If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. Unlike Exchange Server 5.5, all Exchange 2000 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.
This default restriction can be overridden in several ways, but again, doing so should be in accordance with your organization's security and privacy policies. In most cases, using these methods is appropriate only in a recovery server environment.
Method One
If you are NOT the Administrator, or a member of the Domain Admins or Enterprise Admins groups, then you can add your account to the Exchange Services or Exchange Domain Servers groups, and you will be allowed full access to all mailboxes on servers in the domain.
Note The Exchange Services group may not exist if you have never deployed the Active Directory Connector in your organization.
Method Two
To grant your administrative account access through Exchange System Manager to all the mailboxes that are in a single database (regardless of inherited explicit denials), follow these steps:
- Create an appropriately-scoped security group in the Microsoft Active Directory directory service. For example, create a global security group that is named EXCHANGE_RECOVERY.
- Add the group or the user account (or user accounts) that you want to use for general mailbox access to this security group. You must log off and then log back on before your membership in this group takes effect.
- In Exchange System Manager, grant this security group permissions on the database or server object that contains the mailboxes that you want to access.
If the purpose of granting such access is to permit use of the ExMerge utility, grant Receive As permissions. You can also grant Full Control permissions if you want complete access.
After you change these permissions, it may take some time before they take effect. Previous permissions might be cached by the local Exchange server for up to 15 minutes. You can stop and then start the Information Store service to clear local caching. You can also stop and then start all Exchange services to clear local caching. If there are multiple domain controllers in your Active Directory forest, domain replication latency might also extend the time that it takes for the permission changes to take effect. Therefore, when you design recovery procedures, it is a good idea to make the permission changes that are required as early as possible in your process.