Block Admin Account From OWA Access

[soulestream]

We have a domain administrator account that runs several routines and processes. We are trying to restrict the access of this account, from being able to access mailboxes via OWA.

The account needs to be able to access exchange on servers, so blocking it at the exchange server side isn't working.

I am trying to block it at https:\\

http://www.mydomain.com\exchange.

However, that points to a virtual directory and I don't see where I can set permissions there. With 2003, there is no "M:" drive and I am assuming \\.\BackOfficeStorage points to another virtual location.



Disabling OWA access on its AD account, blocks it from accessing its own mailbox via OWA, but not other users.

Any suggestions would be very appreciated. Everytime we have a IT employee leave, we have to change passwords for 3 days. We have closed all external access for this account, but this one is being a pain.

Thanks

 

[MarkArnold]

Every time an IT person leaves there should be a mass changing of the passwords that the person was privvy to or at least the passwords of those accounts that could be used to gain access from outside the corporate network so I wouldn't want to steer you away from doing anything to negate that necessary work.

Setting up a policy that denied the log on locally right to the account in question onto the Exchange Front Ends is one way. Also denying the account access rights in IIS is another accepted way.

 

[ntinlin]

Presumably you have given full mailbox access rights to all Domain Admin accounts?

Why not just create a Messaging Admin group with anybody you need to have access to the mailboxes, give that full rights and Deny domain admins.

Separation of powers and rights is always a good idea.

Neill