Exchange Admin

danielson

Original Poster:

407 posts

266 months

Thursday 22nd January 2004
Any Exchange admin gurus in the house?..got a security issue I would like to run by someone..

ta, Danny.

jam1et

1,536 posts

269 months

Thursday 22nd January 2004
Wouldn't call myself a 'guru' but may still be of some help. Fire away....

TheHobbit

1,189 posts

268 months

Thursday 22nd January 2004
Also not a guru, but I'll try.....

danielson

Original Poster:

407 posts

266 months

Thursday 22nd January 2004
Thanks fellas..

Right, well this is the situation, and before you all start laughing at this setup, I didn't do it, I'm merely trying to pick up the pieces..

OK, previous fella in charge of Exchange has it set up so that Domain Admins are inherited to all mailboxes and other stuff, so effectively they have the same privileges as the Exchange Admin service account!

Which is a big problem as all domain admins can, if they so choose/realise, sniff anyone's mailboxes, edit permissions etc etc

Which did happen last week and that person got the sack today, so I'm trying to prevent it happening again.

There will only be a couple of people that I want to be able to use Exchange Admin, so what is the best practice setup?

I'm one of these people, but still new to Ex Admin. I'm currently a domain admin, so don't want to remove this group until I know I can get back in..

Should I just add my own NT account and whoever else? Or should I create a group and then assign a Role Type to the group? If so, what is the best role to assign?

Hope this makes sense..

Danny.

TheHobbit

1,189 posts

268 months

Thursday 22nd January 2004
In the past I've created a group that has these "god" permissions, and then only added people to it when needed. I didn't have the need, but you could audit this to ensure it isn't abused.

danielson

Original Poster:

407 posts

266 months

Thursday 22nd January 2004
Did you create a Global group, or a local one on the Exchange server? I'm thinking if it's a global group then if other Dom Admins get wind of it they can just stick themselves into it if they chose to..
It's all very arsey I know but I need to lock this down pretty tight at the moment..

TheHobbit

1,189 posts

268 months

Thursday 22nd January 2004
I don't remember which it was.... and the only Exchange box I have now is at home to play with, so I have god rights, and if I stuff it up, I answer to me and I'm quite forgiving when it comes to me.

On this box the group is a global group, with a group type of "security"

Seriously.... if it needs securing that tightly, I'd remove that level of access. This means you'd have to log on to the server as administrator to do some things, and you can't tell which of your admins knows the password, which brings us back to a group, and auditing for the potential witch hunts.

jam1et

1,536 posts

269 months

Thursday 22nd January 2004
So you're a domain admin? Are you the main sys admin too or have you just been 'promoted' from domain admin to Exchange admin?

If you're sys admin it sounds like you need to sit down and have a careful think about who has access to what. If you're taking over from someone else as sys admin I'd check every group and user to see what rights they have and draw up a new security policy from scratch.

It's easy enough to remove rights to mailboxes.

Just go into Exchange System Manager, navigate to the mailbox store, and go into Security on the properties page.

However, if you're only a domain admin (I don't know for sure without checking and I'm not in front of my servers) you don't have full control of the mailbox and so may not be able to assign/remove security rights anyway. By default Domain Admins have R/W/E/D permissions in Exchange mailboxes; it wasn't your predecessor who set it up like that. Domain admins are pretty powerful; it sounds like you need to remove people from the domain admin account rather than change the Domain admin permissions.

TheHobbit

1,189 posts

268 months

Thursday 22nd January 2004
IIRC domain admins and enterprise admins cannot open other mailboxes, send as etc etc.... so someone must have added that on his server(s)...

jam1et

1,536 posts

269 months

Thursday 22nd January 2004
I just checked on my servers and Domain Admins are explicitly denied full control access to mailboxes in the security properties of the information store by default. This has obviously been changed on your server. So provided you are the holder of the Administrator account all you have to do is deny certain permissions for Domain Admins, e.g. deny 'full control' and 'change permissions' etc.

Just go to security of the mailbox store, click advanced and set up the correct rules for Domain admins.
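The reply above describes replacing an inherited Allow for Domain Admins on the mailbox store with an explicit Deny. The following is an added illustration, not code from this thread or from Exchange: a small Python model of how Windows evaluates a DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), run over constructed store ACLs. The group names, the right names and the ACLs are constructed for the example; it also shows the caveat the original poster was worried about, that an account still in Domain Admins is caught by the Deny even if it is also in the new Exchange admins group.

```python
from dataclasses import dataclass

# Subset of the rights shown on an Exchange 2000/2003 mailbox store Security tab.
RECEIVE_AS, SEND_AS, CHANGE_PERMS, READ = "Receive As", "Send As", "Change permissions", "Read"
FULL_CONTROL = frozenset({RECEIVE_AS, SEND_AS, CHANGE_PERMS, READ})


@dataclass(frozen=True)
class Ace:
    principal: str           # group or account the ACE applies to
    allow: bool              # True = Allow, False = Deny
    rights: frozenset        # rights this ACE grants or denies
    inherited: bool = False  # True if it came from the parent (administrative group / org)


def canonical(aces):
    """Canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def has_access(aces, memberships, wanted):
    """Walk the DACL like the access check: the first matching Deny that touches a wanted
    right refuses; matching Allows accumulate until every wanted right is covered."""
    remaining = set(wanted)
    for ace in canonical(aces):
        if ace.principal not in memberships:
            continue
        if not ace.allow and ace.rights & remaining:
            return False
        if ace.allow:
            remaining -= ace.rights
            if not remaining:
                return True
    return False


def can_open_mailboxes(aces, memberships):
    """Receive As on the store is what lets an account open every mailbox in it."""
    return has_access(aces, memberships, {RECEIVE_AS})


# Constructed ACL: the store as the poster found it, Domain Admins inheriting Full Control.
STORE_AS_FOUND = [
    Ace("Domain Admins", True, FULL_CONTROL, inherited=True),
    Ace("Exchange Domain Servers", True, FULL_CONTROL, inherited=True),
]
# Constructed ACL: the same store after the fix in the reply above, an explicit Deny for
# Domain Admins plus an explicit Allow for a small, separate Exchange admins group.
STORE_FIXED = [Ace("Domain Admins", False, FULL_CONTROL),
               Ace("Exchange Admins", True, FULL_CONTROL)] + STORE_AS_FOUND

if __name__ == "__main__":
    print(can_open_mailboxes(STORE_AS_FOUND, {"Domain Admins"}))
    print(can_open_mailboxes(STORE_FIXED, {"Domain Admins"}))
    print(can_open_mailboxes(STORE_FIXED, {"Exchange Admins"}))
    # Still in Domain Admins: the explicit Deny is evaluated before the Allow and wins.
    print(can_open_mailboxes(STORE_FIXED, {"Domain Admins", "Exchange Admins"}))
```

The last case is why the poster's own account needs to be in the new group and out of Domain Admins before relying on it for Exchange work.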

danielson

Original Poster:

407 posts

266 months

Friday 23rd January 2004
Thanks very much gents..will be doing this today..

jam1et

1,536 posts

269 months

Friday 23rd January 2004
Let us know how you get on