I Caught Another Admin Snooping User’s Email. What Should I Do?

I’m an honest person. I always pride myself on having integrity with my job as a Senior System Admin. I think it’s a must in this kind of position. I don’t ever spy on users in any way outside of my job requirements. I believe it’s a must that an admin never look at anything they aren’t supposed to. That’s why it irks me whenever I hear stories of admins using their powers to spy on users.

I had a co-worker who would seem to know the inside scoop on everything in the company. He would know everything about HR related issues, restructuring, and gripes between employees before anybody else would. I often wondered how he knew all of this information. I attributed his knowledge to an uncanny ability to network with other employees.

One day, I was adding permissions to a high-level executive’s mailbox in Office 365 when I noticed this admin had full privileges to the mailbox. I couldn’t figure out a reason why this admin would need full access to this mailbox. So, I got curious, and queried users with access to mailboxes other than their own.

The following PowerShell command was used:

Get-Mailbox | Get-MailboxPermission |                                                     # every permission entry on every mailbox
    where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} |   # drop the owner's own entry and inherited ones
    Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
    Export-Csv -NoTypeInformation mailboxpermissions.csv

It turned out the admin had full permissions to 20 mailboxes, all of them belonging to executives or high-level employees.

So how does one handle this find? If the admin was already on the outs with management, perhaps I would tell management. But this was a well-respected admin. Reporting it to management would put me in a situation where my team might consider me a snitch. Also, would management really care to discipline this admin?

In my situation, I decided not to tell anybody. I simply removed the admin’s permission from the mailboxes. I also enabled auditing so that I could see exactly when mailboxes were accessed by non-owners. I then sent out an email to our sysadmin team detailing how auditing is enabled to catch anybody who might snoop into mailboxes that aren’t their own.
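The steps above (find who holds rights on other people's mailboxes, remove the grants, turn on auditing, and then review who actually opened them) can be scripted. The following is an added example written for this page, not the author's own script. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline, the CSV produced by the Get-MailboxPermission pipeline above, and placeholder values for the CSV path, the threshold and the lookback window.

```powershell
# Added example, not the original post's script. Assumes an Exchange Online
# PowerShell session with rights to read mailbox permissions and audit logs.
# The CSV path, threshold and lookback window are placeholders for illustration.
param(
    [string]$CsvPath      = '.\mailboxpermissions.csv',  # output of the Get-MailboxPermission pipeline above
    [int]   $Threshold    = 5,                           # flag anyone with FullAccess on this many mailboxes
    [int]   $LookbackDays = 30                           # how far back to pull non-owner access records
)

# 1. Triage: which non-owner accounts hold FullAccess on the most mailboxes?
#    Service accounts and shared-mailbox groups will appear here too, so review
#    the list rather than acting on it blindly.
$grants   = Import-Csv -Path $CsvPath
$suspects = $grants |
    Where-Object { $_.'Access Rights' -match 'FullAccess' } |
    Group-Object -Property User |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object -Property Count -Descending

foreach ($s in $suspects) {
    Write-Host ("{0} has FullAccess to {1} mailboxes:" -f $s.Name, $s.Count)
    $s.Group | ForEach-Object { Write-Host ("    " + $_.Identity) }
}

# 2. Remediation: strip the grant from each affected mailbox.
#    -WhatIf only previews the change; remove it to apply.
foreach ($s in $suspects) {
    foreach ($g in $s.Group) {
        Remove-MailboxPermission -Identity $g.Identity -User $s.Name `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf
    }
}

# 3. Auditing: make sure delegate and admin access to those mailboxes is logged.
#    FolderBind records a non-owner opening a folder, which is what snooping looks like.
$affected = $suspects | ForEach-Object { $_.Group.Identity } | Sort-Object -Unique
foreach ($mbx in $affected) {
    Set-Mailbox -Identity $mbx -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00' `
        -AuditDelegate FolderBind,SendAs,SendOnBehalf,Update,MoveToDeletedItems,SoftDelete,HardDelete `
        -AuditAdmin    FolderBind,SendAs,SendOnBehalf,Update,MoveToDeletedItems,SoftDelete,HardDelete
}

# 4. Review: who opened these mailboxes as a delegate or admin recently?
$start = (Get-Date).AddDays(-$LookbackDays)
$end   = Get-Date
foreach ($mbx in $affected) {
    $safeName = $mbx -replace '[\\/:*?"<>|]', '_'
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Delegate,Admin -ShowDetails `
        -StartDate $start -EndDate $end |
        Select-Object MailboxOwnerUPN, LogonUserDisplayName, LogonType, Operation,
                      LastAccessed, FolderPathName, ClientInfoString |
        Export-Csv -NoTypeInformation -Path ("audit-{0}.csv" -f $safeName)
}
```

Two caveats for anyone running this today: the audit log only contains entries recorded after auditing was switched on, so the first run of step 4 tells you nothing about past access, and in newer Exchange Online tenants mailbox auditing is on by default and Search-MailboxAuditLog has been superseded by Search-UnifiedAuditLog, where the equivalent query filters on operations such as FolderBind and MailItemsAccessed.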

Thankfully this put a stop to our snooping admin without anybody getting fired, disciplined or labeled a “snitch”.

What would you do in this situation? Share your snooping admin stories below in the comments section.
