We have an Exchange server which has 50 mailboxes on it.

The senior directors of the company (about 5 mailboxes) want their mailboxes to be ultra secure and therefore do not want the administrator to be able to take control of their mailboxes to view any emails etc.

Any ideas how we could do this?

Adam Chetnik
  • Make the directors the admins and fire the real ones.. just don't complain when things break and they can't fix it – Rex Aug 05 '10 at 14:40
  • Related question (though it asks about Linux): [protecting my files from root](http://serverfault.com/questions/70319/protecting-my-files-from-root/83637) – sleske Apr 19 '13 at 11:28

6 Answers


I don't know if you can lock out the administrator. How would you repair the mailbox if there's corruption?

Sysadmins are sysadmins in part because there's a layer of implicit trust for the high ranking system administrator. Sysadmins can read any data on the server, read emails, sniff traffic, reset passwords...essentially they are gods within the network and servers.

If you don't trust the system administrator, you have an issue.

This is an HR and policy issue, not a technology issue. You need clearly spelled out policies that dictate what can and can't be tolerated. Otherwise, they would need to know that even if the mailboxes are secured, sysadmins could use packet sniffing, screen capture, etc...and if you managed to somehow lock out the administrator, good luck retrieving mails, diagnosing issues on those machines, and finding out if someone else installed malware on those workstations and is reading those messages!

Bart Silverstrim
  • Just don't wear [this](http://www.thinkgeek.com/tshirts-apparel/unisex/frustrations/31fb/) shirt to work. They might get suspicious. – Holocryptic Aug 05 '10 at 14:11
  • I'd also point out that depending on the business...there may be auditing/legal implications if backups can't be made of messages. – Bart Silverstrim Aug 05 '10 at 14:12
  • @Holocryptic: tempting...knowing my luck people would believe it though. – Bart Silverstrim Aug 05 '10 at 14:24
  • +1 exactly how I would have put it... or perhaps just "you don't" ^^ - also, this is e-mail we're talking about - e-mail isn't secure unless it's properly encrypted - why would they bother about securing a mailbox when every mail they receive and send outside the local organisation (at best) is open to the world to read? ^^ – Oskar Duveborn Aug 05 '10 at 15:55

As has been said, it isn't really possible.

What can be done, of course, is events on those mailboxes can be audited and the event logs on the Exchange servers can be secured. As Erik points out, even this won't help if a sysadmin takes a backup tape home and restores it.

At the end of the day though, if the directors don't trust the sysadmins then the business either needs less paranoid directors or more trustworthy sysadmins, depending on whether or not the directors are right to be worried.

Rob Moir
  • +1 on the trust issue. If you can't trust the one user on the network that gets the keys to everything, they shouldn't have that key. – sysadmin1138 Aug 05 '10 at 15:39
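The auditing Rob describes can be switched on per mailbox. As an added example (not part of the original thread), the following Exchange Management Shell snippet enables mailbox audit logging on the directors' mailboxes and then reports every administrator or delegate logon to them; it assumes Exchange 2010 SP1 or later (where mailbox audit logging first shipped) and a distribution group named 'Directors' (an assumed name) that lists the five mailboxes.

```powershell
# Added example, not from the original thread. Assumes the Exchange Management Shell on
# Exchange 2010 SP1 or later (mailbox audit logging first shipped there) and a
# distribution group named 'Directors' (assumed name) containing the five mailboxes.
$directorGroup = 'Directors'

$directorMailboxes = Get-DistributionGroupMember -Identity $directorGroup |
    ForEach-Object { Get-Mailbox -Identity $_.Identity -ErrorAction SilentlyContinue } |
    Where-Object { $_ }

foreach ($mbx in $directorMailboxes) {
    # Log what administrators (Full Access holders, support tooling) and delegates do in
    # the mailbox. Owner actions are deliberately left unaudited: the directors want a
    # record of other people's access, not their own, and owner auditing is noisy.
    Set-Mailbox -Identity $mbx.Identity `
        -AuditEnabled $true `
        -AuditAdmin    FolderBind, SendAs, SendOnBehalf, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, Update `
        -AuditDelegate FolderBind, SendAs, SendOnBehalf, Move, MoveToDeletedItems, SoftDelete, HardDelete, Update `
        -AuditLogAgeLimit '365.00:00:00'
}

# Report every admin or delegate logon to those mailboxes in the last 30 days.
# -ShowDetails is only accepted together with -Identity, hence one query per mailbox.
$since = (Get-Date).AddDays(-30)
$report = foreach ($mbx in $directorMailboxes) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Admin, Delegate `
        -StartDate $since -EndDate (Get-Date) -ShowDetails
}

$report |
    Select-Object MailboxResolvedOwnerName, LogonUserDisplayName, LogonType, Operation,
                  OperationResult, LastAccessed, FolderPathName, ClientInfoString |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```

The audit entries are stored inside the audited mailbox itself (in its Recoverable Items folder), so they travel with the mailbox in backups, but they record nothing about the restore-a-backup-tape route the answer mentions. This is a detection control, not a prevention: it tells the directors after the fact who opened what, which is the most Exchange itself can offer.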

The only way this is possible is to not keep the emails in Exchange, which in turn exempts them from any email archiving system in place. Depending on what kind of regulatory environment you live in, that can be a very very bad idea.

But ultimately it comes down to the trust issue. If they can't trust their own highest level Administrators to not poke their nose in areas they haven't been invited in to (perhaps they've read a bit too many BOFH stories), then that admin doesn't need to work there. It's called professional ethics, and one of the top ones for sysadmins is to not go info-hunting for curiosity. This is why I got a solid background check for this and my last sysadmin job.

That said, I have seen examples where the top level users had their own single IT person just for them. They maintained separate email environments, and were the person who handled desktop IT for the C-suite. The rest of the hoi polloi IT had to work through that one person. It can really work when that one person is a nice guy and is willing to work with the rest of the company. It can be downright evil when that one person lets the power go to their head and they start going their own way just to go their own way.


The administrator will always have some way of getting into their users' mailboxes, whether that's via the exchange server, via OWA, through a third-party spam filter appliance, or perhaps even by restoring from a backup (this would even evade the standard audit logs on the exchange server). This is really a trust issue more than a technical one.

The only truly secure way to do this would be for the senior directors to use client-side encryption for all of their mail, using a passphrase-protected key. I have a hard time believing they'll agree to jump through the hoops necessary to do that, though.


It is not possible. The Microsoft stand on security has always been that administrators can access everything, even things they can't access (whether that is through changing permissions or taking ownership of an object).

Now others, like Novell, have taken a different approach in the past where admins could have access removed from objects with no way to gain it back. The big downfall of that is that portions of your file system, directory store, or mailboxes could easily become totally inaccessible with no recourse.

So, unless your executives want to manage their own Exchange server (and domain), you are going to have to live within Microsoft's bounds.

Doug Luxem

What about if the actual admins (the guys who do the day-to-day work) are removed from the Domain Admin and Exchange Organization Unit groups? My understanding[*] is that these are the necessary permissions needed to view a mailbox.

Then the password for the "real" Administrator account (which still has Domain Admin and Exchange OU membership) is known only to the company directors.

Of course this will limit the debugging and configuration capabilities of the actual admins; but when the extra access is needed, one of the directors will have to get involved.

I have the utmost sympathy for the original poster: the head of my company insists on the same kind of policies. His organization has been painstakingly created to segregate administrative power among different individuals. It's frustrating, but the owner of the business gets to make the rules.

Note that this suggestion ignores the ability of emails to be intercepted once they're on the wire.

[*] Big disclaimer: I'm just learning this stuff, so please take with a huge grain of salt.

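The arrangement in the last answer stands or falls on who is actually left with a route into the mailboxes, so it needs to be checked, not assumed. As an added example (not from the original thread), this Exchange Management Shell function lists the three things worth verifying: explicit Full Access grants on each director's mailbox, the members of the Exchange 'Organization Management' role group, and the members of Domain Admins. It assumes Exchange 2010 or later (RBAC role groups), the ActiveDirectory PowerShell module for Get-ADGroupMember, and a 'Directors' distribution group (an assumed name) listing the protected mailboxes.

```powershell
# Added example, not from the original thread. Assumes the Exchange Management Shell on
# Exchange 2010 or later, the ActiveDirectory module (Get-ADGroupMember), and a
# distribution group named 'Directors' (assumed name) listing the protected mailboxes.
Import-Module ActiveDirectory

function Get-DirectorMailboxAccessReport {
    param([string]$DirectorsGroup = 'Directors')

    $directors = Get-DistributionGroupMember -Identity $DirectorsGroup

    # 1. Explicit Full Access entries on each mailbox, i.e. what Add-MailboxPermission
    #    creates. Inherited entries and the mailbox's own SELF entry are noise here.
    $explicit = foreach ($d in $directors) {
        Get-MailboxPermission -Identity $d.Identity |
            Where-Object {
                $_.AccessRights -contains 'FullAccess' -and
                -not $_.IsInherited -and
                $_.User.ToString() -ne 'NT AUTHORITY\SELF'
            } |
            Select-Object @{ n = 'Mailbox'; e = { $d.Name } }, User, Deny
    }

    # 2. Accounts that can simply grant themselves Full Access: Exchange's top-level
    #    role group and the domain's own admins (nested group membership resolved).
    $orgMgmt = Get-RoleGroupMember -Identity 'Organization Management' |
        Select-Object -ExpandProperty Name
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        ExplicitFullAccess     = @($explicit)
        OrganizationManagement = @($orgMgmt)
        DomainAdmins           = @($domainAdmins)
    }
}

$report = Get-DirectorMailboxAccessReport

'--- Explicit Full Access grants on director mailboxes ---'
$report.ExplicitFullAccess | Format-Table -AutoSize

'--- Organization Management members (can grant themselves access) ---'
$report.OrganizationManagement

'--- Domain Admins (can reset any password or add themselves to the group above) ---'
$report.DomainAdmins
```

Run it once after the day-to-day admins have been removed and then on a schedule: any name reappearing in the last two lists is exactly what the arrangement is meant to prevent, and the first list catches the quieter route of a one-off Full Access grant. As the answer itself notes, none of this covers a restored backup or mail on the wire.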