During an audit you find that one or more admins have full access to every mailbox in the organisation. You can confirm this by creating a test mailbox and checking its permissions: if the admin shows up on a brand-new mailbox with FullAccess marked as inherited, the right is coming from the database object rather than from anything set on the mailbox itself.
The most likely explanation I have found is that when an admin installs a Cumulative Update, the update rewrites the database permissions in a way that grants that admin full access. Whatever the cause, what matters for the fix is where the permission entry actually lives.
Because of this, every mailbox created in that database inherits the full access permission from the database object.
You can try removing the admin from the database objects using the Exchange Management Shell with this command (it runs against every mailbox database; narrow it with Get-MailboxDatabase -Identity if you only want to touch one):
Get-MailboxDatabase | Get-ADPermission -User Domain\UserName | Remove-ADPermission -AccessRights GenericAll -InheritanceType All -Confirm:$false
However, if this fails with an error that the entry cannot be removed, the permission is almost certainly inherited from a container higher up in the Exchange configuration tree, and inherited entries cannot be deleted on the child object. You have to remove it at the container where it is defined explicitly; Get-ADPermission shows this in the IsInherited column.
- Log on to a Domain Controller and start ADSI Edit
- Right-click ADSI Edit > Connect to...
- Under "Select a well known Naming Context:" choose Configuration and click OK
- Expand all the way down to: CN=Services > CN=Microsoft Exchange > CN=<Exchange organization name> > CN=Administrative Groups > CN=Exchange Administrative Group (FYDIBOHF23SPDLT)
- In the right-hand pane you will see CN=Databases; right-click it > Properties > Security tab
Check whether the admin user is in the list and try to remove it. If you get an error that the entry is inherited, go one level back up the tree and repeat, until you reach the root CN=Microsoft Exchange. (The Advanced button on the Security tab shows an "Inherited from" column naming the container each entry comes from, which saves walking the tree by hand.)
Once you have found the container where the permission is defined explicitly, remove the user from the list there. Before you do, make sure the entry really belongs to the admin account and not to one of the groups Exchange setup itself grants rights to at that level, which are expected and must stay.
- Back on the Exchange server, run the following in the Exchange Management Shell:
Get-MailboxDatabase "<Database name>" | Get-ADPermission
The admin user should no longer be listed. Finally, create a new test mailbox in that database and check it with Get-MailboxPermission to confirm that no inherited FullAccess entry for the admin remains.
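The whole procedure above, as an added example rather than the original author's code: a small set of Exchange Management Shell functions that start at the database object, walk up the configuration tree to CN=Microsoft Exchange, report every GenericAll entry for the admin and flag which one is explicit, remove it there (with -WhatIf support), and then verify on a test mailbox that no inherited FullAccess is left. The account, database and mailbox names in the usage lines are placeholders; the cmdlets are the standard Exchange ones used in the post.

```powershell
# Added example for this post; it is not the original author's code. Run it in the
# Exchange Management Shell. The user, database and mailbox names in the usage
# lines at the bottom are placeholders you must replace.

function Get-ParentDn {
    # Strip the leading RDN ("CN=x,") to get the parent container's DN.
    # Assumes no escaped commas in the RDN, which holds for Exchange's own containers.
    param([Parameter(Mandatory)][string]$Dn)
    if ($Dn -notmatch ',') { return $null }
    return ($Dn -replace '^[^,]+,', '')
}

function Find-ExchangeGenericAllAce {
    # Walk from the database object up through CN=Databases, the administrative
    # group, CN=Administrative Groups and CN=<organization> to CN=Microsoft Exchange,
    # returning every allow ACE for $User that carries GenericAll. The entry with
    # IsInherited = False is the one that has to be removed; the inherited copies
    # below it cannot be deleted directly.
    param(
        [Parameter(Mandatory)][string]$User,       # e.g. 'CONTOSO\mailadmin' (placeholder)
        [Parameter(Mandatory)][string]$Database    # e.g. 'MBX-DB01' (placeholder)
    )
    $dn     = (Get-MailboxDatabase -Identity $Database).DistinguishedName
    # CN=Microsoft Exchange is the parent of the organization container.
    $stopDn = Get-ParentDn (Get-OrganizationConfig).DistinguishedName

    while ($dn) {
        Get-ADPermission -Identity $dn -User $User |
            Where-Object { -not $_.Deny -and ($_.AccessRights -like '*GenericAll*') } |
            ForEach-Object {
                [pscustomobject]@{
                    Container       = $dn
                    IsInherited     = $_.IsInherited
                    InheritanceType = $_.InheritanceType
                }
            }
        if ($dn -eq $stopDn) { break }
        $dn = Get-ParentDn $dn
    }
}

function Remove-ExchangeGenericAllAce {
    # Remove the explicit (non-inherited) GenericAll ACE for $User at the container
    # where it actually lives. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Database
    )
    $explicit = @(Find-ExchangeGenericAllAce -User $User -Database $Database |
        Where-Object { -not $_.IsInherited })
    if ($explicit.Count -eq 0) {
        Write-Warning "No explicit GenericAll entry for $User between the database and CN=Microsoft Exchange."
        return
    }
    foreach ($ace in $explicit) {
        if ($PSCmdlet.ShouldProcess($ace.Container, "Remove GenericAll for $User")) {
            # Match the inheritance type of the ACE we found; otherwise the removal
            # has no matching entry to delete.
            Remove-ADPermission -Identity $ace.Container -User $User `
                -AccessRights GenericAll -InheritanceType $ace.InheritanceType -Confirm:$false
        }
    }
}

function Test-InheritedFullAccess {
    # The verification step from the post: a freshly created mailbox in the cleaned
    # database must not show inherited FullAccess for the admin. Returns $true if
    # such an entry still exists.
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$User
    )
    $hits = @(Get-MailboxPermission -Identity $Mailbox -User $User |
        Where-Object { -not $_.Deny -and $_.IsInherited -and ($_.AccessRights -like '*FullAccess*') })
    return ($hits.Count -gt 0)
}

# Usage (placeholder names):
#   Find-ExchangeGenericAllAce -User 'CONTOSO\mailadmin' -Database 'MBX-DB01' | Format-Table -AutoSize
#   Remove-ExchangeGenericAllAce -User 'CONTOSO\mailadmin' -Database 'MBX-DB01' -WhatIf
#   Remove-ExchangeGenericAllAce -User 'CONTOSO\mailadmin' -Database 'MBX-DB01'
#   (create a test mailbox in MBX-DB01, then)
#   Test-InheritedFullAccess -Mailbox 'ace-test' -User 'CONTOSO\mailadmin'   # $false once cleaned up
```

Run the Find function first and read the output before removing anything: the entries Exchange setup itself places on the organization container for its own service groups are expected, and the function only acts on the user you name, so pass the admin account, not a group that Exchange depends on.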