How to prevent users (including domain admins) from accessing other mailboxes?


  • How to prevent users (including domain admins) from accessing other mailboxes?

    I just came across a major security issue where some of our domain admins are able to access the mailbox for any of our users via Outlook. Is there a way to prevent that so they are only able to access a user's mailbox via the Exchange Server rather than through Outlook? Any help would be greatly appreciated.

  • #2
    Re: How to prevent users (including domain admins) from accessing other mailboxes?

    Whhhaaaaaat?!?!?!

    How are your Domain Admins meant to provide support to users of your network services if they do not have full access?

    As an Exchange Administrator, to be able to log into a user's mailbox and SEE the problem THEY are seeing is absolutely INVALUABLE. You will be cutting off their right arm.

    Do you SERIOUSLY THINK that allowing your internal (or outsourced) IT staff to do this is a SECURITY RISK?! If so, then please immediately fire them all and hire a team you can trust implicitly.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: How to prevent users (including domain admins) from accessing other mailboxes?

      You cannot access a mailbox "via the Exchange server" -- you need to use some client, typically Outlook or OWA.

      What version of Exchange are you using?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: How to prevent users (including domain admins) from accessing other mailboxes?

        Originally posted by Stonelaughter
        Whhhaaaaaat?!?!?!

        How are your Domain Admins meant to provide support to users of your network services if they do not have full access?

        As an Exchange Administrator, to be able to log into a user's mailbox and SEE the problem THEY are seeing is absolutely INVALUABLE. You will be cutting off their right arm.

        Do you SERIOUSLY THINK that allowing your internal (or outsourced) IT staff to do this is a SECURITY RISK?! If so, then please immediately fire them all and hire a team you can trust implicitly.
        Yes, absolutely! And anyway, even if you did lock Admins out, they could easily change a user's password and log in as that user... so perhaps you need to examine who is an Admin and whether or not you trust them, which is Stonelaughter's point. Fix the cause, not the symptom.
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



        • #5
          Re: How to prevent users (including domain admins) from accessing other mailboxes?

          I have full unrestricted access to every mailbox in the domain where I work.

          As the Domain admin I need this function to allow me to correctly diagnose issues.

          As has been previously said it is all down to trust. If you don't trust your admin you are in for a shock. These people need to have this access to your domain to allow them to work correctly.

          Abusing this trust is another matter. I for one would never, without express permission from the user, access a mailbox. I even ask them to send me an email asking for me to do it.

          If you don't trust em bin em
