The correct answer to your question would depend on the specifics of your environment. It is possible to access exchange email data in an AD environment without knowing the PW. It’s also possible for root to read mail on a vanilla UNIX system.

The legal boundaries vary with the jurisdiction you are in – some all but forbid looking, some jurisdictions set quidelines as to who has a reasonable expectation of privacy and/or when a domain owner or his agent can reasonably breach an account holder’s privacy. Some jurisdictions don’t even require constructive notice that you have no presumption of privacy on a system you don’t own.

That said, there is the ethical question of whether you SHOULD look. If there isn’t some damn good reason you should probably keep out. Your policies should clearly state under what conditions IT will look at email, make someone (HR or high management) explicitly tell you they believe the looking is within the policy. Keep in mind that it could be your backside in the defendant’s chair irrespective of the merit of any suit brought.

If you’re a worker bee and The Boss is insisting, I’d get the boss on record as indemnifing you for following through with his request. Again, it could be your backside and even a quick dismissal when you finally get before the judge can put a huge dent in your wallet.

-PG