Regain service-account access to user mailboxes

Exchange 5.5, by default, allows the administrator to access the mailboxes of users to read or delete emails freely via the Service Account Admin privilege. Exchange administrators sometimes take this out-of-the-box behavior for granted, and then they're surprised to find that they can no longer do this when they upgrade from 5.5 to 2000. In Exchange 2000, service-account access to user mailboxes is turned off by default as a security precaution.

The most common way for administrators to bump into this problem is to build a new server to replace an old one then attempt to move mailboxes between servers manually. Unfortunately, that generates an error stating that the admin does not have sufficient privileges to do this.

The easy way to allow access to all mailboxes through the Service Account is to add the account in question to the Exchange Services or Exchange Domain Server group. However, this only works if you are not the Administrator or a member of the Domain Admins or Enterprise Admins groups.

Another method is to grant Windows (i.e., system) admins rights to all mailboxes in the entire Exchange organization. This can be done by simply changing the permissions on the organization object at the top of the Exchange System Manager tree for that account, or for the group it belongs to. Normally, the rights of administrators on the organization object are explicitly denied through the Receive As and Send As rights, so to provide access, clear these denials. (Note that if the account belongs to an administrator group that is still being denied access to that object, the group-level denial takes precedence.)

To change the permissions, you will need to force the Security tab to appear on all objects in the Exchange management console. Open the Registry and edit the key HKEY_CURRENT_USERSoftwareMicrosoftExchangeExAdmin, and add a DWORD value named ShowSecurityPage. Set it to 1; Exchange does not need to be restarted for this to take effect, but you may need to close and open the management console to see the Security tabs.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators -- please share your thoughts as well!

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Server Administration Tips Remove Exchange 2003 objects from AD to install Exchange 2010 Don'ts for optimal Exchange 2007 mailbox server efficiency Is your Exchange 2007 hub transport server healthy? Avoid Outlook 2007 performance issues during repairs Developing an Exchange 2007 server role DR plan How DSAccess service improves Exchange Server 2007 reliability An introduction to the Exchange Remote Connectivity Analyzer tool Monitor Exchange 2007 with disk- and RPC-related counters DPM 2007 replica inconsistencies in Exchange databases Track Exchange 2007 mailbox server health using database counters Microsoft Exchange Server Mailbox Management Show hidden email addresses in a GAL on Exchange Server 2003 Industry expert analyzes future of messaging Delivering email between Exchange server test and production domains Microsoft Outlook error message: 'Mailbox Size Limit exceeded' Restoring user accounts and mailbox links in Active Directory Problems receiving email from outside a Exchange Server 2003 domain Best practices for moving mailboxes in Exchange Server Exchange admins: Is it time to rethink your email address policy? Exchange Server 2003 collects email from only specific POP3 domains Troubleshoot 'System Attendant' error messages in OWA Microsoft Exchange Server Permissions Exchange users receiving email addressed to legacy users Restrict access to Outlook Web Access via Exchange System Manager Why you should secure Exchange 2007 using administrative policies Editing Exchange Server public folder permissions Can't delete old Microsoft Outlook public folders Why can't I grant users permissions to an Exchange public folder? Exchange public folder calendar can't be opened in Microsoft Outlook Grant or deny permissions to access a user's Exchange 2007 mailbox Set Outlook calendar permissions for group to view private meetings Exchange Admin 101: Exchange 2003 and Exchange 2007 admin privileges RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bounce email  (SearchExchange.com) messaging server  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.