Locking delegates out of mailbox

  • Question

  • Periodically, we are asked by our legal counsel to preserve the contents of a mailbox after an employee is terminated, and we want to be able to keep the mailbox but lock out both the user and any delegates who have been granted rights to the mailbox. To lock the user, we set the Logon Hours to 'Login denied' on the user object, and disable the Exchange features on the user object. This doesn't, however, prevent delegates from accessing the mailbox contents. We've tested disabling the user object entirely, but that doesn't have any effect on the delegates' access either.

    My organization is segmented such that my group has Active Directory Account Operator responsibilities, but we are not Exchange Administrators and have no access to Exchange settings beyond those available in the Windows XP version of the Active Directory Users and Computers utility.

    We are currently on an Active Directory 2003 domain (to be upgraded to 2008 functional level in the next week), domain controllers are 2008R2 and our Exchange environment is 2007 with plans to move to 2010 by the end of the year. In addition to the ADUC utility, we use PowerShell to perform some user object management tasks (via the Quest cmdlets), but we don't have access to the cmdlets that come with the Exchange Console.

    Is it possible to do this without using the tools we have available?

    Thursday, March 24, 2011 1:25 PM

Answers

  • Hi CaffeineComa,

    Since you don’t have Exchange permission, the best way to achieve the goal is to contact your Exchange administrator to disable the mailbox.

    Thanks,

    Evan


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by CaffeineComa Monday, April 4, 2011 1:35 PM
    Tuesday, March 29, 2011 7:59 AM
    Moderator

All replies

  • With 2010 there is Get-MailboxFolderPermission to audit, then Remove-MailboxFolderPermission to remove. None exists for 2007; the only way to modify mailbox-level perms programmatically is via EWS.

    The only other idea that I can think of is to create a generic mailbox after the user is termed and then export the current user's mailbox into a new mailbox.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, March 24, 2011 2:06 PM
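
    For an Exchange administrator on Exchange 2010 or later, the audit-then-remove sequence named in the reply above can be scripted as follows. This is an added example, not part of the original thread; the mailbox address is a constructed placeholder, and the -Remove switch and variable names are this example's own.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010 or later).
param(
    [string]$Mailbox = 'former.employee@example.com',  # constructed placeholder
    [switch]$Remove                                     # report only unless set
)

# Entries every folder carries by default; they are not delegates.
$builtIn = 'Default', 'Anonymous'

$entries = @(foreach ($folder in Get-MailboxFolderStatistics -Identity $Mailbox) {
    # Folder-permission cmdlets take "mailbox:\Folder\Sub"; statistics report
    # "/Folder/Sub", and the root as "/Top of Information Store".
    if ($folder.FolderType -eq 'Root') { $path = '\' }
    else { $path = $folder.FolderPath -replace '/', '\' }
    $id = "${Mailbox}:$path"

    # Hidden system folders can fail to resolve; skip them instead of aborting.
    $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue
    if (-not $perms) { continue }

    foreach ($p in $perms) {
        $who = "$($p.User)"   # string form of the grantee
        if ($builtIn -notcontains $who) {
            New-Object PSObject -Property @{
                Folder = $id
                User   = $who
                Rights = ($p.AccessRights -join ',')
            }
        }
    }
})

# Audit output: keep this as the record of who had access before lockdown.
$entries | Sort-Object Folder, User | Format-Table Folder, User, Rights -AutoSize

if ($Remove) {
    foreach ($e in $entries) {
        # Assumption: the grantee's display string resolves uniquely as -User.
        Remove-MailboxFolderPermission -Identity $e.Folder -User $e.User -Confirm:$false
    }
}
```

    This covers folder-level grants only; mailbox-level Full Access grants are listed separately by Get-MailboxPermission.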