Regain service-account access to user mailboxes

Exchange 5.5, by default, allows the administrator to access the mailboxes of users to read or delete emails freely via the Service Account Admin privilege. Exchange administrators sometimes take this out-of-the-box behavior for granted, and then they're surprised to find that they can no longer do this when they upgrade from 5.5 to 2000. In Exchange 2000, service-account access to user mailboxes is turned off by default as a security precaution.

The most common way for administrators to bump into this problem is to build a new server to replace an old one then attempt to move mailboxes between servers manually. Unfortunately, that generates an error stating that the admin does not have sufficient privileges to do this.

The easy way to allow access to all mailboxes through the Service Account is to add the account in question to the Exchange Services or Exchange Domain Server group. However, this only works if you are not the Administrator or a member of the Domain Admins or Enterprise Admins groups.

Another method is to grant Windows (i.e., system) admins rights to all mailboxes in the entire Exchange organization. This can be done by simply changing the permissions on the organization object at the top of the Exchange System Manager tree for that account, or for the group it belongs to. Normally, the rights of administrators on the organization object are explicitly denied through the Receive As and Send As rights, so to provide access, clear these denials. (Note that if the account belongs to an administrator group that is still being denied access to that object, the group-level denial takes precedence.)

To change the permissions, you will need to force the Security tab to appear on all objects in the Exchange management console. Open the Registry and edit the key HKEY_CURRENT_USERSoftwareMicrosoftExchangeExAdmin, and add a DWORD value named ShowSecurityPage. Set it to 1; Exchange does not need to be restarted for this to take effect, but you may need to close and open the management console to see the Security tabs.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators -- please share your thoughts as well!

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Server Administration Tips Microsoft Exchange Server mailbox recovery using database portability Plan an Exchange 2007 standby continuous replication (SCR) deployment Set up messaging records management (MRM) in Exchange Server 2007 How Microsoft's new support policy for virtualized Exchange will affect you Why too much memory can hurt Exchange Server 2007 performance Microsoft Exchange Server backup method pros and cons Migrating .PST files to an Exchange Server information store Virtualizing Exchange Server 2007 with Microsoft's Hyper-V Configure SMTP connection limits in Exchange Server 2003 and SBS Five Microsoft Exchange Server backup worst practices Microsoft Exchange Server Mailbox Management How to verify Exchange Server email forwarding Use the Exchange Management Shell Set command to block senders Uncovering Microsoft Outlook 2007's hidden diagnostic tools How to keep a copy of migrated Exchange mailboxes on original server Monitor mail flow with the Exchange Server 2007 Queue Viewer tool Migrating resource mailboxes from Exchange 2003 to Exchange 2007 Methods for moving mailboxes and public folders to Exchange 2007 Email archiving and retention with Exchange 2007 managed folders Install the Outlook Connector to use Hotmail in Microsoft Outlook Reconfigure an existing Exchange Server user account for a new user Microsoft Exchange 2000 Server Error 1053: Exchange System Attendant service could not start Solve server problems with the Exchange Troubleshooting Assistant tool Move mailboxes to Exchange 2007 after Windows upgrade Third-party tools that modify NDRs for oversized email IP address changes for an Exchange 2000 recovery server Exchange Server 2003 tips and tricks -- 7 tips in 7 minutes How to enable Exchange Server public folder logging Deciphering an 0xc103798a Exchange Server setup error code Exchange Server error message: 'A non-delivery report with a status code of 5.4.0 was generated for recipient' New Exchange Server installation not receiving SMTP or POP3 email Microsoft Exchange 2000 Server Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary messaging server  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.