Article ID: 821897 - View products that this article applies to.
For a Microsoft Exchange 2000 Server version of this article, see 262054
This article discusses how to grant permissions to all mailboxes. Granting access to all mailboxes can be useful when you are completing tasks such as offline recovery.
Caution Do not use this procedure in a production environment to allow unauthorized access to user data. Doing so might violate your corporate privacy and security policies. Implement an auditing plan on your network to detect and to record improper use of network administrative credentials by system administrators.
In Microsoft Exchange Server 5.5, when you grant Service Account Admin access rights on the Site container to a Microsoft Windows-based account, you grant that account unrestricted access to all mailboxes. In Microsoft Exchange 2000 Server and Exchange Server 2003, there is no service account, and even accounts with Enterprise Administrators rights are denied rights to gain access to all mailboxes.
Note In Microsoft Windows 2000 Server and Microsoft Windows Server 2003, services typically run under the account of the computer where they are installed. This account is the local system account (LocalSystem), and its password is created and recycled by Windows 2000 or Windows Server 2003. By default, you can use this service account to gain access to the Exchange mailbox, the public folder stores, and other Windows resources for performing mail transfer and directory synchronization.
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. All Exchange Server 2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.
You can override this default restriction in several ways, but do so only in accordance with your organization's security and privacy policies. Frequently, overriding the default restriction is appropriate only in a recovery server environment.
To grant your administrative account access through Exchange System Manager to all mailboxes in a single database regardless of inherited denials:
After you change permissions, you may have to log off and log back on. Microsoft also recommends that you stop and restart all Exchange services. If you have multiple domain controllers in the forest, you may also have to wait for directory replication to complete.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/259221/ )Security tab not available on all objects in System Manager
Article ID: 821897 - Last Review: December 3, 2007 - Revision: 7.5