Re: other people's mailbox
- From: Andy David - MVP <adavid@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 31 Mar 2006 15:50:23 -0500
On Fri, 31 Mar 2006 11:55:10 -0800, oz@xxxxxxxxxxxxxxxxx
<oz@xxxxxxxxxxxxxxxxx> wrote:
> I don't agree with not having access to user's mailboxes as an Exchange admin
> in large environments.
> It is impossible to maintain or troubleshoot Exchange-related issues
> without having full access, unless the Exchange admin must go to each office and
> interrupt people while they are doing what they need to do.

It is? You rarely if ever need to open another user's mailbox to
troubleshoot except in situations that require immediate action (mail
loops, etc.). In a large environment, the helpdesk typically will
remotely log on to the user's workstation with the user sitting right
there and walk them through or troubleshoot any issue.
In a small shop, the admin is probably also the helpdesk and they walk
right over to the desk of the user.

> On the other hand, yes, it is not a good practice to let an Exchange admin
> take a look at the CEO's e-mail box.
> As it was said earlier by Nuevo, event 1016 will be logged in the Event
> Viewer, but it is not possible to keep track of the intention.

That's the point. A policy that disallows blanket access to the
mailboxes also protects the admins. If a confidential email was leaked
and it was sent only to the CEO, guess who they are going to look at?
Everyone who potentially has access. So what prevents the admin from
giving himself full access, viewing the mailbox and then removing that
access? Not much, but crank up logon diags on the store and all of a
sudden you get 1016s with 1011 security events and maybe you can track
down which user accessed the mailbox. The event logs will be littered
and Exchange does a lousy job at this, but better than nothing.

> I can see why.
> I have been in the same arguments several times;
> where I work it is impossible to
> not let the Exchange administrator have access, because they can do
> almost everything while the user is working on his or her PC.
> We have created, at some place, a group called access denied and added Exchange
> admins into that group, and went back to the TOP people's mailbox properties and
> added the access denied group and gave denied permissions, while giving the
> Exchange admins Full access from the top of the ESM.

What? You don't trust the admins?

> We can sit here and argue about how things should be implemented; I think it
> depends more on the environment, and employers must trust their Exchange or AD
> administrator.
> If there is no trust, they should look into more reliable stuff.

What reliable stuff is that?

> And at the same time managers should be smart and keep their eyes open.
> If such an Exchange admin accesses the CEO's mailbox X times for some reason, while
> the CEO is not having any problem, there is a problem and it needs to be addressed.

How would they know?

> Cheers
> Oz