This article discusses how to grant permissions to all mailboxes. Granting access to all mailboxes can be useful when you are completing tasks such as offline recovery.
Caution Do not use this procedure in a production environment to allow unauthorized access to user data. Doing so might violate your corporate privacy and security policies. Implement an auditing plan on your network to detect and to record improper use of network administrative credentials by system administrators.
In Microsoft Exchange Server 5.5, when you grant Service Account Admin access rights on the Site
container to a Microsoft Windows-based account, you grant that account unrestricted access to all mailboxes. In Microsoft Exchange 2000 Server and Exchange Server 2003, there is no service account, and even accounts with Enterprise Administrators rights are denied rights to gain access to all mailboxes. Note
In Microsoft Windows 2000 Server and Microsoft Windows Server 2003, services typically run under the account of the computer where they are installed. This account is the local system account (LocalSystem), and its password is created and recycled by Windows 2000 or Windows Server 2003. By default, you can use this service account to gain access to the Exchange mailbox, the public folder stores, and other Windows resources for performing mail transfer and directory synchronization.
If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. All Exchange Server 2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.
You can override this default restriction in several ways, but do so only in accordance with your organization's security and privacy policies. Frequently, overriding the default restriction is appropriate only in a recovery server environment.
To grant your administrative account access through Exchange System Manager to all mailboxes in a single database regardless of inherited denials:
- Start Exchange System Manager, and then locate the database you want to have full mailbox access to.
- Open the properties of this object, and then click the Security tab.
- Grant your account full explicit permissions on the object, including Receive As permissions.
After you have made this change, you may still see unavailable Deny
permissions assigned to your account. The unavailable permissions indicate that by inheritance you have been denied permission, but that you have inherited permissions at this level. In the Windows permissions model, explicitly granted permissions override inherited permissions. Note that an explicit Allow at a lower level
permission overrides an explicit Deny from a higher level
permission only on the single object where the override is set, not on that object's child objects. This prevents you from granting yourself permissions on a server to gain access to each database; you must grant permissions on databases individually.
After you change permissions, you may have to log off and log back on. Microsoft also recommends that you stop and restart all Exchange services. If you have multiple domain controllers in the forest, you may also have to wait for directory replication to complete.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Security tab not available on all objects in System Manager