Caution Do not use this procedure in a production environment to allow unauthorized access to user data. Doing so might violate your corporate privacy and security policies. Implement an auditing plan on your network to detect and to record improper use of network administrative credentials by system administrators.
Note In Microsoft Windows 2000 Server and Microsoft Windows Server 2003, services typically run under the account of the computer where they are installed. This account is the local system account (LocalSystem), and its password is created and recycled by Windows 2000 or Windows Server 2003. By default, you can use this service account to gain access to the Exchange mailbox, the public folder stores, and other Windows resources for performing mail transfer and directory synchronization.
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. All Exchange Server 2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.
You can override this default restriction in several ways, but do so only in accordance with your organization's security and privacy policies. Frequently, overriding the default restriction is appropriate only in a recovery server environment.
To grant your administrative account access through Exchange System Manager to all mailboxes in a single database regardless of inherited denials:
- Start Exchange System Manager, and then locate the database you want to have full mailbox access to.
- Open the properties of this object, and then click the
- Grant your account full explicit permissions on the object, including Receive As permissions.
Deny and Allow permissions assigned to your account. The unavailable permissions indicate that by inheritance you have been denied permission, but that you have inherited permissions at this level. In the Windows permissions model, explicitly granted permissions override inherited permissions. Note that an explicit Allow at a lower level permission overrides an explicit Deny from a higher level permission only on the single object where the override is set, not on that object's child objects. This prevents you from granting yourself permissions on a server to gain access to each database; you must grant permissions on databases individually.
After you change permissions, you may have to log off and log back on. Microsoft also recommends that you stop and restart all Exchange services. If you have multiple domain controllers in the forest, you may also have to wait for directory replication to complete.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 821897 - Last Review: Mar 15, 2008 - Revision: 1