
Who has full Exchange Server mailbox access and permissions?

Find out how to determine who has permissions to access all Exchange Server mailboxes and how to restrict these permissions in an Exchange 2003 site.

Has Microsoft designed Exchange Server 2003 to allow all users to view other users' email in their inboxes? If not all users, what about any user with certain privileges -- like a domain administrator? If so, how can I prevent this? And how can I prove this has happened? Is there a log?

In Exchange 5.5, the Exchange Service account had permissions to access all mailboxes in an Exchange Site. In Exchange 2000 and 2003, Microsoft has explicitly denied access to administrative accounts, including domain administrators, enterprise administrators and Exchange full administrators. Only a group called Self, which is the user object being configured, has full mailbox access.

However, a regular domain user account can be delegated access to a folder like Calendar, or the entire mailbox, by the user or an administrator. The good news is that any time a user who is not "Self" accesses a mailbox, a 1016 event is generated in the Application log by Exchange.
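
One way to review those 1016 events, as an added example that is not part of the original answer: the Python script below reads an Application log exported to CSV and counts non-owner mailbox logons that are not on a list of approved delegations. The CSV column names, the message wording matched by the regex, and every account and mailbox in the sample are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumed wording of the 1016 message text; adjust it to match your own export.
LOGON_RE = re.compile(
    r"User (?P<user>\S+) logged on to (?P<mailbox>\S+) mailbox", re.IGNORECASE
)

# Constructed sample of an Application log exported to CSV (not real output).
SAMPLE_EXPORT = r'''EventID,TimeGenerated,Source,Message
1016,2005-03-01 09:14:02,MSExchangeIS Mailbox Store,"Windows 2000 User EXAMPLE\jsmith logged on to adoe@example.com mailbox, and is not the primary Windows 2000 account on this mailbox."
1016,2005-03-01 09:20:45,MSExchangeIS Mailbox Store,"Windows 2000 User EXAMPLE\assistant1 logged on to ceo@example.com mailbox, and is not the primary Windows 2000 account on this mailbox."
1001,2005-03-01 09:21:00,MSExchangeIS Mailbox Store,"Unrelated store event."
1016,2005-03-01 10:02:11,MSExchangeIS Mailbox Store,"Windows 2000 User EXAMPLE\jsmith logged on to adoe@example.com mailbox, and is not the primary Windows 2000 account on this mailbox."
1016,2005-03-01 10:05:00,OtherApp,"Event 1016 from a different application."
'''


def non_owner_logons(export_text, known_delegations=frozenset()):
    """Return ({(user, mailbox): count} for unapproved access, skipped 1016 rows)."""
    unexpected = {}
    unparsed = 0
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"].strip() != "1016":
            continue
        match = LOGON_RE.search(row["Message"])
        if match is None:
            # Same event ID from another source, or wording the regex misses.
            unparsed += 1
            continue
        pair = (match["user"].lower(), match["mailbox"].lower())
        if pair not in known_delegations:
            unexpected[pair] = unexpected.get(pair, 0) + 1
    return unexpected, unparsed


if __name__ == "__main__":
    # Hypothetical approved delegation: an assistant reading an executive's mailbox.
    approved = {("example\\assistant1", "ceo@example.com")}
    hits, skipped = non_owner_logons(SAMPLE_EXPORT, approved)
    for (user, mailbox), count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{user} -> {mailbox}: {count} logon(s)")
    print(f"1016 rows not matching the expected wording: {skipped}")
```

Rows counted as skipped deserve a manual look, since they either come from another application that reuses the event ID or use wording the pattern does not cover.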
