Full permission rights granted to rogue account
Looks like the previous admin set himself up to have access to all mailboxes by default. Poor admin practices in my opinion.
Any number of ways that could have been done. It is probably being done with inheritance, so the permission has been set at the top of the tree somewhere. Have you looked in ADUC at the domain itself, or the OUs, to see if the permission is being granted in there?
You need to find where it is being inherited from. It was probably set in Exchange 2003 days and the permission has come across, so that is most likely at the domain level rather than something in Exchange.
Simon.
Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.
February 28th, 2012 2:54am
Lepivert, Sembee is correct; the problem with deleting the old admin account is that the OldAdmin now becomes a rogue SID instead, still giving you the same mess.
But, I did get this resolved.
The correct answer, as it turns out, was to use ADSIEdit, and then I had to drill all the way down to:
CN=Configuration,DC=MyDomain,DC=com -> CN=Services -> CN=Microsoft Exchange -> CN=First Organization -> CN=Exchange Administrative Group -> CN=Servers -> CN=Server01 (Server02, etc.)
Then open properties on each server (I had two DB servers), click the Security tab, and remove the offending Old Admin. This was a bit messier than the post I referenced earlier, but in practice the same/similar solution.
Thanks folks,
James
February 28th, 2012 10:38am
Ok Folks,
I have been banging around for the better part of the day here reading everything in sight to get this resolved. I have an old admin account that, every time a new account is created, gets put in with Full Access permissions.
I've gone through (amongst many others) this article:
Change Default Security Principal, and when I ran the command get-mailboxdatabase | get-adpermission | fl >> c:\adlist.txt I can see the user listed at many of the DBs I have.
What is the best way to get rid of this? I did attempt the part of ADSIEdit, but did not find the account in there. Here is a snippet of what the above command produces:
User : MYDOMAIN\OldAdmin
Identity : TBEX02\First Storage Group\Corporate
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-Store-Admin}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
I attempted the (modified) command of
get-mailboxdatabase | remove-ADPermission -user "MYDOMAIN\OldAdmin" -accessrights genericall
but that just produced errors primarily like this:
Remove-ADPermission : Cannot remove ACE on object "CN=Mailbox Database7,CN=Third Storage Group,CN=InformationStore,CN=TBEX02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MYDOMAIN,DC=com" for account "MYDOMAIN\OldAdmin" because it is not present.
At line:1 char:42
+ get-mailboxdatabase | remove-ADPermission <<<< -user "MYDOMAIN\OldAdmin" -accessrights genericall
+ CategoryInfo : InvalidOperation: (11:Int32) [Remove-ADPermission], InvalidOperationException
+ FullyQualifiedErrorId : 77B4CDDB,Microsoft.Exchange.Management.RecipientTasks.RemoveADPermission
Any suggestions?
Thanks,
James
February 28th, 2012 5:28pm
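Simon's advice (find the container the ACE is inherited from) and James's failed Remove-ADPermission command both come down to the same audit, so here is one added example covering both; it is not code from the thread. It assumes the Exchange Management Shell (Exchange 2007/2010 cmdlets), the account name MYDOMAIN\OldAdmin from the question, and that Get-ADPermission can read every container up to the domain root; -Remove is a switch I made up for this script, and even with it Remove-ADPermission runs under -WhatIf until you take that out.

```powershell
# Added example; not code from the thread. Assumes the Exchange Management
# Shell and the account MYDOMAIN\OldAdmin named in the question.
param(
    [string]$User = 'MYDOMAIN\OldAdmin',
    [switch]$Remove   # hypothetical switch: report only unless given
)

# Yield a DN and each of its parents up to the domain root, e.g.
#   CN=Server01,CN=Servers,...,DC=MYDOMAIN,DC=com
#   CN=Servers,...,DC=MYDOMAIN,DC=com
#   ...
#   DC=MYDOMAIN,DC=com
# A plain split on ',' is enough for the Exchange configuration paths in this
# thread (assumption: no escaped commas inside an RDN).
function Get-ParentChain {
    param([string]$DistinguishedName)
    $rdns = $DistinguishedName -split ','
    for ($i = 0; $i -lt $rdns.Count; $i++) {
        $rdns[$i..($rdns.Count - 1)] -join ','
    }
}

# Objects the ACE was seen on in the thread: the databases (where
# Get-ADPermission listed ms-Exch-Store-Admin) and the server objects
# (where it was finally removed in ADSIEdit).
$targets = @(Get-MailboxDatabase) + @(Get-ExchangeServer)

# Walk every target and its parents, keeping only explicit ACEs for the
# account. The highest container carrying an explicit ACE is the origin
# Simon describes; anything inherited below it disappears once that is gone.
# A container this shell cannot read is recorded as having no explicit ACE.
$explicit = @{}
foreach ($t in $targets) {
    foreach ($dn in Get-ParentChain $t.DistinguishedName) {
        if ($explicit.ContainsKey($dn)) { continue }   # already checked
        $aces = @(Get-ADPermission -Identity $dn -User $User -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.IsInherited })
        $explicit[$dn] = $aces
    }
}

# Report: one row per explicit ACE, showing the rights it actually grants.
$rows = foreach ($dn in $explicit.Keys) {
    $explicit[$dn] | Select-Object @{n='Object';e={$dn}},
        AccessRights, ExtendedRights, Deny, InheritanceType
}
$rows | Format-Table -AutoSize -Wrap

# Removal. Piping the ACE objects into Remove-ADPermission removes exactly the
# rights each ACE holds. The failed command in the question asked to remove
# -AccessRights GenericAll, but the ACE present is an ExtendedRight
# (ms-Exch-Store-Admin), so Exchange reported it "not present".
if ($Remove) {
    foreach ($dn in $explicit.Keys) {
        $explicit[$dn] | Remove-ADPermission -Confirm:$false -WhatIf   # drop -WhatIf to apply
    }
}
```

Run it once without -Remove and read the Object column: the entry nearest the domain root is where the grant was made, and the rows on databases and servers below it tell you whether they are separate explicit grants (as James's IsInherited : False output suggests) or will vanish with the parent.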
Have an old admin account that every time a new account [new MAILBOX?] is created, this old admin account gets put in as Full Access permissions.
So if you create a brand new account (mailbox?), right now, instead of the (normal) single NTAuthority\SELF permission on the mailbox, you have that AND the old admin?
Otherwise... why not delete the old admin account?
February 28th, 2012 6:47pm
Otherwise... why not delete the old admin account?
Something I learnt a long time ago - never ever delete the account of a former admin. Strip its permissions, change the password, but don't delete it. You never know where the former admin has used their own account. Manage the network as if the previous admin was a complete idiot who didn't know what they were doing and trust nothing.
Simon.
Simon Butler, Exchange MVP
February 28th, 2012 7:02pm
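Simon's rule (strip the permissions, change the password, never delete the account) as an added example; this is my code, not anything from the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), a hypothetical sAMAccountName of OldAdmin, and a report path of my choosing; the Exchange ACEs on databases and servers are a separate cleanup and are not touched here.

```powershell
# Added example; not from the thread. Assumes the ActiveDirectory module and
# a hypothetical account named OldAdmin.
Import-Module ActiveDirectory

function Disable-FormerAdmin {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string]$ReportPath = "$env:TEMP\$SamAccountName-quarantine.txt"   # assumed location
    )
    $acct = Get-ADUser -Identity $SamAccountName `
        -Properties primaryGroupID, lastLogonDate, servicePrincipalName

    # 1. Record what the account had before anything changes. Keeping the
    #    object (rather than deleting it) keeps the SID resolvable, so later
    #    ACL audits still show a name instead of an orphaned S-1-5-21-... entry,
    #    which is the "rogue SID" mess James mentions.
    $groups = Get-ADPrincipalGroupMembership -Identity $acct
    @(
        "Account   : $($acct.DistinguishedName)"
        "SID       : $($acct.SID.Value)"
        "LastLogon : $($acct.lastLogonDate)"
        "SPNs      : $($acct.servicePrincipalName -join ', ')"
        "Groups    : $(($groups | ForEach-Object { $_.Name }) -join ', ')"
    ) | Set-Content -Path $ReportPath

    # 2. Replace the password with 256 random bits so any copy of the old one
    #    (scripts, scheduled tasks, the former admin's memory) stops working.
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct -NewPassword $newPassword -Reset

    # 3. Strip every group except the primary group, which AD will not let go
    #    (Domain Users by default); its SID is the domain SID plus primaryGroupID.
    $primaryGroupSid = "$((Get-ADDomain).DomainSID.Value)-$($acct.primaryGroupID)"
    foreach ($g in $groups) {
        if ($g.SID.Value -ne $primaryGroupSid) {
            Remove-ADGroupMember -Identity $g -Members $acct -Confirm:$false
        }
    }

    # 4. Disable, and leave a note explaining why the object still exists.
    Disable-ADAccount -Identity $acct
    Set-ADUser -Identity $acct -Description "Former admin; quarantined $(Get-Date -Format s). Do not delete. Inventory: $ReportPath"

    return $ReportPath
}

# Usage (hypothetical account name):
# Disable-FormerAdmin -SamAccountName OldAdmin
```

The inventory file is the point of step 1: once the account is stripped and disabled, the only place its former group list and SPNs survive is that report, and it is what you go back to when something breaks weeks later because a service was quietly running as the old admin.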