins group has an explicit deny on the Send As and
Receive As rights on the Exchange configuration container in AD. This deny
is inherited by all the containers below including the mailbox stores.

Now, why does your domain admin account have a mailbox at all (making the
assumption that you're logged into a mailbox associated with the admin-level
account when doing the Open Other User's Folder)? You should be using a
non-privileged account for day-to-day work including email and using a
domain admin account (you-a for example) /only/ for domain admin tasks and
absolutely nothing else (like web browsing).

<sjcoggins@xxxxxxxxx> wrote in message
news:1129686377.528216.142890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Having read through numerous posts, it seems my request may be the
> opposite to most others:
>
> Exchange 2003: As domain administrator, I am able to "Open Other User's
> Folder" and get their inbox open in my Outlook.
>
> I need to prevent access to mailboxes to anyone other than the owner
> and maybe any other system required entities. We are in the financial
> sector, and are heavily regulated. This goes against our security
> policies.
>
> I can see where I might remove permissions (mailbox
> store>properties>security); however, I am concerned that by making
> changes I might break something.
>
> Is there some information that lets me know the minimum/maximum
> security permissions that still allow the system to function correctly?
>
> Has anyone else undertaken such an exercise ?
>
> Thanks to anyone that might take an interest in my predicament!
>
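
One way to check whether the default deny described in the reply above is still in place (an added example, not part of the original posts). It reads the ACL of an AD object and reports whether a Deny ACE for Domain Admins exists on the Send As and Receive As extended rights. The organization name is a placeholder, and the DN layout under CN=Microsoft Exchange,CN=Services is an assumption about where the organization object lives; pass -TargetDn to check a mailbox store object instead.

```powershell
# Added example: audit the Send As / Receive As deny ACEs for Domain Admins.
# Assumptions: domain-joined host, read access to the configuration partition,
# and '<ExchangeOrgName>' replaced with your own organization name.
param(
    [string]$OrgName = '<ExchangeOrgName>',   # placeholder
    [string]$TargetDn                         # optional: DN of any object to check
)

# rightsGuid values of the two extended rights
$rights = @{
    'Send As'    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
    'Receive As' = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
}

if (-not $TargetDn) {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $TargetDn = "CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNC"
}

$entry   = [ADSI]"LDAP://$TargetDn"
$sidType = [System.Security.Principal.SecurityIdentifier]
# Explicit and inherited ACEs, trustees returned as SIDs (language-independent)
$rules   = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($name in $rights.Keys) {
    $deny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $_.ObjectType -eq $rights[$name] -and
        $_.IdentityReference.Value -like 'S-1-5-21-*-512'   # RID 512 = Domain Admins
    })
    [pscustomobject]@{
        Object      = $TargetDn
        Right       = $name
        DenyPresent = ($deny.Count -gt 0)
        # True = ACE flows down from a parent, False = set on this object
        Inherited   = ($deny | ForEach-Object { $_.IsInherited }) -join ','
    }
}
```

A DenyPresent value of False for either right means the block the reply describes has been removed on that object or on a parent it inherits from.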
