Question : Exchange 2007 Mailbox Permission Question

Hello Everyone,

I just inherited a network and one of the issues I ran into was a user account having full access to all mailboxes. This user is a generic Mail Audit account, to review emails and such. I want to change the access to make sure this user (account) does not have the right to delete other users' emails. I'm new to Exchange 2007 and I'm still learning all of the changes from 2003 to 2007.

Looking into my problem more, I noticed most of the configurations are done in PS. Since, for some reason I cannot use the GUI for the modification. So, in PS I should run:

Get-Mailbox | Remove-MailboxPermission -AccessRights Fullaccess -User

Then when I add the user again run this command:

Get-Mailbox | Add-MailboxPermission -AccessRights Read -User

Keep in mind this user right now has Full Access from the Root-Recipient Configuration Tree. I can only see the Mail Audit user when I highlight the Recipient Configuration and click on Manage Full Access. From here I cannot make changes to the user from the GUI.

Please help
Thank you
Devon

Answer : Exchange 2007 Mailbox Permission Question

It has always been like that. Remember, delete isn't just about removing content. If you want to move items from one folder to another you need to be able to delete the content.
The only way you can grant read only access is at the folder level in the mailbox. However that cannot be done or enforced server side. A user could remove the permission from their folders at any time.

If there is a need to have a copy of email messages for auditing purposes then I would suggest a journaling system is set up, probably with a third party tool. There is no need for any account to have access to all mailboxes by default, with the possible exception of BESADMIN (for BlackBerry Servers).

Simon.
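
Before changing anything, it helps to see exactly where the audit account's Full Access comes from. The following is an added example, not code from either poster: a read-only Exchange Management Shell report of every mailbox on which one account holds FullAccess and whether each entry is inherited or explicit. The account name `DOMAIN\MailAudit` is a placeholder.

```powershell
# Read-only audit: on which mailboxes does one account hold FullAccess, and is
# each entry inherited (set above the mailbox) or explicit (set on the mailbox)?
# Run in the Exchange Management Shell. This script changes nothing.

$trustee = 'DOMAIN\MailAudit'   # placeholder: replace with the real audit account

# Collect every FullAccess entry for the trustee across all mailboxes.
$grants = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $trustee |
    Where-Object { $_.AccessRights -like '*FullAccess*' } |
    Select-Object Identity, User, IsInherited, Deny

# One row per entry, inherited and explicit entries grouped together.
$grants | Sort-Object IsInherited, Identity | Format-Table -AutoSize

# Summary: how many entries are inherited versus explicit.
$grants | Group-Object IsInherited |
    Select-Object @{Name = 'Inherited'; Expression = { $_.Name }}, Count
```

Entries with IsInherited set to True are applied from a parent object rather than on the mailbox itself, which is consistent with the grant the question describes as visible only at the Recipient Configuration level.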