An account with the "Exchange View-Only Administrator" permission can review user mailbox contents by using an administrative application in Exchange Server 2007

Article ID: 959748

SYMPTOMS

In an Exchange Server 2007 environment, a domain user account can be given the "Exchange View-Only Administrator" permission by using the Exchange Administration Delegation Wizard at the organization level. You would expect an account that has the "Exchange View-Only Administrator" permission to be able to view only the Exchange configuration. However, the account can read the contents of any message in any mailbox store in the organization. For example, an account that has the "Exchange View-Only Administrator" permission can open other users' mailboxes by using the Public Folder Distributed Authoring and Versioning (DAV) based administration tool (PFDavAdmin), because the permission grants the administrative logon that such tools use to access the store.

RESOLUTION

Update Rollup 8 for Exchange Server 2007 Service Pack 1 adds a feature that changes this behavior. The feature is not active until you install the update rollup and enable it through the registry entry that is described later in this article.

For more information about Update Rollup 8 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 8 for Exchange Server 2007 Service Pack 1
For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007
Warning: Test this change in a non-production environment before you install the update rollup and enable the restriction, because it may break third-party applications (backup, archiving, or migration tools, for example) that access Exchange data by using the administrative logon together with the "Exchange View-Only Administrator" permission.

After you install the update rollup, you must create the Restrict View-Only Administrator Access Right registry entry on each Exchange server that hosts a mailbox store for the change to take effect. If this registry entry does not exist, or if its value is 0, accounts that have the "Exchange View-Only Administrator" permission can still read mailbox contents in a mailbox store. The value name must match exactly, including the hyphen in "View-Only". To create the registry entry, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. In the details pane, type Restrict View-Only Administrator Access Right, and then press ENTER.
  5. Right-click Restrict View-Only Administrator Access Right, and then click Modify.
  6. In the Edit DWORD Value dialog box, click Decimal under Base.
  7. In the Value data box, type 1, and then click OK.
  8. Close Registry Editor.
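The following PowerShell script is an added example and is not part of KB 959748 or of any Microsoft tool. It covers both the Symptoms section (which accounts hold the View-Only Administrator role, and therefore can read mailboxes until the restriction is enabled) and the Resolution steps (creating the DWORD value and reading it back so that a missing value, a value of 0, or a value created with the wrong type is caught). Assumptions: it runs in the Exchange Management Shell on an Exchange 2007 SP1 mailbox server after Update Rollup 8 is installed; the role label "ViewOnlyAdmin" is the value that Get-ExchangeAdministrator reports for organization-level View-Only Administrators; the key path and value name are taken from the article; and the function names are the example's own.

```powershell
# Added example, not from KB 959748. Audit View-Only Administrators, then
# create and verify the "Restrict View-Only Administrator Access Right" value.
# Assumptions: Exchange Management Shell, Exchange 2007 SP1 with Update Rollup 8
# installed, run on every server that hosts a mailbox store.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$ValueName = 'Restrict View-Only Administrator Access Right'   # name from the article; exact match required

function Get-ViewOnlyAdministrators {
    # Lists accounts delegated the View-Only Administrator role. Until the
    # restriction is enabled, every one of these can read any mailbox store.
    if (-not (Get-Command Get-ExchangeAdministrator -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-ExchangeAdministrator is not available; run this from the Exchange Management Shell.'
        return @()
    }
    Get-ExchangeAdministrator |
        Where-Object { $_.Role -eq 'ViewOnlyAdmin' } |   # assumed role label (not in the article)
        Select-Object Identity, Role, Scope
}

function Get-ViewOnlyRestrictionState {
    # $true only when the value exists, is a DWORD, and is non-zero.
    # Missing value, value 0, or a REG_SZ "1" all leave mailboxes readable.
    if (-not (Test-Path $KeyPath)) { return $false }
    $key = Get-Item $KeyPath
    if (-not ($key.GetValueNames() -contains $ValueName)) { return $false }
    if ($key.GetValueKind($ValueName) -ne 'DWord') {
        Write-Warning "$ValueName exists but is not a DWORD; the store will not honor it."
        return $false
    }
    return ([int]$key.GetValue($ValueName)) -ne 0
}

function Set-ViewOnlyRestriction {
    # Creates (or corrects) the DWORD value and returns the verified state.
    if (-not (Test-Path $KeyPath)) {
        throw "$KeyPath not found; is this an Exchange 2007 server with the Mailbox role?"
    }
    $key = Get-Item $KeyPath
    if (($key.GetValueNames() -contains $ValueName) -and ($key.GetValueKind($ValueName) -ne 'DWord')) {
        # Set-ItemProperty would keep the wrong type, so remove and recreate it.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    # Assumption: the article does not say whether the store re-reads this value
    # while running; plan a restart of the Microsoft Exchange Information Store
    # service in a maintenance window unless you have verified otherwise.
    return (Get-ViewOnlyRestrictionState)
}

# Usage
'Accounts holding View-Only Administrator:'
Get-ViewOnlyAdministrators | Format-Table -AutoSize
'Restriction active before change: ' + (Get-ViewOnlyRestrictionState)
'Restriction active after change:  ' + (Set-ViewOnlyRestriction)
```

Run the audit first on any server, then the set-and-verify part on each mailbox server; a result of False after Set-ViewOnlyRestriction means the value could not be written as a DWORD and the View-Only Administrators listed above still have mailbox read access.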

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
959745 An Exchange View-Only Administrator can review user mailbox contents by using an administrative application

For more information about Exchange 2007 permissions, visit the following Web site:
http://technet.microsoft.com/en-us/library/bb310792.aspx
For more information about the Exchange access control process, visit the following Web site:
http://technet.microsoft.com/en-us/library/bb123461(EXCHG.65).aspx
For more information about accessing Exchange objects, visit the following Web site:
http://technet.microsoft.com/en-us/library/aa996278(EXCHG.65).aspx

Properties

Article ID: 959748 - Last Review: May 19, 2009 - Revision: 1.1
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 1, when used with:
    • Microsoft Exchange Server 2007 Enterprise Edition
    • Microsoft Exchange Server 2007 Standard Edition
Keywords: 
kbhotfixrollup kbexpertiseadvanced kbqfe KB959748
