XADM: Send As Rights Granted to Local Administrators

If users are members of the local Administrators group on the Exchange Server computer that their mailboxes reside on, those users may send mail representing anyone in the organization.

When a user sends a message representing another user or group, the information store performs an access check based on the sender's current access token and the security descriptor of the object in Active Directory that the sender is attempting to represent. Microsoft Windows 2000 always considers the built-in group of local administrators to have the highest available privileges on the local computer or any computer in the domain (respectively); therefore, Windows 2000 grants any requested rights, including the Send As right.

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: The English version of this fix should have the following file attributes or later:

Component: Information store


NOTE: Because of file dependencies, this update requires Microsoft Exchange Server 2000 Service Pack 1.

After this fix is applied, the information store creates a restricted user token, removing either of these built-in groups, before the information store checks for the necessary permissions.

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 2.