Administrator can access all mailboxes - how can I stop it?

Solution 1:

This is probably a result of DOMAIN\Administrator being a member of the Organization Management group. From the description of that group:

Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group shouldn't be deleted.

Or from Technet:

Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and can perform almost any task against any Exchange 2013 object, with some exceptions. By default, members of this role group can't perform mailbox searches and management of unscoped top-level management roles.

This is basically the group in Exchange that is like the Domain Admins group in Active Directory - members have administrative privileges in Exchange, which includes the ability to log into any mailbox (by default). You could, of course, remove DOMAIN\Administrator from that group, but anyone with modify privileges on that group (like domain admins) can trivially add that user, or any other, back into it.

In the unlikely event that the DOMAIN\Administrator user is explicitly defined as having permissions to each mailbox, you could use a PowerShell script to remove it, but you'd have the same problem - that user, and anyone with modify privileges on the Organization Management group can trivially add that user, or any other, back into it.

Bottom line, administrators have (or can easily give themselves) permissions to do whatever they want. It's the nature of an administrative account, and there's really no getting around it.

Solution 2:

Organization Management does not actually give permission to access mailboxes using OWA. In fact, by default, this group is explicitly denied access to all mailboxes, for the same reasons that you want to do so. I suspect that the account was granted rights to every single mailbox individually.

You can check for it using a command such as:

Get-Mailbox | Get-MailboxPermission -User DOMAIN\Administrator | where {-not $_.IsInherited}
Get-Mailbox | Get-ADPermission -User DOMAIN\Administrator | where {-not $_.IsInherited}

To remove them, you would just add Remove-MailboxPermission or Remove-ADPermission to the end. (Do this at your own risk ... This is all off the top of my head, which is why I am not including the full commands. There are probably some mailboxes you would want to exclude, such as the Administrator's own mailbox.)

This is why service accounts for Blackberry Enterprise Servers must not be put into Organization Management. Instead, they have specific instructions to grant access to all mailboxes.

I haven't looked into this specifically for Exchange 2013, but none of the other answers claim to be new for Exchange 2013, so I suspect they are just mistaken.
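Putting the two checks from this answer together, as an added example that is not part of the answer above: it reports every explicit (non-inherited, non-Deny) mailbox right and AD extended right held by one account, and only removes them when -Remove is passed. It assumes the Exchange Management Shell is loaded, that the account is DOMAIN\Administrator, and that the alias Administrator is the admin's own mailbox to skip.

```powershell
# Added example (not from the answer): audit and, when -Remove is given, strip
# explicit per-mailbox rights granted to one account. Assumes the Exchange
# Management Shell is loaded; the account and excluded alias are assumptions.
param(
    [string]$Account = 'DOMAIN\Administrator',   # assumed account name
    [string[]]$Exclude = @('Administrator'),      # mailbox aliases to leave alone
    [switch]$Remove                               # default is report-only
)

$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $Exclude -notcontains $_.Alias }

# Explicit mailbox rights (e.g. FullAccess). Inherited and Deny entries are
# skipped: inherited ones come from a parent object, and removing a Deny
# entry would widen access rather than narrow it.
$mbxGrants = $mailboxes | Get-MailboxPermission -User $Account |
    Where-Object { -not $_.IsInherited -and -not $_.Deny }

# Explicit AD extended rights on the mailbox object (e.g. Send-As).
$adGrants = $mailboxes | Get-ADPermission -User $Account |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.ExtendedRights }

"Explicit mailbox rights for ${Account}:"
$mbxGrants | Format-Table Identity, AccessRights -AutoSize
"Explicit AD extended rights for ${Account}:"
$adGrants | Format-Table Identity, ExtendedRights -AutoSize

if ($Remove) {
    foreach ($g in $mbxGrants) {
        Remove-MailboxPermission -Identity $g.Identity -User $Account `
            -AccessRights $g.AccessRights -InheritanceType All -Confirm:$false
    }
    foreach ($g in $adGrants) {
        Remove-ADPermission -Identity $g.Identity -User $Account `
            -ExtendedRights $g.ExtendedRights -Confirm:$false
    }
}
```

Run it once without -Remove and review the two tables before running it with -Remove; as the answer notes, removing the entries does not stop a member of Organization Management from granting them again.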

Solution 3:

It appears from your message that you may be an administrator. If so, you have the rights because at times you will need them. Accept, but don't abuse the privilege granted you. A trustworthy administrator will only use the rights when required to do their duties. Those duties may include scanning emails for specific content, tracing email sources, and other activities which require access to other users' email.

If you are making someone an administrator, consider the following.

Anyone with administrative rights more or less has the keys to the kingdom. If you can't trust them, don't make them administrators. They should be in a position to undo pretty well anything you do to remove access.

I would expect that most solutions would be best implemented by the administrator. The mail server would need to be able to decrypt the mailboxes. This would give the administrator access to the mailboxes.

Encrypting the mail messages at both ends could be done. However, this would severely limit who you can exchange email with. It is likely that you would want the administrator to be able to install and debug the encryption software.

The administrator is likely to be in a position to access the mail by packet capture as well. This is more difficult, but not extremely difficult.

A trustworthy administrator will not abuse their authority. Where they do need to access mail folders, they will limit their access as much as possible.