At our organisation the DOMAIN\Administrator account can access all mailboxes, i.e. log in to Outlook Web Access as DOMAIN\Administrator and then open another mailbox, and that user's mailbox appears.

I have no idea why this was done; I'm suspicious, but that's not my problem. I don't want to be responsible for such, so I want to remove this permission.

Is it possible to search through all mailboxes and remove any access that DOMAIN\Administrator has (whether that be Full Access, Send As or Send on Behalf)?

We're running 4 Windows Server 2012 servers with Microsoft Exchange 2013.
Best Answer
This is probably a result of DOMAIN\Administrator being a member of the Organization Management group. From the description of that group: Or from Technet:

This is basically the group in Exchange that is like the Domain Admins group in Active Directory - members have administrative privileges in Exchange, which includes the ability to log into any mailbox (by default). You could, of course, remove DOMAIN\Administrator from that group, but anyone with modify privileges on that group (like domain admins) can trivially add that user, or any other, back into it.

In the unlikely event that the DOMAIN\Administrator user is explicitly defined as having permissions to each mailbox, you could use a PowerShell script to remove it, but you'd have the same problem - that user, and anyone with modify privileges on the Organization Management group, can trivially add that user, or any other, back into it.

Bottom line, administrators have (or can easily give themselves) permissions to do whatever they want. It's the nature of an administrative account, and there's really no getting around it.