Goal: Setting Permissions on the EX Service Account with Exchange 2003
Goal: Service Account
Fact: Exchange 2003
Fact: EmailXtender
Fix: In an Exchange 2003 environment, there are three methods on settings these permissions for the EmailXtender service account:
• If you are not the Administrator, or if you are not a member of the Domain Admins or the Enterprise Admins groups, you can add your account to the Exchange Domain Servers group. After you do this, you are permitted full access to all mailboxes on servers in the domain.
Note: To use this method, the Exchange Domain Servers group must have the Receive As right.
• You can grant Windows 2000 or Windows Server 2003 administrators rights to all the mailboxes in the whole organization by changing the permissions on the organization object at the top of the Exchange System Manager tree. If you do not want to grant such blanket access, you can use the instructions that are provided in the “Method Three” section of this article to grant access only to individual databases.
The explicit denial of rights to administrators is set on the organization object by denying Receive As and Send As rights. You can clear these denials for accounts that you want to have full access. Note that if the account belongs to an administrator group, the account will still not be able to gain access to mailboxes, because the denial to the group will take precedence over the grant of permission to the individual account.
Note: To change the security on the organization object, you must force the display of the Security tab in Exchange System Administrator. If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To force the display of the Security tab, follow these steps:
1. Click Start and then click Run.
2. In the Open box, type regedit, and then press ENTER.
3. In Registry Editor, locate the following subkey in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
4. On the Edit menu, point to New, and then click DWORD Value.
5. Type ShowSecurityPage, and then press ENTER.
6. Press ENTER.
7. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
8. Quit the Registry Editor.
• To grant your administrative account access through Exchange System Manager to all mailboxes in a single database regardless of inherited explicit denials:
1. Start Exchange System Manager, and then locate the database you want to have full mailbox access to.
2. Open the properties of this object, and then click the Security tab.
If you do not see the Security tab, see the steps for enabling the Security tab that are provided earlier in this article.
3. Grant your account full explicit permissions on the object, including Receive As and Send As permissions.
After you have made this change, you may still see unavailable Deny and Allow permissions assigned to your account. The unavailable permissions indicate that by inheritance you have been denied permission, but that you have inherited permissions at this level. In the Windows permissions model, explicitly granted permissions override inherited permissions. Note that an explicit Allow at a lower level permission overrides an explicit Deny from a higher level permission only on the single object where the override is set, not on that object’s child objects. This prevents you from granting yourself permissions on a server to gain access to each database; you must grant permissions on databases individually.
After you change permissions, you may have to log off and log back on. Microsoft also recommends that you stop and restart all Exchange services. If you have multiple domain controllers in the forest, you may also have to wait for directory replication to complete.
The information in this section comes from Microsoft Knowledge Base Article 821897 – How to Assign Service Account Access to All Mailboxes in Exch.ange Server 2003..