Become a Columnist Microsoft Exchange Site Microsoft Support SiteMSDN Exchange Site

   

Subscribe to OutlookExchange
What's New
Columnist
Anderson Patricio
Ann Mc Donough
Bob Spurzem
Brian Veal
Catherine Creary
Cherry Beado
Colin Janssen
Collins Timothy Mutesaria
Drew Nicholson
Fred Volking
Glen Scales
Goran Husman
Guy Thomas
Henrik Walther
Jason Sherry
Jayme Bowers
John Young
Joyce Tang
Justin Braun
Konstantin Zheludev
Kristina Waters
Kuang Zhang
Mahmoud Magdy
Martin Tuip
Michael Dong
Michele Deo
Mitch Tulloch
Nicolas Blank
Pavel Nagaev
Ragnar Harper
Ricardo Silva
Richard Wakeman
Russ Iuliano
Santhosh Hanumanthappa
Steve Bryant
Steve Craig
Todd Walker
Tracey J. Rosenblath
Development
More Resources
Software
Other Links
 
   

How to get access to all mailboxes in Exchange 2000 Server
 

With Exchange 5.5, this was simple because we had a service account. We simply logged in with the service account or used the credentials to gain access.  This was most helpful when we were restoring a mailbox or otherwise capturing data in a lab or temporary restore server.

SOAPBOX WARNING: I feel the need to preach a little here, so skip the next two paragraphs if you want. I am sure that I do not need to tell you guys how important it is that we not abuse our power in respect to our access to messaging servers. When we create super accounts, it makes it that much easier for someone else to abuse the system. It also makes it fairly easy for us to accidentally wipe out great amounts of data. I wasn't even sure if I should post this (or repost actually since most of the steps are already published in Q262054) because "super" access is only required in a few remote instances.

The Active Directory and Exchange 2000 now provide the ability to distribute the administrative responsibilities among different groups. We can easily give Exchange Administrators control over some systems and deny or grant certain folks with Active Directory permissions to certain Exchange settings. By handing out certain keys to certain groups of people, we can further protect our system from accidental or malicious attacks from internal systems personnel. For example, it is not always appropriate for the Domain Administrators to be able to manipulate the Exchange stores or systems, and visa-versa.

By default, Exchange Domain Servers (and Exchange services) is given full permissions of each mailbox servers in the domain. To see this setting, open the Active Directory Users and Computers MMC console that Exchange installed and click View and Advanced Features. Next, navigate to an Exchange user in the domain and select the Exchange Advanced tab on the users' properties window. Now select Mailbox Rights. While you are here, select the Domain Admins and Enterprise Admins and notice that they have both been given Deny access to Full Mailbox access. what this means is that if you are a member of both the Exchange Domain Servers and one of the Admin groups, you will not have access to the other mailboxes. If you are not a member the Enterprise or Domain admin groups and are in the Exchange Domain Servers group, then you will have access.

Be patient when you add someone to this group. In my lab, the account did not have immediate access. Remember that the domain controllers have to replicate changes. In my case, I rebooted the Exchange server which is also the DC and Global Catalog Server. Only after that reboot was the select account able to open all mailboxes in the domain.

For additional information, see the Microsoft support article at: http://support.microsoft.com/support/kb/articles/Q262/0/54.ASP
 

How to get access to all mailboxes in Exchange 2000 Server
 

Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008