Microsoft KB Archive/309718

= XADM: Account Operators Can Obtain Access to All of the Mailboxes =

Article ID: 309718

Article Last Modified on 2/28/2007

-

APPLIES TO

 * Microsoft Exchange 2000 Server Standard Edition

-

This article was previously published under Q309718

SYMPTOMS
Account Operators and Domain Administrators in Active Directory have permission to add and remove users from group objects, so they can add themselves to the Exchange Domain Servers group. If Domain Administrators or Enterprise Administrators add themselves to the Exchange Domain Servers group, they still cannot gain access to mailboxes, because each database carries an inherited deny Access Control Entry (ACE) for the Receive As permission for members of these groups.

However, there is no inherited or explicit deny ACE for Account Operators, so an Account Operator who joins the group assumes the permissions of the Exchange Domain Servers group on the information store. Therefore, an Account Operator from any domain that contains an Exchange 2000 server can gain access to all of the mailboxes: Account Operators have permission to add themselves (or someone else) to the Exchange Domain Servers group, which grants Send As and Receive As permissions on all of the information store databases.

WORKAROUND
To work around this behavior, apply the EDSLock.vbs script. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

313807 XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group

Applying the EDSLock.vbs script tightens the security for members of the Exchange Domain Servers group so that members of this group no longer have permission to access all mailbox stores and public folders in the Exchange organization.

In addition, Microsoft recommends that administrators change the default permissions on the Exchange Domain Servers group so that Account Operators have only read access to this group. If you do so, Account Operators cannot add themselves to the Exchange Domain Servers group.

If you do not want to change the permissions of the Exchange Domain Servers group on mailbox stores and public folders, you can deploy "server domains" that are separate from "user domains," and then place the users with Account Operator permissions in the user domain.
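As an added example (not from the KB article and not a Microsoft script), the following PowerShell audit checks both conditions the article describes: whether any non-computer principal has been added to the Exchange Domain Servers group, and whether the group's DACL still lets Account Operators write its member attribute. It assumes the ActiveDirectory PowerShell module (and its AD: drive) is available, that the group's account name is "Exchange Domain Servers", and that the caller can read the group's security descriptor.

```powershell
# Added audit script (not part of the KB article). Assumes the ActiveDirectory
# module and its AD: drive are available and the caller can read the group's DACL.
Import-Module ActiveDirectory

function Test-ExchangeDomainServersGroup {
    param([string]$GroupName = 'Exchange Domain Servers')

    $acctOpsSid     = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-548'   # BUILTIN\Account Operators
    $memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'                    # schema GUID of the 'member' attribute
    $findings = @()

    $group = Get-ADGroup -Identity $GroupName

    # 1. Membership: the group is expected to hold only Exchange server computer accounts.
    #    A user (or any other non-computer principal) in here is the condition the KB describes.
    foreach ($m in (Get-ADGroupMember -Identity $group)) {
        if ($m.objectClass -ne 'computer') {
            $findings += "Non-computer member: $($m.SamAccountName) ($($m.objectClass))"
        }
    }

    # 2. DACL: flag any Allow ACE that lets Account Operators write the 'member' attribute,
    #    either explicitly or through GenericWrite/GenericAll (both include WriteProperty).
    $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable trustee, so not Account Operators
        if ($sid -ne $acctOpsSid) { continue }

        $canWriteProp = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        $coversMember = ($ace.ObjectType -eq [Guid]::Empty) -or ($ace.ObjectType -eq $memberAttrGuid)
        if ($canWriteProp -and $coversMember) {
            $findings += "Account Operators can change membership via '$($ace.ActiveDirectoryRights)' (inherited=$($ace.IsInherited))"
        }
    }

    # The KB's hardening target: Account Operators keep read access only, and no stray members exist.
    foreach ($f in $findings) { Write-Warning $f }
    if ($findings.Count -eq 0) { Write-Verbose "'$GroupName' passed both checks" -Verbose }
    return $findings
}

Test-ExchangeDomainServersGroup
```

A non-empty result means the default permissions discussed in this article are still in place and the group should be reviewed before (or after) running EDSLock.vbs.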

STATUS
Microsoft confirms that the behavior described in the "Symptoms" section is the current default after installation of Exchange 2000. Microsoft plans to change the installation default in the next release of Exchange. Until then, Microsoft recommends that you follow the procedure described in the "Workaround" section of this article to further enhance the security of the default settings.

Additional query words: AD

Keywords: kbbug kbnofix KB309718


© Microsoft Corporation. All rights reserved.