SOAPBOX WARNING: I feel the need to preach a little here, so skip the next two paragraphs if you want. I am sure that I do not need to tell you guys how important it is that we not abuse our power with respect to our access to messaging servers. When we create super accounts, it makes it that much easier for someone else to abuse the system. It also makes it fairly easy for us to accidentally wipe out great amounts of data. I wasn’t even sure if I should post this (or repost, actually, since most of the steps are already published in Q262054) because “super” access is only required in a few remote instances.
Active Directory and Exchange 2000 now provide the ability to distribute administrative responsibilities among different groups. We can give Exchange administrators control over some systems, and grant or deny people who hold Active Directory permissions access to particular Exchange settings. By handing out particular keys to particular groups of people, we further protect the system from accidental or malicious damage by internal systems personnel. For example, it is not always appropriate for the Domain Admins to be able to manipulate the Exchange stores or servers, and vice versa.
By default, the Exchange Domain Servers group (and therefore the Exchange services) is granted full permissions on every mailbox on each mailbox server in the domain. To see this setting, open the Active Directory Users and Computers MMC console that Exchange installed and click View, then Advanced Features. Next, navigate to an Exchange user in the domain and select the Exchange Advanced tab on the user’s Properties window. Now click Mailbox Rights. While you are here, select Domain Admins and then Enterprise Admins and notice that both have been given Deny on Full mailbox access. What this means is that if you are a member of both Exchange Domain Servers and one of those admin groups, you will not have access to other users’ mailboxes, because the Deny entry takes precedence over the Allow. If you are not a member of the Enterprise Admins or Domain Admins groups but are in the Exchange Domain Servers group, then you will have access.
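The practical question this raises is which user accounts actually end up with full mailbox access through that default. The following PowerShell audit is an added example, not part of the original article, and it assumes the ActiveDirectory module (RSAT) is installed, that the group names are the defaults named above, and that the account running it can read group membership in the domain (the hypothetical -Server value for Enterprise Admins is a placeholder for a forest root domain controller). It lists every user who is a member of Exchange Domain Servers and reports whether the Domain Admins / Enterprise Admins Deny entry cancels that access.

```powershell
# Added audit example (not from the original article). Assumes the
# ActiveDirectory PowerShell module and default group names.
Import-Module ActiveDirectory

$superGroup = 'Exchange Domain Servers'
$denyGroups = 'Domain Admins', 'Enterprise Admins'

# Exchange Domain Servers normally holds only the Exchange server computer
# accounts; any *user* found in it is a candidate "super account".
$members = Get-ADGroupMember -Identity $superGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Collect everyone who carries the Deny on Full mailbox access.
# Enterprise Admins lives in the forest root, so point at a root DC when
# running from a child domain (FOREST-ROOT-DC is a placeholder name).
$denied = foreach ($g in $denyGroups) {
    $params = @{ Identity = $g; Recursive = $true }
    if ($g -eq 'Enterprise Admins') { $params['Server'] = 'FOREST-ROOT-DC' }
    Get-ADGroupMember @params | Select-Object -ExpandProperty SamAccountName
}

foreach ($m in $members) {
    $effective = if ($denied -contains $m.SamAccountName) {
        'Denied (Domain/Enterprise Admin overrides)'
    } else {
        'Full mailbox access to every mailbox in the domain'
    }
    [pscustomobject]@{
        Account         = $m.SamAccountName
        EffectiveAccess = $effective
    }
}
```

Anything reported with full mailbox access is a super account and should be on a very short, reviewed list; an empty result is the expected state on a default installation.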
Be patient when you add someone to this group. In my lab, the account did not have immediate access. Remember that the domain controllers have to replicate changes. In my case, I rebooted the Exchange server, which is also the DC and Global Catalog server. Only after that reboot was the selected account able to open all mailboxes in the domain.
For additional information, see the Microsoft support article at: http://support.microsoft.com/support/kb/articles/Q262/0/54.asp