Regain service-account access to user mailboxes

Exchange 5.5, by default, allows the administrator to access the mailboxes of users to read or delete emails freely via the Service Account Admin privilege. Exchange administrators sometimes take this out-of-the-box behavior for granted, and then they're surprised to find that they can no longer do this when they upgrade from 5.5 to 2000. In Exchange 2000, service-account access to user mailboxes is turned off by default as a security precaution.

The most common way for administrators to bump into this problem is to build a new server to replace an old one then attempt to move mailboxes between servers manually. Unfortunately, that generates an error stating that the admin does not have sufficient privileges to do this.

The easy way to allow access to all mailboxes through the Service Account is to add the account in question to the Exchange Services or Exchange Domain Server group. However, this only works if you are not the Administrator or a member of the Domain Admins or Enterprise Admins groups.

Another method is to grant Windows (i.e., system) admins rights to all mailboxes in the entire Exchange organization. This can be done by

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Exchange Server Administration Tips Fixing DPM 2007 inconsistent replica errors in Exchange Server Using Mobile Device Manager 2008 server roles in Exchange 2007 An introduction to the DSAccess service in Exchange Server 2007 Exchange Performance Monitor tracks domain controller communication Exchange Server 2007 SP2 reinstates built-in backup capabilities Three Performance Monitors counters to use in Exchange Server 2007 Scheduling multiple Performance Monitor alerts in Exchange Server 2007 Which ActiveSync authentication method is best for your mobile device? Configure Performance Monitor alerts for Exchange Server 2007 Disable ActiveSync in bulk with Exchange Management Shell commands Microsoft Exchange Server Mailbox Management Troubleshoot 'System Attendant' error messages in OWA Relocating Outlook email messages on a hosted Exchange 2007 server Performing advanced search queries in Microsoft Outlook 2007 Exchange Server 2010 public beta rolls out new features Microsoft Exchange Server email archiving tutorial Using the Export-Mailbox command in Exchange Server 2007 How Windows Desktop Search works in Microsoft Outlook 2007 ExMerge gotchas to watch for when migrating Exchange 2003 mailboxes Migrating mailboxes across domains with the Exchange Management Console When to use Move Mailbox Wizard or ExMerge to move Exchange mailboxes Microsoft Exchange 2000 Server Troubleshooting Outlook calendar errors on a BlackBerry device How to move Exchange 2000 to new server hardware Error 1053: Exchange System Attendant service could not start Solve server problems with the Exchange Troubleshooting Assistant tool Move mailboxes to Exchange 2007 after Windows upgrade Third-party tools that modify NDRs for oversized email IP address changes for an Exchange 2000 recovery server Exchange Server 2003 tips and tricks -- 7 tips in 7 minutes How to enable Exchange Server public folder logging Deciphering an 0xc103798a Exchange Server setup error code Microsoft Exchange 2000 Server Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary messaging server  (SearchExchange.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

simply changing the permissions on the organization object at the top of the Exchange System Manager tree for that account, or for the group it belongs to. Normally, the rights of administrators on the organization object are explicitly denied through the Receive As and Send As rights, so to provide access, clear these denials. (Note that if the account belongs to an administrator group that is still being denied access to that object, the group-level denial takes precedence.)

To change the permissions, you will need to force the Security tab to appear on all objects in the Exchange management console. Open the Registry and edit the key HKEY_CURRENT_USERSoftwareMicrosoftExchangeExAdmin, and add a DWORD value named ShowSecurityPage. Set it to 1; Exchange does not need to be restarted for this to take effect, but you may need to close and open the management console to see the Security tabs.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators -- please share your thoughts as well!

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.