I would always create a service-specific (Atempo, Blackberry, GFM, Symantec, etc.) account that is not a Domain Admin but is an Administrator. Then I would provide the rights mentioned here.
So, once you do that then you can go to Services and provide the service with an account to fire up as (e.g., AtempoAdmin). Then make sure this key is in the registry (according to which SP you have it might not be):

HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
ShowSecurityPage DWORD value = 1

Then fire up Exchange System Manager, click on the Organization, click on the Admin Group and then your group and then properties for it. Then you'll notice that nice security tab. There, click on your service-specific group/user and allow access to the mailboxes for the service account. I would also enable audit tracking for all login events for that server so that any time that service account logs in it will get tracked. Non-repudiation.
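The registry step and the follow-up audit review can be scripted in Windows PowerShell, shown here as an added example that is not part of the original post. The account name is the post's AtempoAdmin sample, and the seven-day window and the 20-row preview are assumptions.

```powershell
# Added example. 'AtempoAdmin' is the sample service account from the text.
$Account = 'AtempoAdmin'

# 1. Run as the user who opens Exchange System Manager: the value lives
#    under HKCU, so it must be set in that user's profile.
$KeyPath = 'HKCU:\Software\Microsoft\Exchange\EXAdmin'
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
$current = (Get-ItemProperty -Path $KeyPath -Name ShowSecurityPage `
            -ErrorAction SilentlyContinue).ShowSecurityPage
if ($current -ne 1) {
    New-ItemProperty -Path $KeyPath -Name ShowSecurityPage `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Run elevated on the server where logon auditing was enabled.
#    Pulls every Security audit record whose message mentions the
#    account; this is broader than logon events alone, so the summary
#    by event ID shows what kinds of records were matched.
$events = Get-EventLog -LogName Security `
    -EntryType SuccessAudit, FailureAudit `
    -Message "*$Account*" `
    -After (Get-Date).AddDays(-7) `
    -ErrorAction SilentlyContinue   # no matches is reported as an error

if (-not $events) {
    Write-Warning "No audit records mention $Account in the last 7 days. Check that logon auditing is enabled."
} else {
    # Summary: how many records per event ID and audit result.
    $events | Group-Object EventID, EntryType |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Most recent records, for a quick look at when the account was used.
    $events | Sort-Object TimeGenerated -Descending |
        Select-Object -First 20 TimeGenerated, EntryType, EventID, MachineName |
        Format-Table -AutoSize
}
```

FailureAudit rows for the service account are the ones to review first, since the service itself should authenticate successfully every time.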