No announcement yet.

default permissions in new exchange 2003 deployment

  • Filter
  • Time
  • Show
Clear All
new posts

  • default permissions in new exchange 2003 deployment

    Hi All,

    Not sure if anyone understands this but we have just setup the first exchange 2003 server in our environment as we are migrating from Domino R7. The thing that is confusing me is that I'm an enterprise admin in our AD forest, and also a domain admin in the current domain but for some reason I have no access to other users mailboxes or anything and it seems my user account has implicit deny on the mail storage group. I am unable to change this and yet I rolled out and setup this exchange server? I've read a few articles on this website related to this problem but I cannot change these permissions as I cannot find the root object from where these permissions are being inherited. I can understand the reasons, in terms of privacy etc. but we are still in a testing phase moving domino .nsf files into exchange mailboxes and I need to see the results of my work. Anyway can anyone help me?

    MCSE 2003 CCNA

  • #2
    Re: default permissions in new exchange 2003 deployment

    Are you an "Exchange Full Admin"
    IIRC you will still need to give yourself permissions to other mailboxes

    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: default permissions in new exchange 2003 deployment

      The behaviour you are seeing is by design.
      You can give yourself all the permissions that you want and you still will not get access to all mailboxes.

      My personal opinion is that an Exchange administrator does not need access to all mailboxes. I don't have that permission on any of the servers that I administrate.

      If I need to access the mailbox I grant myself the permission as required, do what is required and then remove the permission.
      I also have logging enabled high enough to show the permissions changes, so if the accusations start flying about unauthorised access I can show who did and did not have permissions at that time.

      Don't try and change the permissions in Exchange unless you really know what you are doing.

      There is something called service account permission which you can grant an account, but again it isn't something that I recommend as it just isn't needed.

      Simon Butler
      Exchange MVP

      More Exchange Content:
      Exchange Resources List:
      In the UK? Hire me:

      Sembee is a registered trademark, used here with permission.


      • #4
        Re: default permissions in new exchange 2003 deployment

        Hi All,

        Thanks for the replies. I thought it was by design, sounds like a great idea in terms of fitting in with policy and procedure. Just a bit of a pain in the testing phase of a Lotus Domino to Exchange migration when you really need to get a good understanding of what migrating mailboxes actually does.


        MCSE CCNA