Whose responsibility is it in your places to verify the people granted even delegate access or via an ad group to a mailbox/folder require such access. We have over 5000 mailboxes. I need some best practice on the data protection point of view how and who should we be verifying people with access to the higher sensitive mailboxes still require such access. For example large organisations have many job role changes, switch departments etc, so access that was required back 2 years ago may no longer be required. But wth over 5000 users, and IT team not having an easy way to see delegate rights, how on eart do we manage this. and who should take ownership? should they sign a quarterly form for example? the users themselves wont have a view of security groups added to their mailbox, (or could they?)

I think you need to roll out the process to streamline this activity. First put the policy in place followed by procedure and practice them e.g. Policy: All mailbox access request needs to be given only when access request is submitted and approved. Procedure: Outlining the steps to achieve the above process. Practice: Make sure everyone is following the established standard operating procedure. Now on the procedure step you need to make sure that you've proper tool in place where requester can put the request and while submitting the request, email should go to implementer and approver, The minute approver approves the request, it is just a matter of implementing it. This same tool should be able to provide reporting facility for auditing purpose as well. Same way you need to identify various different policies like department switch, delgate etc..... I don’t think that you can implement somthing like that using exchange server, you need some third party tool.Regards, Pushkal MishrA