2

Environment: Exchange 2010 SP1, Outlook 2010 Pro Plus

We have a manager that needs access to a user's live email box without that user knowing about it (suspected wrongdoing).

Obviously, we could give the manager Full Access permission in Exchange, but if the manager accidentally clicks on an unread item or deletes something then it might give it away that they are accessing it. Also, we can't add the manager as a reviewer to the user's Outlook (again, might give it away). We could also just export the mailbox from Exchange, but that wouldn't give the manager any email that comes in after the export (without us continually re-exporting it). From what I've seen, giving a user read-only permissions on a mailbox doesn't prevent the read/unread status from being modified. Discovery searches would work for specific things, but the manager would like to be able to browse.

Does anyone have any ideas on how to accomplish this?

CORTech
  • To add to my comment below in the answer, using words like "stealth", etc. you need to make sure HR is fully involved as well as documenting what you are doing. Being nice to a manager and helping them out could end up backfiring on you/IT. – TheCleaner Feb 26 '13 at 19:28

5 Answers

5

In the manager's Outlook or OWA, turn off the message Read options. If the manager uses Outlook as their primary email client and doesn't want to turn off the message Read options because it will affect his/her messages, then have them use OWA to view the employee's mailbox and turn off the message Read options in OWA.

EDIT

In the OWA options you should have the following three options:

Mark item displayed in reading pane as read
Mark item as read when selection changes
Do not automatically mark items as read

Select the third option. Then when the manager uses OWA to read the employee's email the messages won't be marked as Read.

joeqwerty
  • 2
    Make sure you've documented what you are doing in case there are legal issues. – TheCleaner Feb 25 '13 at 22:00
  • This still doesn't prevent the manager from deleting or moving a message, but I think it's going to be as close as I can get. Thanks. – CORTech Feb 26 '13 at 16:52
  • It doesn't, and you didn't mention anything about preventing the manager from deleting or moving messages in your question. At the end of the day, the manager has to exercise some discretion and caution when accessing the employee mailbox. Read but don't move, delete or otherwise manipulate any of the emails. – joeqwerty Feb 26 '13 at 21:48
4

If you don't want to give the user any rights to the live mailbox, you can set up a Transport rule to Bcc a separate mailbox for any incoming or outgoing mail for that user. You could then give the Manager access to the separate mailbox.

HostBits
3

You should place a litigation hold on the user's mailbox. http://technet.microsoft.com/en-us/library/ee861123(v=exchg.141).aspx

Jeremy Lyons
1

Export the mailbox using the Export-Mailbox PowerShell cmdlet. This method is consistent with what an auditor or the CID would require, i.e.: you're getting an "as is" snapshot of the mailbox, and the person performing the investigation can't be accused of tampering. Of course, you should (yourself) ensure that your Employee Relations / Human Resources sanction such activities in your employment policy.

Simon Catlin
  • Simon - the OP mentioned why they didn't like this approach in their question. – TheCleaner Feb 25 '13 at 22:09
  • Granted, but e-mail observation is one thing. Having something that can be submitted in a court or employment tribunal is a whole different story. – Simon Catlin Feb 26 '13 at 07:11
  • Agree that this (or ideally a Litigation Hold) is the proper approach. Accessing the mailbox just to see it may not work after the fact if the user then deletes the email, word against word (or maybe screenshot against word). – TheCleaner Feb 26 '13 at 14:16
  • We might do this plus the BCC approach mentioned elsewhere. Doing the export will give us everything historical and the BCC transport rule will give us everything going forward. And we might add the litigation hold for another level. – CORTech Feb 26 '13 at 17:37
1

When we last had to do this 2 years ago, we used the automatic BCC rule to handle this by forwarding all mail to another account.

Regardless of the approach you take, you might want to consider having the manager read all the mails in plain text to prevent something like Bananatag giving away the "read" status outside of the mail client.

*Please do make sure that what you are doing is in fact legal and make sure everything is documented, just in case......

Permas
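Added example, not part of any answer above: the combination discussed in the thread (litigation hold, Bcc transport rules into a separate mailbox, and a one-time export) as an Exchange Management Shell sequence, with a SHA-256 of the exported PST recorded for the case file. It uses New-MailboxExportRequest, the export cmdlet available in Exchange 2010 SP1. All addresses, rule names and the UNC path are hypothetical placeholders, and the account running it is assumed to hold the Mailbox Import Export role.

```powershell
# Exchange Management Shell, Exchange 2010 SP1 (PowerShell 2.0 compatible).
# Every identity, rule name and path below is a hypothetical placeholder.
$Subject  = 'subject.user@example.com'       # mailbox under investigation
$Audit    = 'case-0001@example.com'          # separate mailbox that receives the copies
$Reviewer = 'reviewing.manager@example.com'  # person authorised to read the copies
$PstPath  = '\\fileserver\cases$\case-0001\subject.user.pst'

# 1. Preserve: with litigation hold, items the user deletes or edits stay recoverable.
Set-Mailbox -Identity $Subject -LitigationHoldEnabled $true

# 2. Going forward: copy inbound and outbound mail to the audit mailbox.
New-TransportRule -Name 'Case 0001 inbound copy'  -SentTo $Subject -BlindCopyTo $Audit
New-TransportRule -Name 'Case 0001 outbound copy' -From   $Subject -BlindCopyTo $Audit

# 3. The reviewer gets rights on the audit mailbox only, never on the live
#    mailbox, so read state and folder contents of the live mailbox are untouched.
Add-MailboxPermission -Identity $Audit -User $Reviewer -AccessRights FullAccess

# 4. Historical snapshot. The target must be a UNC path that the
#    Exchange Trusted Subsystem group can write to.
New-MailboxExportRequest -Mailbox $Subject -FilePath $PstPath

# 5. Record the resulting state for the case documentation.
Get-Mailbox -Identity $Subject | Format-List Name, LitigationHoldEnabled
Get-TransportRule | Where-Object { $_.Name -like 'Case 0001*' } |
    Format-List Name, State, Priority
Get-MailboxExportRequest -Mailbox $Subject | Get-MailboxExportRequestStatistics

# 6. Run only after the export request reports Completed: hash the PST so
#    later copies can be checked against the original snapshot.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($PstPath)
try {
    $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
} finally {
    $stream.Close()
}
"{0}  {1}  {2:u}" -f $hash, $PstPath, (Get-Date).ToUniversalTime()
```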