RE: Domain admin mailbox rights on Exchange 2003



At Tuesday, August 01, 2006 9:44 AM, Susan Bradley, CPA aka Ebitz - SBS
Rocks [MVP] wrote:

Domain admins are "god" on a system.

As a user, I am unable to access another's email box. As a domain
admin, I am "god" and can.

For the sake of completeness for other readers (since I'm fairly certain
you know this already), I'd like to point out that even domain admins
cannot access Exchange 2000/2003 mailboxes by default. Microsoft puts in
explicit deny ACEs for:

+ Domain Admins (AD)
+ Enterprise Admins (AD)
+ Administrator (local)
+ Exchange Administrator role (Exchange)
+ Exchange Full Administrator role (Exchange)

Because these Deny ACLs are applied at a higher level than the mailbox
(IIRC, they're at the org level), they can be overridden by placing an
explicit Allow ACL on the target mailbox, store, or server. So when
Susan says that domain admins are god, she means that while they do not
by default have permission to look in any mailboxes, they can fairly
easily grant themselves that permission. So her points stand -- don't
use a domain admin account unless you need those rights *for the task
you're working on* (and drop them as soon as you don't need them) and
trust your domain admins. But also audit your permissions --
modifications of these permissions will be your clue that you may have a
domain admin who isn't worthy of that trust.

--
Devin L. Ganger Email: deving@xxxxxxxxxx
3Sharp LLC Phone: 425.882.1032
15311 NE 90th Street Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
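To make Devin's point concrete, here is an added example (not code from the thread or from Exchange) that models how Windows evaluates a DACL in canonical order and why an explicit Allow on a mailbox wins over the inherited org-level Deny. The right name, group names and mailbox data are constructed; the audit function shows the kind of check he suggests.

```python
# Added example, not from the original thread. Models Windows canonical DACL
# evaluation (explicit Deny, explicit Allow, inherited Deny, inherited Allow)
# for a single requested right, and flags explicit admin grants on mailboxes.
from dataclasses import dataclass

FULL_MAILBOX_ACCESS = "FullMailboxAccess"   # placeholder right name


@dataclass(frozen=True)
class Ace:
    trustee: str      # group or account, e.g. "CORP\\Domain Admins"
    kind: str         # "Allow" or "Deny"
    right: str
    inherited: bool   # True if it flowed down from org/server/store


def canonical_order(ace):
    # Explicit before inherited; within each, Deny before Allow.
    return (ace.inherited, ace.kind == "Allow")


def has_right(dacl, token_groups, right):
    """First ACE in canonical order that matches the token decides.
    No matching ACE means access is denied (simplified to one right)."""
    for ace in sorted(dacl, key=canonical_order):
        if ace.right == right and ace.trustee in token_groups:
            return ace.kind == "Allow"
    return False


def audit_admin_grants(mailboxes, admin_groups, right=FULL_MAILBOX_ACCESS):
    """Return (mailbox, trustee) pairs where an admin group holds an
    explicit Allow that overrides the inherited org-level Deny."""
    return [(name, ace.trustee) for name, dacl in mailboxes.items()
            for ace in dacl
            if ace.kind == "Allow" and not ace.inherited
            and ace.right == right and ace.trustee in admin_groups]


# Constructed sample data: the org-level Deny ACEs inherited by every mailbox.
ORG_DENY = [Ace("CORP\\Domain Admins", "Deny", FULL_MAILBOX_ACCESS, True),
            Ace("CORP\\Enterprise Admins", "Deny", FULL_MAILBOX_ACCESS, True)]
MAILBOXES = {
    "alice": ORG_DENY + [Ace("CORP\\alice", "Allow", FULL_MAILBOX_ACCESS, False)],
    "bob": ORG_DENY + [Ace("CORP\\bob", "Allow", FULL_MAILBOX_ACCESS, False),
                       Ace("CORP\\Domain Admins", "Allow", FULL_MAILBOX_ACCESS, False)],
}
ADMIN_GROUPS = {"CORP\\Domain Admins", "CORP\\Enterprise Admins"}
DA_TOKEN = {"CORP\\Domain Users", "CORP\\Domain Admins"}  # a domain admin's groups
```

Running `has_right` on alice's mailbox with `DA_TOKEN` returns False (the inherited Deny applies), on bob's it returns True, and `audit_admin_grants` reports the explicit grant on bob's mailbox as the finding to investigate.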
