Hi All,I'm on my way to make the AD infrastructure security changes by removing the default built-in Administrator account to make changes in my Exchange Server 2007, I've created a user called "root" who should act as "administrator" and removing the built-in Administrator from the default group.is there any way to do that in Exchange Server 2007 ? I also attached the list of the Exchange Admin. group FYI.any comments would be greatly appreciated. Thanks.==============================Identity Scope Role-------- ----- ----domain.com/Users/root Organization wide OrgAdmindomain.com/Users/Administrator Organization wide OrgAdmindomain.com/Users/root Organization wide RecipientAdmindomain.com/Microsoft Exchange Security.. Groups Organization wide RecipientAdmindomain.com/Users/Administrator Organization wide RecipientAdmindomain.com/Microsoft Exchange Security.. Groups Organization wide ViewOnlyAdmindomain.com/Microsoft Exchange Security .. Groups Organization wide ViewOnlyAdmindomain.com/Users/Directors Organization wide PublicFolderAdmindomain.com/Users/root Organization wide PublicFolderAdmindomain.com/Microsoft Exchange Security.. Groups Organization wide PublicFolderAdmin/* Support Engineer */

If you just want to remove the Administrator from exchange administrator role, the simplest method is to use Remove-ExchangeAdministrator Per my knowledge, theres no way to remove the built-in administrator account from AD. If what you want is to rise up the security level for the environment, rename and disable the Administrator account from ADUC would be the resolution

James,you could be right, today I've removed the Administrator username from the 4 default Exchange Security group but still Administrator username can edit the distribution groups and etc...so in this case if i run that command, what would be the rollback plan if I may know ?thanks. /* Support Engineer */

If you want to add Administrator back, you may use either EMC or EMS How to Add a User or Group to an Administrator Role

Yes James, The only way i did it it was from EMC and then removing the Administrator username from these groups:Exchange Organization AdministratorsExchange Recipient AdministratorsExchange Server AdministratorsExchange View-Only AdministratorsExchange ServersExchange Public Folder Administratorsbut so far, the administrator still able to do some config. editing which is not should be. /* Support Engineer */

I assume that Administrator has been logged off one after removed the membership, right? Please check the membership in the properties of Administrator, see if we can find any relationship As I said before, remove/disable the account would be a good option

ok,from the "member Of" tab i can only find that Administrator user got "Exchange Install Domain Servers"and from the "Security" tab there are two entries listed:Exchange Recipient Administrators Exchange Serversmaybe i should remove those two entries to make the role separation to work ? /* Support Engineer */