Mailbox Rights

By kiranchinnu
Hi all,



I have a problem, guys: in our systems dept there are 5 people working and all are put as domain admins.

Everyone can open any mailbox as they are administrators.

Is there any way I can restrict them? I want this access for one or 2 guys only, as it's a security matter for the company.



Thanks in advance .

Kiran.

All Answers

Yes

by Wizard-09 In reply to Mailbox Rights

You can do this in AD: you can remove the groups or people from access to your mailbox, but if they are domain admins they can go back in and add themselves in.

But

by kiranchinnu In reply to Yes

Hi Mcnally,
Thank you very much for the reply.
It's not that they will be accessing only my mailbox; they can access all users' (approx. I have 500 users), so it will be a very time-consuming process to take the rights from every user account.

Please let me know if there is any other way.

Thanks in advance .

Are you saying all 500 can open YOUR mailbox?

by ThumbsUp2 In reply to But

If not, you don't have to change the regular users, just the ones with administrator rights.

But, I question why you would not trust the 4 other people working in your department. If someone has chosen to give them all administrator privileges in Exchange, who are you to decide they shouldn't have that privilege?

Not all 500

by kiranchinnu In reply to Are you saying all 500 ca ...

It's not that they are opening my mailbox; they can open all 500 mailboxes.

It's not trust, it's security and confidential information in mailboxes.

And my manager wants this to be with only 2, as if a breach happens then we can find out who did it.

Anyway, thanks for the reply.

Ok

by Wizard-09 In reply to Not all 500

Well, it looks like whoever set up this Exchange box made a big mistake; you need to remove the group administrators from full access or control of the mailboxes.

Tough spot to be in then.....

by ThumbsUp2 In reply to Not all 500

If I'm not mistaken, you can set the Exchange admin functions so only 2 of you have access to the administration of the mailboxes. However, if all 5 people have domain administrator access, the 3 people you selectively remove from Exchange will have the ability to add themselves back again.

So, I suppose the best thing to do is to ask your manager if he/she wishes to remove domain administrator permission from the 3 people involved. If the manager doesn't have that kind of decision making power, he/she will have to go to her/his supervisor and explain the situation.

Info

by Wizard-09 In reply to Mailbox Rights

OK, something to clear up before I start giving answers, because I want to be sure I am giving you the right one.

OK, can 500 users access any email inbox they like, or is it that all 500 users can only access your email inbox?

remove their domain admin membership

by dw_ay In reply to Mailbox Rights

Remove membership from the domain admin group for 3 or 4 persons and leave 1 or 2 persons with the highest responsibility in AD and Exchange as Domain Admins. It should be like that in managing enterprise email systems. If other persons need to do a couple of jobs that relate to AD, then give appropriate permissions like account operators, server operators, or the proper delegated rights for specific OUs, or local admin for specific servers, etc. And if the job relates to Exchange they can be given the Exchange admin view only or Exchange admin, not Exchange full admin. If there is an issue that requires domain admin rights then the other persons should escalate the issue to the person who is assigned as domain admin.

That's a tough one...

by kenrwoodson In reply to Mailbox Rights

You can't make them as domain users or other non-admin users because they'll have no way to set permissions and you can't constrain them from making GPO policies, ACLs or setting NTFS permissions because they're admins.

Only solution is to watch their activity on event logs, I suppose

Maybe if you yourself are an enterprise admin...
That's a tough one...
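
Added example (not part of any post in this thread): a PowerShell check that lists which accounts can open which mailboxes with FullAccess, expanding group grants such as Domain Admins, and reports anyone outside an approved list. The account names, the `CORP` domain and the sample rows are constructed; feeding it live data assumes an Exchange version that has `Get-MailboxPermission` and the ActiveDirectory module, which the thread does not state.

```powershell
# Added example. Rows use the property names of Get-MailboxPermission output
# (Identity, User, AccessRights, IsInherited, Deny).
function Find-UnapprovedMailboxAccess {
    param(
        [Parameter(Mandatory)] [object[]]  $Permissions,   # mailbox permission rows
        [Parameter(Mandatory)] [hashtable] $GroupMembers,  # group name -> member account names
        [Parameter(Mandatory)] [string[]]  $Approved       # the 1 or 2 accounts allowed mailbox access
    )
    foreach ($p in $Permissions) {
        # The mailbox owner's own entry is expected; Deny rows grant nothing.
        # Simplification: a Deny row is skipped, not subtracted from matching allows.
        if ($p.User -eq 'NT AUTHORITY\SELF' -or $p.Deny) { continue }
        if (@($p.AccessRights) -notcontains 'FullAccess') { continue }

        # Strip the DOMAIN\ prefix, then expand a group trustee into its members.
        $trustee  = ($p.User -split '\\')[-1]
        $accounts = if ($GroupMembers.ContainsKey($trustee)) { $GroupMembers[$trustee] } else { @($trustee) }

        foreach ($a in $accounts) {
            if ($Approved -notcontains $a) {
                [pscustomobject]@{
                    Mailbox = $p.Identity; Account = $a; Via = $p.User; Inherited = $p.IsInherited
                }
            }
        }
    }
}

# Constructed sample data mirroring the thread: 5 domain admins, 2 approved.
$groupMembers = @{ 'Domain Admins' = 'admin1','admin2','admin3','admin4','admin5' }
$approved     = 'admin1','admin2'
$sample = @(
    [pscustomobject]@{ Identity='user001'; User='NT AUTHORITY\SELF';  AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='user001'; User='CORP\Domain Admins'; AccessRights=@('FullAccess'); IsInherited=$true;  Deny=$false }
    [pscustomobject]@{ Identity='user002'; User='CORP\admin4';        AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
)

# Reports admin3, admin4, admin5 on user001 (via the group) and admin4 on user002 (direct grant).
Find-UnapprovedMailboxAccess -Permissions $sample -GroupMembers $groupMembers -Approved $approved |
    Format-Table -AutoSize

# Live input (assumed environment):
#   $perms = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
#   $groupMembers = @{ 'Domain Admins' = (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName }
```

Run on a schedule and compared against the previous output, a new row with `Inherited` set to `False` is a grant that was added directly on a mailbox since the last run.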