How can I limit Admin Access to Exchange Mailboxes?
I'm an Exchange 2003 Standard admin. My supervisor would like to prevent domain administrators from accessing senior management mailboxes (without making special effort). All mailboxes reside in the same mailbox store on a single Ex2k3 Stand. server. I've read that by default Domain Admins should not have access to other users' mailboxes. I've also read that I should not use the Active Directory security tab to change mailbox permissions because that will change the sequence of ACEs so that MAPI administration will be impossible. I just want to prevent Domain Admins from accessing Inbox folders of Senior Management without breaking anything else.

Thanks, in advance, for your help.
Paul
December 13th, 2007 12:16am

If the Domain Admins are spying on management's mailboxes, anything you do to take this away can be undone by them. Any NTFS right you put back to default can be changed again. So, find the group they most likely added to the Organization or Mailbox Store security that has rights to the mailboxes, and remove it. This will not fix the issue of having Domain Admins that you cannot trust, but it should make your manager feel better.

I guess I should state that I am a Systems Administrator myself. I don't run my normal account with Domain Admin rights, but have access to Enterprise/Domain Admin accounts. I only use them to do specific tasks. By the nature of my job, I can give myself any right I want.

BTW, if you are not auditing, it should be turned on, and changes to the settings should be audited as well. But seriously, anything you do to change the rights of a domain admin, except taking domain admin away, they can change back. If you can't trust them, give them the boot.

J.G.
December 13th, 2007 12:48am
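
The review step suggested in the reply above, as an added example that is not part of the original thread: a small Python model of ordered ACE evaluation that lists the explicit grants on a mailbox store and shows the effect of removing them. The `Receive As` label, the `Mail-Helpers` group, the sample ACL and the modelling of the default as an inherited deny for Domain Admins are assumptions constructed for illustration.

```python
from dataclasses import dataclass

RECEIVE_AS = "Receive As"  # right name used as a label in this example (assumption)

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # group name standing in for a SID
    right: str
    inherited: bool  # True if the ACE flows down from a parent object

def access_check(acl, groups, right):
    """Ordered evaluation: the first ACE matching the token and the right decides."""
    for ace in acl:
        if ace.trustee in groups and ace.right == right:
            return ace.kind == "allow"
    return False  # no matching ACE: implicit deny

def canonical(acl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def grants_to_review(acl, right):
    """Explicit allow ACEs for the right: entries someone added on this object."""
    return [a for a in acl
            if a.kind == "allow" and not a.inherited and a.right == right]

def after_cleanup(acl, right):
    """The same ACL with the explicit grants for the right removed."""
    drop = set(grants_to_review(acl, right))
    return [a for a in acl if a not in drop]

# Constructed ACL for a mailbox store (not exported from a real server).
STORE_ACL = canonical([
    Ace("deny", "Domain Admins", RECEIVE_AS, inherited=True),   # modelled default
    Ace("allow", "Mail-Helpers", RECEIVE_AS, inherited=False),  # hypothetical added group
])
ADMIN_TOKEN = {"Domain Admins", "Mail-Helpers"}  # an admin who is also in the added group

if __name__ == "__main__":
    print("before cleanup:", access_check(STORE_ACL, ADMIN_TOKEN, RECEIVE_AS))
    for ace in grants_to_review(STORE_ACL, RECEIVE_AS):
        print("review and remove:", ace.trustee)
    cleaned = after_cleanup(STORE_ACL, RECEIVE_AS)
    print("after cleanup:", access_check(cleaned, ADMIN_TOKEN, RECEIVE_AS))
```

Because the first matching ACE decides, the same entries in a different sequence give a different answer, which is why tools that silently reorder ACEs change behaviour.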

This topic is archived. No further replies will be accepted.
