Solved

Trying to gain control of a domain

Posted on 2004-03-27
11
491 Views
Last Modified: 2010-04-11
Hello All,
How would I go about gaining full control of Exchange, so that I can delegate control and other functions, such as moving Exchange to a new system and making modifications to global catalog lists?
The problem is this: the former senior administrator assigned himself (his account) as the top of many functions of the domain and Exchange. He also deleted his account from the system.
So now I am trying to gain control.

Some info: My account is a “Domain Admin” account. I can make many changes, so I am sure that I can get around the fact that he deleted his account, but I don’t know how.

So thank you to anyone that can help me gain control of this system.
0
11 Comments
 
LVL 8

Expert Comment

by:anil_u
ID: 10708558
Do this through Exchange System Manager.  
Go down to your Public Folder Instances and find each public folder change the permissions.
0
 
LVL 1

Author Comment

by:weguardyou
ID: 10718671
Thank you for your answers, but I am left with the fact of why can’t I delegate control of exchange to myself.  I go into the Exchange Delegation Wizard:  All that is in there is the deleted ID: example: S-1-5-21-776561741-12… and its Role is Exchange Full Administrator.
If you can provide a step by step, perhaps that would be more helpful for me.
0
 
LVL 1

Author Comment

by:weguardyou
ID: 10718729
Even in the public folders when I attempt to remove that deleted user’s system id. Example: S-1-5-21-776561741-12…  I get a security message saying I can’t remove it because it’s inheriting the permission from its parent.
That’s all good to know, but then again I don’t have the option to uncheck it from inheriting permissions in this area.  Again I am confused.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10720660
Have you tried taking ownership of the root?

Properties > Security > Advanced > Ownership
0
 
LVL 1

Author Comment

by:weguardyou
ID: 10724002
You say "take ownership of root".
Root of what?
Please elaborate more if at all possible.
0
 
LVL 2

Accepted Solution

by:
ccallison earned 500 total points
ID: 10729404
You've got a BIG problem.  Use this article to fix the problem:  

http://support.microsoft.com/default.aspx?scid=kb;en-us;296487&Product=exch2k

Once you've got control back you should, at the very least, create two new security groups - one for Exchange Full Administrators and one for Exchange View-only Administrators.  You don't even have to populate them for now.  Just open the Exchange System Manager and delegate at the top level to these two groups.  That should have been the first thing that was done the last time.

Be careful.  If your former employee was stupid enough to install Exchange using his own account instead of a service account, then you may find more fun problems later on.
0
 
LVL 1

Author Comment

by:weguardyou
ID: 10733574
That last answer was great… and helpful to a point, so I awarded the credit to you for that.
My dilemma still remains: I follow the steps as per the link from Microsoft and what I get at the end is an "error".
It says: Failed to grant permission of DOMAIN\user on this object:
/dc=com/dc=DOMAIN/cn=Configuration/cn=Service/cn=Microsoft Exchage

So I am still suck…
0
 
LVL 2

Expert Comment

by:ccallison
ID: 10736660
I don't know if you suck, but you are definitely still "stuck"! <g>

If you followed the Q-note and performed the ADSI editing as noted, you should be able to wrest control.

Are you sure that the account you are using has Schema Admin and Enterprise Admin rights?  You've GOT to have those to do this work.  You should make sure that you add your own account and the new E2K service account to those groups and let those rights replicate before performing this work.  If you have multiple DC's, are you sure that they are replicating properly?
0
 
LVL 1

Author Comment

by:weguardyou
ID: 10741147
My account has the following listed:
It’s a member of:
      Administrators, BackOffice Internet Users, Domain Admins, Domain Internet Users, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins
I am sure this should cover all the rights I should need. Yet it still does not.
I am waiting for a complete 24 hours to pass to re/try the last steps to see if that will work.
0
 
LVL 3

Expert Comment

by:cmsJustin
ID: 10793716
Is it possible that you have a deny in the Domain Users or Domain Internet Users group that is preventing you from doing certain things?
0
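An added audit script, not from this thread and not the procedure in Microsoft's KB article, that checks the points the replies above raise: unresolved (orphaned) SIDs and explicit Deny entries on the Exchange organization container, whether each is inherited, and whether the current account holds Schema Admins and Enterprise Admins. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host and the container path CN=Microsoft Exchange,CN=Services under the Configuration partition.

```powershell
# Added audit script; not part of the thread and not Microsoft's KB procedure.
# Assumptions: Windows PowerShell with the ActiveDirectory (RSAT) module on a
# domain-joined host, and an Exchange organization registered under
# CN=Microsoft Exchange,CN=Services in the Configuration partition.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$exchangeDN = "CN=Microsoft Exchange,CN=Services,$configNC"

# The AD: drive exposed by the module lets Get-Acl read directory object ACLs.
$acl = Get-Acl -Path "AD:\$exchangeDN"
Write-Host "Owner of $exchangeDN : $($acl.Owner)"

$findings = foreach ($ace in $acl.Access) {
    $trustee = $ace.IdentityReference.Value
    # A trustee still shown as a raw domain SID could not be resolved to an
    # account; that is what a deleted administrator's ACE looks like.
    $orphaned = $trustee -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
    $deny     = $ace.AccessControlType -eq 'Deny'
    if ($orphaned -or $deny) {
        [pscustomobject]@{
            Trustee   = $trustee
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            # An inherited ACE cannot be removed on this object; it has to be
            # fixed on the parent (or inheritance broken), which matches the
            # error the author hit in the public folder tree.
            Inherited = $ace.IsInherited
            Problem   = $(if ($orphaned) { 'Unresolved SID (deleted principal)' } else { 'Explicit Deny' })
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No orphaned or Deny ACEs on the Exchange container.'
}

# The accepted answer says Schema Admins and Enterprise Admins are required for
# the repair; report whether the current logon token actually carries them.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $token.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
foreach ($required in 'Schema Admins', 'Enterprise Admins') {
    $has = $groups -match "\\$required$"
    $state = if ($has) { 'present' } else { 'MISSING in token (re-logon after adding)' }
    Write-Host ("{0,-17}: {1}" -f $required, $state)
}
```

Group membership added in AD does not appear in an existing logon token, so a fresh logon (after replication) is needed before the membership check reports it as present.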
