
Regain service-account access to user mailboxes

How to get access back after switching to Exchange 2000.

Exchange 5.5, by default, allows the administrator to access the mailboxes of users to read or delete emails freely via the Service Account Admin privilege. Exchange administrators sometimes take this out-of-the-box behavior for granted, and then they're surprised to find that they can no longer do this when they upgrade from 5.5 to 2000. In Exchange 2000, service-account access to user mailboxes is turned off by default as a security precaution.

The most common way for administrators to bump into this problem is to build a new server to replace an old one and then attempt to move mailboxes between servers manually. Unfortunately, that generates an error stating that the admin does not have sufficient privileges to do this.

The easy way to allow access to all mailboxes through the Service Account is to add the account in question to the Exchange Services or Exchange Domain Server group. However, this only works if you are not the Administrator or a member of the Domain Admins or Enterprise Admins groups.

Another method is to grant Windows (i.e., system) admins rights to all mailboxes in the entire Exchange organization. This can be done by simply changing the permissions on the organization object at the top of the Exchange System Manager tree for that account, or for the group it belongs to. Normally, the rights of administrators on the organization object are explicitly denied through the Receive As and Send As rights, so to provide access, clear these denials. (Note that if the account belongs to an administrator group that is still being denied access to that object, the group-level denial takes precedence.)

To change the permissions, you will need to force the Security tab to appear on all objects in the Exchange management console. Open the Registry and edit the key HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin, and add a DWORD value named ShowSecurityPage. Set it to 1; Exchange does not need to be restarted for this to take effect, but you may need to close and open the management console to see the Security tabs.
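
After changing the permissions described above, it is worth reviewing which accounts and groups now hold Send As or Receive As on the organization object, and which Deny entries remain. The PowerShell script below is an added example, not part of the original tip; it assumes a domain-joined management host, read access to the Active Directory configuration partition, and a single Exchange organization.

```powershell
# Added example: audit Send As / Receive As ACEs on the Exchange organization object.
# Assumes a domain-joined host and read access to the AD configuration partition.

# Control-access-right GUIDs for the two rights named in the article.
$rightNames = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
}
$allRights = [Guid]::Empty.ToString()   # ACE with no object type = every extended right

# Locate the organization object under CN=Microsoft Exchange,CN=Services.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.Filter      = '(objectClass=msExchOrganizationContainer)'
$result = $searcher.FindOne()
if (-not $result) { throw 'No Exchange organization object found.' }
$org = $result.GetDirectoryEntry()

# Read explicit and inherited ACEs, resolving SIDs to account names where possible.
$aces = $org.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$report = foreach ($ace in $aces) {
    # Skip ACEs that do not carry the extended-right bit at all.
    if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
    $guid = $ace.ObjectType.ToString()
    if ($guid -eq $allRights)               { $right = 'All extended rights' }
    elseif ($rightNames.ContainsKey($guid)) { $right = $rightNames[$guid] }
    else                                    { continue }
    New-Object PSObject -Property @{
        Identity  = $ace.IdentityReference.Value
        Right     = $right
        Type      = $ace.AccessControlType   # Allow or Deny
        Inherited = $ace.IsInherited
    }
}

# List Deny entries first: a Deny on any group the account belongs to still wins.
$report | Sort-Object @{ Expression = 'Type'; Descending = $true }, Identity |
    Format-Table Identity, Right, Type, Inherited -AutoSize
```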

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators -- please share your thoughts as well!
