
Delegation to assign permissions to mailbox archives

Zap
Level 4
Partner

Using EV 8 (on a 2k3 server) role-based administration, is it possible to delegate the ability for a user to modify Exchange mailbox archive permissions WITHOUT giving them the ability to grant themselves access to an Exchange mailbox archive?

The scenario I am trying to achieve:

User B: has left the organisation. User B's Active Directory account & Exchange mailbox have most likely been deleted.

User A now needs access to user B's mailbox archive. I want the helpdesk to have the ability to grant this access. The helpdesk cannot have the ability to give their own account access to someone else's mailbox archive due to security reasons. The helpdesk should not have any other access to EV.

Is this possible?

Thanks

Maverik
Level 6

The problem as I see it is here.

"The helpdesk cannot have the ability to give their own account access to someone else's mailbox archive due to security reasons."

I cannot see how they can have the ability to give someone access to the archive, but at the same time not give their own account access to the archive.

A bit like saying a helpdesk user can create an account in AD, but not an account in AD they can log in as...

Therefore I cannot see that this is possible, I'm afraid.

James_Slack
Level 6

You are exactly right.

The only way you would be able to stop this is with some really clever and well over the top group policies and having all your admin users in one OU and blocking that. In my opinion though, that is well overkill and pointless.

If an admin user wanted to access someone's Vaults and they were blocked, they could just give rights to some random user (user C), reset user C's password and then just log in as user C to view that vault.

At some point, you are going to have to trust your staff - or if not, then delegating Vault / Mailbox rights is not something you should have your helpdesk staff doing.

Our multinational company, which has 237 sites globally, trusts our staff, but we do limit the number of staff we have doing that function. This works fine for us.

Zap
Level 4
Partner

Thanks guys,

Exactly the answer I was expecting, glad you understood what I was after. We do not trust the helpdesk with mailboxes as they are contractors who could gain access to sensitive data. The work will just have to be handled by the email team.

Thanks for your replies.