Block Enterprise Admin from Mailbox access


  • Block Enterprise Admin from Mailbox access

    We are running SBS 2003 and we believe that one of our Admins is reading other people's mailboxes.

    If we put him in the domain admin group he is blocked from modifying mailbox permissions but there is nothing to stop him from adding himself to the Enterprise Admins group which then gives him access.

    Is there any way to prevent him from accessing mailboxes?

    There are two things I can think of, but I would appreciate confirmation of their viability, or another option if you can suggest one (he can't be dismissed):

    a. Set a group policy so that the Enterprise Admins group stays empty (with frequent refresh of policy). The downside is that he will still have access until the refresh.

    b. Set the default settings in Exchange so that Enterprise Admins are denied full mailbox access (like Domain Admins). I don't know if this can break anything.

    There will still be the "Administrator" User that will have full access.

    Thank you for your help

  • #2
    Re: Block Enterprise Admin from Mailbox access

    The only way is to make sure he is not in Domain Admins, Administrators, and Enterprise Admins. You don't want to do the steps you suggested or you will break things.

    If he needs some administrative ability then you can create a custom group and delegate the appropriate permissions to it.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Block Enterprise Admin from Mailbox access

      Remove him from the Exchange Servers group and that should stop him accessing email.



      • #4
        Re: Block Enterprise Admin from Mailbox access

        Originally posted by wullieb1:
        > Remove him from the Exchange Servers group and that should stop him accessing email.
        But if he's a member of Domain Admins he can just grant himself the rights or add himself back.
        Regards,
        Jeremy



        • #5
          Re: Block Enterprise Admin from Mailbox access

          Yep, you're correct.

          The thing that strikes me about this is that it really should be a HR issue and a reprimand.

          If this user is abusing his rights then they should be removed from him/her.



          • #6
            Re: Block Enterprise Admin from Mailbox access

            If he does this without the users' permission (for example during troubleshooting) then he shouldn't be an administrator in the first place.
            An Administrator should be a trusted person, given his permissions and rights.

            I concur with wullieb1 that this is an HR case.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"



            • #7
              Re: Block Enterprise Admin from Mailbox access

              Thank you all for your replies.

              I've been away so not able to respond sooner.

              Unfortunately we can't do anything to him or his access, and management have asked me to find a way to block the email reading access.

              The IT dept is always expected to find solutions instead of the right thing (kicking the guy where it hurts).

              I'll pass your comments on.

              Thanks



              • #8
                Re: Block Enterprise Admin from Mailbox access

                Yeah, management is like that. Just outline for them how this person can do his job effectively without being a Domain Admin, since there really isn't a way to restrict a DA from doing anything other than to remove them from that group. Also, you'll need to emphasize the dangers of playing around with built-in groups.
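                Following on from the point made in #4 and #8, that a Domain Admin can simply add himself back to a privileged group, the check a practitioner would want is to at least detect it. The script below is an added example and is not from any poster in this thread: it scans a constructed, simplified export of security-log "member added" events and flags additions to Domain Admins, Enterprise Admins, Administrators or Schema Admins, marking the case where the actor adds his own account. It assumes a pipe-delimited format (timestamp|event_id|actor|member|group) made up for the example, not the real Windows Server 2003 event log layout; the event IDs 632, 636 and 660 are the Windows Server 2003 member-added events for global, local and universal groups.

```python
"""Flag additions to privileged AD groups, especially self-additions.

Added example. The log format is a constructed, simplified export
(timestamp|event_id|actor|member|group), not the real Windows Server 2003
event log layout. Event IDs 632, 636 and 660 are the Windows Server 2003
"member added" events for global, local and universal groups respectively.
"""
from dataclasses import dataclass

# Built-in groups whose members can grant themselves Exchange mailbox rights
# (assumed list for the example; extend for your environment).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins",
}

# Windows Server 2003 security events: member added to global/local/universal group.
MEMBER_ADDED_EVENTS = {"632", "636", "660"}

# Constructed sample export: timestamp|event_id|actor|member|group.
# The 661 line is a universal-group member *removed* event and must be ignored.
SAMPLE_LOG = """\
2009-03-02 08:12:04|632|CORP\\Administrator|CORP\\svc-backup|Backup Operators
2009-03-02 09:40:17|660|CORP\\jsmith|CORP\\jsmith|Enterprise Admins
2009-03-02 09:41:02|632|CORP\\jsmith|CORP\\jsmith|Domain Admins
2009-03-02 10:05:33|660|CORP\\Administrator|CORP\\auditor|Enterprise Admins
2009-03-02 10:06:10|661|CORP\\Administrator|CORP\\auditor|Enterprise Admins
2009-03-02 11:15:00|632|CORP\\Administrator|CORP\\helpdesk|Account Operators
"""


@dataclass(frozen=True)
class Alert:
    when: str
    actor: str
    member: str
    group: str
    self_add: bool  # True when the actor added his own account


def parse_line(line):
    """Split one export line into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    when, event_id, actor, member, group = parts
    return {"when": when, "event_id": event_id, "actor": actor,
            "member": member, "group": group}


def find_privileged_additions(log_text, privileged=PRIVILEGED_GROUPS):
    """Return an Alert for every member-added event targeting a privileged group."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event_id"] not in MEMBER_ADDED_EVENTS:
            continue
        if rec["group"] not in privileged:
            continue
        alerts.append(Alert(
            when=rec["when"], actor=rec["actor"], member=rec["member"],
            group=rec["group"],
            self_add=rec["actor"].lower() == rec["member"].lower(),
        ))
    return alerts


def self_escalations(alerts):
    """Filter alerts down to the ones where an admin added himself."""
    return [a for a in alerts if a.self_add]


if __name__ == "__main__":
    for a in find_privileged_additions(SAMPLE_LOG):
        tag = "SELF-ADD" if a.self_add else "add"
        print(f"{a.when} {tag}: {a.actor} added {a.member} to {a.group}")
```

                Run against the sample, the script reports three privileged additions, two of which are jsmith adding himself to Enterprise Admins and Domain Admins. Detection is not prevention (a Domain Admin can also clear the log), so forward the security log to a box he cannot administer before relying on this.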
