Sunday, August 26, 2007

How to allow only certain users to access the Exchange Server Information Store?

The Exchange server information store by default allows all users to connect. There are scenarios in which the administrator wants to connect to the server and verify things without end users connecting to it. This is a typical requirement after maintenance, when an administrator wants to check that the server is working but does not want any user to connect to it yet. This can be done using the two steps below:

1) Getting the LegacyExchangeDN attribute of the user to whom access needs to be given
2) Restricting access only to that user from the registry

We will see below how to do the above steps:

1) Getting the LegacyExchangeDN attribute of the user to whom access needs to be given.

The LegacyExchangeDN attribute of the user can be obtained by using ADSIEdit.exe or LDP.exe to run an LDAP query against Active Directory.

2) Restricting access only to that user from the registry

1. Run the Windows NT Registry Editor (REGEDT32, not REGEDIT).
2. Locate the HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem registry key.
3. Select Edit > Add Value, type Logon Only As, and select REG_DWORD in the Data Type box.
4. Enter 0 to allow anyone to access the Information Store, or enter 1 to block access to the Information Store for everyone except the mailbox named in step 6.
5. Create another registry value by choosing Edit > Add Value, type Trace User LegacyDN, and select REG_SZ in the Data Type box.
6. In the Data box that appears, enter the legacyExchangeDN of the mailbox that will be allowed to access the server. If you leave this box empty, no one will be able to access the server. The DN should be in the following format:

   /O=Domain/OU=Sales/CN=Recipients/CN=Mathew

7. Stop and restart the Information Store service for the change to take effect.
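The same two steps as a PowerShell script, added here as an example and not part of the original post: it looks up the legacyExchangeDN, writes the two registry values, restarts the store, and includes a check so the lockdown is not forgotten after maintenance. It assumes the key HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem, the MSExchangeIS service name, and the ActiveDirectory module (Get-ADUser) for the lookup; the function names and the account 'mathew' are constructed for the example.

```powershell
# Added example: restrict the Information Store to one mailbox, then reopen it.
# Run as an administrator on the Exchange server.
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'

function Get-LegacyExchangeDN {
    # Step 1 of the post: read the user's legacyExchangeDN from Active Directory.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties legacyExchangeDN
    if (-not $user.legacyExchangeDN) { throw "No legacyExchangeDN on $SamAccountName" }
    return $user.legacyExchangeDN   # e.g. /O=Domain/OU=Sales/CN=Recipients/CN=Mathew
}

function Set-StoreLogonRestriction {
    # Step 2: Logon Only As = 1 plus Trace User LegacyDN = <allowed DN> blocks everyone else.
    param([Parameter(Mandatory)][string]$LegacyDN)
    if ([string]::IsNullOrWhiteSpace($LegacyDN)) {
        throw 'Refusing to write an empty Trace User LegacyDN: that locks everyone out.'
    }
    New-ItemProperty -Path $ParamKey -Name 'Logon Only As' -PropertyType DWord `
        -Value 1 -Force | Out-Null
    New-ItemProperty -Path $ParamKey -Name 'Trace User LegacyDN' -PropertyType String `
        -Value $LegacyDN -Force | Out-Null
    Restart-Service -Name MSExchangeIS -Force   # takes effect only after a store restart
}

function Clear-StoreLogonRestriction {
    # Reverse the change once verification is done so end users can connect again.
    Set-ItemProperty -Path $ParamKey -Name 'Logon Only As' -Value 0
    Remove-ItemProperty -Path $ParamKey -Name 'Trace User LegacyDN' -ErrorAction SilentlyContinue
    Restart-Service -Name MSExchangeIS -Force
}

function Test-StoreLogonRestriction {
    # Audit helper: a lockdown left behind after maintenance shows up as a
    # mass "cannot open mailbox" incident, so report the current state.
    $p = Get-ItemProperty -Path $ParamKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Restricted = ($p.'Logon Only As' -eq 1)
        AllowedDN  = $p.'Trace User LegacyDN'
    }
}

# Usage (constructed account name):
# Set-StoreLogonRestriction -LegacyDN (Get-LegacyExchangeDN -SamAccountName 'mathew')
# Test-StoreLogonRestriction
# Clear-StoreLogonRestriction
```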
