Windows – Administrator can access all mailboxes – how can I stop it

Tags: exchange, exchange-2013, windows, windows-server-2012

At our organisation the DOMAIN\Administrator account can access all mailboxes, i.e. log in to Outlook Web Access as DOMAIN\Administrator, then open another mailbox, and that user's mailbox appears.

I have no idea why this was done. I'm suspicious, but that's not my problem; I don't want to be responsible for this, so I want to remove this permission.

Is it possible to search through all mailboxes and remove any access that DOMAIN\Administrator has (whether that be Full Access, Send As or Send on Behalf)?

We're running 4 Windows Server 2012 servers with Microsoft Exchange 2013.

Best Answer

This is probably a result of DOMAIN\Administrator being a member of the Organization Management group. From the description of that group:

Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group shouldn't be deleted.

Or from Technet:

Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and can perform almost any task against any Exchange 2013 object, with some exceptions. By default, members of this role group can't perform mailbox searches and management of unscoped top-level management roles.

This is basically the group in Exchange that is like the Domain Admins group in Active Directory - members have administrative privileges in Exchange, which includes the ability to log into any mailbox (by default). You could, of course, remove DOMAIN\Administrator from that group, but anyone with modify privileges on that group (like domain admins) can trivially add that user, or any other, back into it.

In the unlikely event that the DOMAIN\Administrator user is explicitly defined as having permissions to each mailbox, you could use a PowerShell script to remove it, but you'd have the same problem: that user, and anyone with modify privileges on the Organization Management group, can trivially add that user, or any other, back into it.

Bottom line, administrators have (or can easily give themselves) permissions to do whatever they want. It's the nature of an administrative account, and there's really no getting around it.
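The audit the question asks for, and the per-mailbox cleanup the answer mentions, as an added example that is not part of the original question or answer. It assumes the Exchange Management Shell on an Exchange 2013 server, the trustee name DOMAIN\Administrator from the question, and is report-only unless -Remove is given; it also checks Organization Management membership first, since that grant leaves no per-mailbox ACE to find.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Reports every explicit Full Access, Send As and Send on Behalf right the account
# holds on any mailbox; removes them only when -Remove is specified.
param(
    [string]$Account = 'DOMAIN\Administrator',   # trustee to audit (name assumed from the question)
    [switch]$Remove                              # report-only unless specified
)

$acctName = ($Account -split '\\')[-1]

# Role-group membership grants mailbox access without any per-mailbox ACE,
# so per-mailbox cleanup alone does not close the gap in that case.
if ((Get-RoleGroupMember 'Organization Management').Name -contains $acctName) {
    Write-Warning "$Account is a member of Organization Management; the rights listed below are not the whole picture."
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Full Access: explicit (non-inherited) ACEs on the mailbox itself
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User -eq $Account -and -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Right = 'FullAccess' }
            if ($Remove) { Remove-MailboxPermission -Identity $mbx.Identity -User $Account -AccessRights FullAccess -Confirm:$false }
        }

    # Send As: an extended right on the AD user object, not part of the mailbox ACL
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.User -eq $Account -and -not $_.IsInherited -and $_.ExtendedRights -like 'Send-As' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Right = 'SendAs' }
            if ($Remove) { Remove-ADPermission -Identity $mbx.DistinguishedName -User $Account -ExtendedRights 'Send-As' -Confirm:$false }
        }

    # Send on Behalf: a multi-valued mailbox attribute, matched here by account name
    if ($mbx.GrantSendOnBehalfTo.Name -contains $acctName) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Right = 'SendOnBehalf' }
        if ($Remove) { Set-Mailbox -Identity $mbx.Identity -GrantSendOnBehalfTo @{Remove = $Account} }
    }
}

# One row per mailbox/right pair found; empty output means no explicit grants exist
$findings | Sort-Object Mailbox, Right | Format-Table -AutoSize
```

Keep the report-only run's output as a record before re-running with -Remove, since the answer's point stands: anyone who can edit the Organization Management group can recreate any of these grants.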