Domain Admin with limited rights to Exchange?
I'm newly in charge of a server with a small administrative team. We have a pretty basic setup - just a single Windows Server 2008 file server and an Exchange 2007 server in our domain. All of the IT staff have a superuser account that's a member of the Domain Admins group. We're definitely not doing anything new or complicated with the server's setup. However, my supervisor has requested that not all the staff be able to grant access to view another user's email account. I've found that the relevant permissions are related to Exchange Organization Admins versus Exchange Recipient Admins - some need to be one, some the other. However, I can't figure out where this is set. I tried tracing the group memberships for Domain Admins and Exchange Organization Admins, but I couldn't find where they related to each other. I'm hoping there's just something simple I'm overlooking - any idea what that might be? What would I have to change so that Domain Admins aren't automatically Exchange Organization Admins? It'd be easy enough to add them manually to the right group.
March 17th, 2010 10:35pm
Ultimately what you need to do is take everyone out of Domain Admins and grant them granular rights that enable them to do only the tasks they need to do, and keep them out of the OU that contains the Exchange permissions groups, and ensure that they don't have specifically granted rights to Exchange, that they get their rights strictly through groups. You'll need to change the password for Domain Admins to something nobody (including you!) knows and stick it in a sealed envelope in a safe. (Two is better.) This will be a complicated task that will ultimately make your entire organization a lot more secure, if somewhat more complicated to manage.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
March 18th, 2010 12:09am
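The answer above boils down to two checks you can repeat after the cleanup: which accounts end up in the Exchange admin groups through nesting (not just direct membership), and whether anyone holds rights on the Exchange permissions groups that were granted directly rather than through a group. The script below is an added example, not code from the thread or from Microsoft; it runs with plain [ADSI]/System.DirectoryServices on Windows PowerShell 2.0 and assumes Exchange 2007's default group names and its default "Microsoft Exchange Security Groups" OU in the root domain (adjust $exchangeOu if yours was moved). The nested-membership query uses the LDAP_MATCHING_RULE_IN_CHAIN rule, which needs Server 2003 SP2 or later domain controllers.

```powershell
# Added audit script (not from the original thread). Reports:
#  1. Domain Admins who also hold Exchange org/recipient admin rights via nesting.
#  2. Explicit (non-inherited) ACEs on the Exchange security groups OU and the
#     group objects inside it, i.e. rights granted directly to a principal.
# Assumption: Exchange 2007 default OU and group names in a single-domain forest.

$domainDn   = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$exchangeOu = "OU=Microsoft Exchange Security Groups,$domainDn"   # Exchange 2007 default location

function Get-GroupDn([string]$name) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=group)(cn=$name))"
    $r = $s.FindOne()
    if ($r -eq $null) { throw "Group not found: $name" }
    return [string]$r.Properties["distinguishedname"][0]
}

# Recursive (nested) user membership, resolved server-side with the
# LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941.
function Get-NestedMembers([string]$groupDn) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.Add("samaccountname")
    $s.FindAll() | ForEach-Object { [string]$_.Properties["samaccountname"][0] }
}

# Explicit ACEs on one directory object: anything not inherited was set by hand.
function Get-ExplicitAces($entry) {
    $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Object  = $entry.Path
                Trustee = $_.IdentityReference.Value
                Rights  = $_.ActiveDirectoryRights
                Type    = $_.AccessControlType
            }
        }
}

# --- 1. Overlap between Domain Admins and the Exchange admin groups ----------
$groups = "Domain Admins", "Exchange Organization Administrators", "Exchange Recipient Administrators"
$membership = @{}
foreach ($g in $groups) { $membership[$g] = @(Get-NestedMembers (Get-GroupDn $g)) }

"Domain Admins who also hold Exchange admin rights (directly or via nesting):"
foreach ($user in $membership["Domain Admins"]) {
    $holds = @($groups[1..2] | Where-Object { $membership[$_] -contains $user })
    if ($holds.Count -gt 0) { "  {0,-20} {1}" -f $user, ($holds -join ", ") }
}

# --- 2. Directly granted rights on the Exchange permissions groups ------------
"`nExplicit ACEs on $exchangeOu and the groups it contains:"
$ou = [ADSI]"LDAP://$exchangeOu"
$targets = @($ou) + @($ou.Children)
$targets | ForEach-Object { Get-ExplicitAces $_ } |
    Select-Object Object, Trustee, Rights, Type |
    Format-Table -AutoSize
```

After moving staff out of Domain Admins, the first report should list nobody, and the second should show only the ACEs Exchange setup itself placed (Exchange's own groups and the Exchange Servers group). Any named user account in the second list is exactly the "specifically granted rights" the answer says to remove, so that access is held only through group membership and can be revoked by editing one group.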