We recently started using the Mailbox Restore utility within Rapid Recovery, and everything is working without any issues. We are able to follow the procedures and recover our Exchange DB from any mount point.
My question is regarding the controls to monitor/restrict access to mailboxes. We want any of our data backup administrators to have the ability/user rights to restore emails for any of our company employees. But what prevents the user from using the Mailbox Restore utility to view their supervisor's inbox or president's inbox? Does anyone else use any type of controls to try to limit or monitor this activity? The only control that comes to mind is to monitor the Rapid Recovery log to see when an Exchange recovery point has been mounted by a data administrator.
Hi voelk01: Restoring emails without having access to their content is not really possible. Moreover, I am not sure how you would be able to identify mail items for restore without having access to their content (i.e. a specific e-mail in a long e-mail chain).
That being said, we have a more sophisticated e-mail recovery application (Recovery Manager for Exchange - Data Protection Edition 5.8.1) available for download at support.quest.com/.../download-new-releases. This app has some features that may allow you to restore whole mailboxes without seeing the content of the e-mail items inside, but to make it work, you still need to enable some kind of honor system. You may think of some kind of NTFS permissions limitations that would bar some admins from accessing the e-mail databases on a mounted recovery point (i.e. have a few cores that are not a part of the domain), but again, it is not the kind of workaround I would recommend.
Please note that anybody with full system admin permissions can access users' e-mail without having to make complicated moves such as accessing backed-up Exchange databases. In my experience of 12 years of system administration running a complex network, neither I nor any of my subordinates abused our admin capabilities to peek at other users' e-mails, and I trust that most people would not do it either. However, if there are concerns regarding e-mail content security, probably the best approach in my opinion would be to have the admin team sign non-disclosure agreements. Hope that this helps.