Wednesday, April 18, 2012 2:02 PM
One of my users found a big security problem. We host email domains for 30 plus organizations. We allow an administrator from each organization to manage their domain. We have configured this access in AD.
It was recently found that if the steps below are taken, a user can log in to OWA with their credentials and then switch to someone else's account without knowing their password and view the mailbox. Is there a way to prevent this from happening?
- Start the Exchange Management Console.
- In the console tree, click Recipient Configuration.
- In the result pane, select the mailbox for which you want to grant the Full Access permission.
- In the action pane, under the mailbox name, click Manage Full Access Permission. The Manage Full Access Permission wizard opens.
- On the Manage Full Access Permission page, click Add.
- In Select User or Group, select the user to which you want to grant the Full Access permission, and then click OK.
- Click Manage.
- On the Completion page, the Summary states whether the Full Access permission was successfully granted. The summary also displays the Exchange Management Shell command that was used to grant the Full Access permission.
- Click Finish.
Friday, April 20, 2012 3:24 AM
If you grant the Full Access Permission to other users, the user's mailbox will be able to be opened by those other users.
Friday, April 20, 2012 12:09 PM
Thanks, that makes sense.
My problem is that we host email for thirty-plus domains and because of that we have thirty-plus email admins. Each email domain is in its own AD OU, and administration of the AD user accounts for password changes and such is managed with AD permissions.
In this environment, is it possible to give this domain-level email administration privileges without allowing each organizational admin to be able to set Full Access Permission?
Thursday, May 10, 2012 6:45 PM
Wondering if there is any other feedback on this issue.
Is there a way to prevent an admin for just one domain in AD from having the ability to view email in all the other domains in the Exchange message stores?
Friday, May 25, 2012 12:51 PM
If I understand this right you managed the access for the administrators with AD delegation, right?
So you can also do delegation in exchange within the AD scope. Go to ecp (owa url /ecp) and create new roles for each scope and administrator. In this way the administrators should only be able to do changes in their domain.
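The scoped delegation described in the reply above, written out as Exchange Management Shell commands (an added example, not the poster's own steps); it assumes Exchange 2010 RBAC, and the tenant OU path, scope, role and group names and the admin account name are all placeholders.

```powershell
# Added example: confine one hosted-domain admin to their own OU with Exchange 2010 RBAC.
# Placeholder values: the OU path, the names below and the admin account are assumptions.
$tenantOU = "example.local/Hosted/Contoso"   # canonical OU path of one hosted domain

# 1. A management scope that only covers mailboxes under that OU.
#    With -RecipientRoot a restriction filter is required; this one keeps user mailboxes.
New-ManagementScope -Name "Contoso Recipients" `
    -RecipientRoot $tenantOU `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. A copy of the built-in "Mail Recipients" role with the cmdlet that grants
#    Full Access removed, so the tenant admin cannot give themselves mailbox access
#    even inside their own scope.
New-ManagementRole -Name "Contoso Mail Recipients" -Parent "Mail Recipients"
Remove-ManagementRoleEntry "Contoso Mail Recipients\Add-MailboxPermission" -Confirm:$false

# 3. A role group binding the trimmed role to the write scope, holding the tenant admin.
#    The admin must not also be a member of a broader group such as Recipient Management,
#    or that group's unscoped assignment would still apply.
New-RoleGroup -Name "Contoso Admins" `
    -Roles "Contoso Mail Recipients" `
    -CustomRecipientWriteScope "Contoso Recipients" `
    -Members "contoso-admin"

# 4. Verify: which roles the group holds and where their write scope lands,
#    and which *Permission* cmdlets remain in the trimmed role for review.
Get-ManagementRoleAssignment -RoleAssignee "Contoso Admins" |
    Format-Table Role, CustomRecipientWriteScope, RecipientWriteScope -AutoSize
Get-ManagementRoleEntry "Contoso Mail Recipients\*Permission*"
```

Repeat steps 1 and 3 once per hosted domain; the trimmed role from step 2 can be shared by all of the per-domain groups.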
Friday, May 25, 2012 3:00 PM
I am running Exchange 2007. This appears to be an Exchange 2010 feature only.
Is this available in 2007? If so, I am unable to find any documentation on enabling this feature.
Thanks for your feedback.