Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

OWA 5.5 - Why can Domain Admins can open any mailbox?!

Status
Not open for further replies.

zaresa

IS-IT--Management
Apr 9, 2002
72
US
Recently installed OWA 5.5 on a W2K server (my Exchange is on a seperate NT 4.0 machine) and I am in the process of testing it.

I noticed that Domain Admins can open any mailbox simply by choosing a different alias at the logon screen. This is true even if the Domain Admin is not given permission to the mailbox on Exchange.

Is this normal functionality? Is there a way I can change this via permissions on the OWA server? Although I am the NetAdmin, I've had to give a couple of non-technical managers Domain Admin rights just in case I drop dead. I would be very uncomfortable with these people having this kind of right.

Conversely, users that HAVE be given permissions to other user email accounts CANNOT open these mailboxes. Any help would be greatly appreciated.
 
Correction to above...it looks like it is all Exhange Service Accounts (which also happen to be Domain Admins)that have these rights. Once again, is there a way that I can limit access to mailboxes as per the permissions on the Exchange server.

Thanks again,
 
Eight....two are for me and the other Admin. Three are for non-technical company managers who need these accounts "just in case" (although they have gone in at times and tinkered with things). Three are for service accounts that require DA rights to run the applications.

My concern is that if these managers figure out that they can open any mailbox they will abuse this. If the functionality only applies to Exchange service accounts then the number drops down to approx. 5 users...still 2 more than I am comfortable with.
 
I would almost create a second domain admin group and set them up with the permissions they need and nothing more. Or I would give each use the permissions that they need and not let them have the administrator account. Craig

 
Sure, if you go to File/Properties in Exchange Administrator you can click on the permissions tab you can set their access level there.
 
Thanks everyone...I figured it out by process of elimination. Giving the user permissions w/i the Configuration container on Exchange is where this right comes from. It is not related to DA rights at all.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top