This article was previously published under Q303709
This article has been archived. It is offered "as is" and will no longer be updated.
If users are members of the local Administrators group on the Exchange Server computer that their mailboxes reside on, those users may send mail representing anyone in the organization.
When a user sends a message representing another user or group, the information store performs an access check based on the sender's current access token and the security descriptor of the object in Active Directory that the sender is attempting to represent. Microsoft Windows 2000 always considers the built-in group of local administrators to have the highest available privileges on the local computer or any computer in the domain (respectively); therefore, Windows 2000 grants any requested rights, including the Send As right.
To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack
The English version of this fix should have the following file attributes or later:
Component: Information store
NOTE: Because of file dependencies, this update requires Microsoft Exchange Server 2000 Service Pack 1.
After this fix is applied, the information store creates a restricted user token, removing either of these built-in groups, before the information store checks for the necessary permissions.
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 2.