An account with the "Exchange View-Only Administrator" permission can review user mailbox contents by using an administrative application in Exchange Server 2007

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
In an Exchange Server 2007 environment, a domain user account can be given "Exchange View-Only Administrator" permission by using the Exchange Administration Delegation Wizard at the organization level. You expect that the account that has the "Exchange View-Only Administrator" permission can view the Exchange configuration only. However, the account can read the contents of any message in a mailbox store in the organization. For example, the account that has the "Exchange View-Only Administrator" permission can access the contents of the other users' mailboxes by using the Public Folder Distributed Authoring (PFDavAdmin) tool or the Versioning (DAV)-based administration tool.
RESOLUTION
A feature is now included with Update Rollup 8 for Exchange 2007 Service Pack 1 to change this behaviour.

For more information about Update Rollup 8 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:

For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:

Warning: You should test the change before you install the hotfix and implement the change because it may affect some third-party applications that access Exchange data by using the administrative logon and the "Exchange View-Only Administrator" permission.

After you install the hotfix, you have to create the Restrict View-Only Administrator Access Right registry entry on the Exchange server for this hotfix to work. If you do not create this registry entry, or if the registry setting is set to zero, accounts that have the "Exchange View-Only Administrator" permission can still access mailbox contents in a mailbox store. To set the registry entry, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. In the details pane, type Restrict View Only Administrator Access Right, and then press ENTER.
  5. Right-click Restrict View Only Administrator Access Right, and then click Modify.
  6. In the Edit DWORD Value dialog box, click Decimal under Base.
  7. In the Value data box, type 1, and then click OK.
  8. Close Registry Editor.
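
The registry steps above can also be checked and applied from PowerShell. The script below is an added example, not part of the Microsoft article; the function names and the `-Enable` switch are hypothetical, and the value name is the spelling typed in step 4.

```powershell
# Added example, not from the Microsoft article. Needs rights to write HKLM on the Exchange server.
param([switch]$Enable)   # without -Enable the script only reports the current state

$KeyPath   = 'HKLM:\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
# Name as typed in step 4; the paragraph before the steps spells it "View-Only".
$ValueName = 'Restrict View Only Administrator Access Right'

function Get-ViewOnlyRestrictionState {
    # Hypothetical helper. Returns KeyMissing, NotSet, WrongType, Disabled, Enabled or Unexpected.
    if (-not (Test-Path -Path $KeyPath)) { return 'KeyMissing' }
    $key   = Get-Item -Path $KeyPath
    $value = $key.GetValue($ValueName, $null)
    if ($null -eq $value) { return 'NotSet' }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'              # steps 3-7 create a DWORD; anything else is a misconfiguration
    }
    switch ($value) {
        0       { return 'Disabled' }   # article: zero leaves mailbox access in place
        1       { return 'Enabled' }    # article: the value entered in step 7
        default { return 'Unexpected' } # the article does not define other values
    }
}

function Enable-ViewOnlyRestriction {
    # Hypothetical helper. Equivalent of steps 2-7.
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Subkey not found: $KeyPath"
    }
    # -Force overwrites an existing value, so a wrong type or a 0 is corrected too.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-ViewOnlyRestrictionState
}

$state = Get-ViewOnlyRestrictionState
Write-Output "Before: $state"
if ($Enable -and $state -ne 'Enabled') {
    Write-Output "After:  $(Enable-ViewOnlyRestriction)"
}
```

Run without `-Enable` after installing the rollup to confirm the state; anything other than `Enabled` means the server is still in the condition the article describes for a missing or zero entry, or holds a value the article does not define.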
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
959745 An Exchange View-Only Administrator can review user mailbox contents by using an administrative application

For more information about Exchange 2007 permissions, visit the following Web site:

For more information about the Exchange access control process, visit the following Web site:

For more information about accessing Exchange objects, visit the following Web site:
Properties

Article ID: 959748 - Last Review: 01/16/2015 02:47:30 - Revision: 1.1

  • Microsoft Exchange Server 2007 Service Pack 1