1

I work for a company in which an ex-employee had administrative access to Microsoft Exchange 2007, and I understand that at some points this person had email which was sent to other employees also forwarded on to him.

Upon taking over the administration of the server, of course all of his known accounts were closed, and any of those forwarding rules were removed. However, I would like to ensure that we didn't miss anything.

What would be the best way to ensure that: (1) There isn't still some sort of email being forwarded on to him somewhere? (2) That he doesn't have some sort of other access to an inbox or another employee's email?

I am less concerned about access to the box itself than I am that there is an existing email rule somewhere that is still getting run, or that there is a distribution list that we missed, etc.

1 Answer

2

This is related to the more general question "how do I ensure an ex-administrator is really locked out of a system he no longer manages?". And it has no easy answer, as, by definition, an ex-administrator could have left backdoors anywhere, if he wanted to and if he had proper technical skills to do it.

Even checking that no e-mail is forwarded to him anywhere isn't easy: if you have a forwarding rule which forwards messages to someaddress@somedomain.com, how could you know for sure that address isn't owned by him?

What helps you here is the fact that server-side forwarding in Exchange can only have Active Directory objects as recipients; you can't forward messages to some random e-mail address, you need to create a contact object in AD to hold it and then forward to the contact; so you only have to check your contacts.

The problem is, if you only have a few of them in your AD, you can check with your users and make sure forwarding rules are only the ones they actually need; but if you have hundreds of them, this can get quite difficult.

Massimo

I agree with Massimo. It sounds like you're going to have to go through AD. Sort by 'Type' and check all the 'Contact' objects to ensure that they're legit emails. I suppose the hard part to that may be determining if they are in fact legit. This is a tough situation. Good luck! – JohnyD Jun 09 '10 at 17:52
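
The audit the answer describes can be scripted in the Exchange Management Shell. The following is an added example, not code from the original answer: it lists mailboxes with server-side forwarding, mail contacts whose address lies outside your own domains, distribution groups that contain contacts, and explicit Full Access grants on mailboxes. The `$internalDomains` value is a placeholder you must replace.

```powershell
# Run in the Exchange Management Shell with rights to read all recipients.
# ASSUMPTION: placeholder list of the SMTP domains your organisation owns.
$internalDomains = @('example.com')

# 1. Mailboxes with server-side forwarding, and the AD object they forward to.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -ne $null } |
    ForEach-Object {
        $target = Get-Recipient -Identity $_.ForwardingAddress
        $_ | Select-Object Name, DeliverToMailboxAndForward,
            @{ Name = 'ForwardsTo'; Expression = { $target.Name } },
            @{ Name = 'TargetType'; Expression = { $target.RecipientType } },
            @{ Name = 'TargetSmtp'; Expression = { $target.PrimarySmtpAddress } }
    }

# 2. Mail contacts whose external address is outside the domains listed above.
#    These are the only objects that can carry mail out via server-side forwarding.
Get-MailContact -ResultSize Unlimited |
    Where-Object {
        $domain = $_.ExternalEmailAddress.ToString().Split('@')[-1]
        $internalDomains -notcontains $domain
    } |
    Select-Object Name, ExternalEmailAddress, WhenCreated, WhenChanged

# 3. Distribution groups that have a mail contact as a member.
Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $group = $_.Name
    Get-DistributionGroupMember -Identity $_.Identity |
        Where-Object { $_.RecipientType -eq 'MailContact' } |
        Select-Object @{ Name = 'Group'; Expression = { $group } },
            Name, PrimarySmtpAddress
}

# 4. Explicit (non-inherited) Full Access granted to anyone but the owner.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        $_.AccessRights -like '*FullAccess*'
    } |
    Select-Object Identity, User, AccessRights
```

Each section only reads configuration; review the output with the mailbox owners before removing anything, since some forwards and contacts will be legitimate.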