Article ID: 959748
In an Exchange Server 2007 environment, a domain user account can be given "Exchange View-Only Administrator" permission by using the Exchange Administration Delegation Wizard at the organization level. You expect that the account that has the "Exchange View-Only Administrator" permission can view the Exchange configuration only. However, the account can read the contents of any message in a mailbox store in the organization. For example, the account that has the "Exchange View-Only Administrator" permission can access the contents of the other users' mailboxes by using the Public Folder Distributed Authoring (PFDavAdmin) tool or the Versioning (DAV)-based administration tool.
A feature is now included with Update Rollup 8 for Exchange 2007 Service Pack 1 to change this behaviour.
For more information about Update Rollup 8 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 8 for Exchange Server 2007 Service Pack 1
For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007
Warning: You should test the change before you install the hotfix and implement the change because it may affect some third-party applications that access Exchange data by using the administrative logon and the "Exchange View-Only Administrator" permission.
After you install the hotfix, you have to create the Restrict View-Only Administrator Access Right registry entry on the Exchange server for this hotfix to work. If you do not create this registry entry, or if the registry setting is set to zero, accounts that have the "Exchange View-Only Administrator" permission can still access mailbox contents in a mailbox store. To set the registry entry, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/959745/) An Exchange View-Only Administrator can review user mailbox contents by using an administrative application
For more information about Exchange 2007 permissions, visit the following Web site:
http://technet.microsoft.com/en-us/library/bb310792.aspx
For more information about the Exchange access control process, visit the following Web site:
http://technet.microsoft.com/en-us/library/bb123461(EXCHG.65).aspx
For more information about accessing Exchange objects, visit the following Web site:
Article ID: 959748 - Last Review: May 19, 2009 - Revision: 1.1