Dear all, We have windows 2008 server 64Bit and domain controller it is working fine . Another server Exchange server 2007 64 bit. it is working fine. i have created some groups in my domain like IT IT users have member of domain Admin . All IT users they have exchange mail Box. every users they have modified exchange member groups add and delete member . how can i stop ? they don't want to change add and modify exchange server member . Regards Subash

On Thu, 19 Jul 2012 08:30:04 +0000, Suriya Subash wrote: >We have windows 2008 server 64Bit and domain controller it is working fine . Another server Exchange server 2007 64 bit. it is working fine. i have created some groups in my domain like IT > >IT users have member of domain Admin . All IT users they have exchange mail Box. every users they have modified exchange member groups add and delete member . how can i stop ? they don't want to change add and modify exchange server member . Are you worried about them using Outlook to change the group membership? That's really of no consequence since they can just use the Active Directory Users and Computers (or ADSIEDIT or LDP.exe or ADSI, or LDIFDE, or any number of other tools) to make the same alteration. They're domain administrators. If you can't trust them then they shouldn't be domain administrators. Any changes you make they can simply undo. This is also an AD problem, not an Exchange problem. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Dear Boss, Thanks for replay my msg , i don't want to disturb to my domain controller . is it possible to restrict from exchange server ? Advance Thanks Subash

On Thu, 19 Jul 2012 14:43:48 +0000, Suriya Subash wrote: >Thanks for replay my msg , i don't want to disturb to my domain controller . is it possible to restrict from exchange server ? No. Your Domain Admins have "Full Control" on the objects in the AD and that's where groups are located. As I said before, this isn't an Exchange problem it's one of managing expectations. If you don't want them changing things in Outlook then give theam each another account (e.g. "adminUserName") and make that account a member of Domain Admins, then take their "normal" account out of the domain admins group and then set the adminCount property on the "normal" account to zero. If you skip this step you'll find that permission inheritance is blocked on the accounts. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Dear Boss, Sorry for the delay . i want to out of station . i come to the point . your idea is good . But those member like branch support engg . some thime thay want to log-in remote branch server and install some software . delete some unwanted software and files . how can i give the permission from my domain . Regards Subash

On Tue, 24 Jul 2012 09:31:16 +0000, Suriya Subash wrote: >Sorry for the delay . i want to out of station . i come to the point . your idea is good . But those member like branch support engg . some thime thay want to log-in remote branch server and install some software . delete some unwanted software and files . how can i give the permission from my domain . How did you give permission to the account they're using now? Do the same thing with their new "admin" account. Again, not an Exchange problem. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Dear Boss, Thanks for replay my msg. i gave the permission of them domain user and Domain Admin also remote desktop . Regrds Subash