XADM: Account Operators Can Obtain Access to All of the Mailboxes

This article was previously published under Q309718
This article has been archived. It is offered "as is" and will no longer be updated.
Account Operators and Domain Administrators in Active Directory have permissions to add and remove users from group objects; because of this, Account Operators and Domain Administrators in Active Directory can add themselves to the Exchange Domain Servers group. If Domain Administrators or Enterprise Administrators add themselves to the Exchange Domain Servers group, they still cannot gain access to mailboxes, because each database carries an inherited deny Access Control Entry (ACE) for the Receive As permission that applies to members of these groups.

However, there is no inherited or explicit Access Control Entry (ACE) that denies Account Operators in the same way, so an Account Operator who joins the Exchange Domain Servers group assumes that group's permissions on the information store. Therefore, an Account Operator from any domain that contains an Exchange 2000 server can gain access to all of the mailboxes: Account Operators have permissions to add themselves (or someone else) to the Exchange Domain Servers group, which grants Send As and Receive As permissions on all of the information store databases.
To work around this behavior, apply the EDSLock.vbs script. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
313807 XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group
Applying the EDSLock.vbs script tightens the security for members of the Exchange Domain Servers group such that members of this group do not have permissions to access all mailbox stores and public folders in the Exchange organization.

In addition, Microsoft recommends that administrators change the default permissions on the Exchange Domain Servers group so that Account Operators only have read access to this group. If you do so, Account Operators cannot add themselves to the Exchange Domain Servers group.
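The following is an added example, not part of the Knowledge Base article: a PowerShell script that audits the ACL on the Exchange Domain Servers group object for ACEs that let Account Operators change its membership, and optionally replaces them with read-only access. It assumes the ActiveDirectory module (RSAT) with its AD: drive is available; the group name, the member-attribute schema GUID, and the function names are the example's own.

```powershell
# Added example (not from the KB article): audit and optionally tighten the
# ACL on the Exchange Domain Servers group so that Account Operators keep only
# read access. Assumes the ActiveDirectory module (RSAT) and an AD: drive.
Import-Module ActiveDirectory

$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
# schemaIDGUID of the 'member' attribute; the all-zeros GUID means "all properties".
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllGuid    = [guid]'00000000-0000-0000-0000-000000000000'

function Test-Right($Ace, $Right) {
    return (([int]($Ace.ActiveDirectoryRights -band $Right)) -ne 0)
}

# Return every Allow ACE that lets Account Operators change group membership,
# either by writing 'member' directly or by rewriting the object's own ACL.
function Get-AccountOperatorMemberWriteAces {
    param([string]$GroupName = 'Exchange Domain Servers')
    $dn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like '*\Account Operators' -and (
            ((Test-Right $_ $R::WriteProperty) -and
             ($_.ObjectType -eq $MemberGuid -or $_.ObjectType -eq $AllGuid)) -or
            (Test-Right $_ $R::GenericWrite) -or (Test-Right $_ $R::GenericAll) -or
            (Test-Right $_ $R::WriteDacl)    -or (Test-Right $_ $R::WriteOwner)
        )
    }
}

# Remove the explicit offending ACEs and grant Account Operators read access only.
# Inherited ACEs cannot be removed on the object; they must be fixed on the parent.
function Set-AccountOperatorReadOnly {
    param([string]$GroupName = 'Exchange Domain Servers')
    $dn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in (Get-AccountOperatorMemberWriteAces -GroupName $GroupName)) {
        if ($ace.IsInherited) { Write-Warning "Inherited ACE on $dn; fix it on the parent"; continue }
        [void]$acl.RemoveAccessRule($ace)
    }
    $ao = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Account Operators')
    $readAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ao, $R::GenericRead, $Allow
    [void]$acl.AddAccessRule($readAce)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Usage: review the findings first, then call Set-AccountOperatorReadOnly.
Get-AccountOperatorMemberWriteAces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Run the audit with an account that can read the group's security descriptor; the remediation needs write-DACL rights on the group object and should be applied only after the listed ACEs have been reviewed.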

If you do not want to change the permissions of the Exchange Domain Servers group on mailbox stores and public folders, you can deploy "server domains" that are separate from "user domains," and then locate the users with Account Operator permissions in the user domain.
Microsoft confirms that the behavior described at the beginning of this article is the current default after installation of Exchange 2000. Microsoft plans to change the installation default in the next release of Exchange. Until then, Microsoft recommends that you follow the workaround described above to further enhance the security of the default settings.

Article ID: 309718 - Last Review: 10/24/2013 07:59:52 - Revision: 1.5

Microsoft Exchange 2000 Server Standard Edition
