Solved

Exchange 2003 inherit security

Posted on 2006-11-17
Last Modified: 2010-03-06
Where does Exchange inherit security from?  I see a bunch of security that shouldn't be in my security tab and I cannot delete it because it inherits security from a level above.  I do not want to turn off inherit; I want to fix the top level.
Question by:darovitz
15 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 17969349
Various places.
Org, Delegate Wizard, Domain.

First place to look is the Delegate Control Wizard.
Then look at the security tab on the Properties of the org.
You may also want to look at the domain.

Be very careful with Exchange permissions. Permissions that appear to be wrong are not and removing them can cause problems with the org. The classic case is people trying to remove the "Everyone" permission and locking themselves out of the org.

Simon.
0
 

Author Comment

by:darovitz
ID: 17969427
Ok..  I am looking more at individual users in this security.  I don't think I want them there.. especially ones that no longer work in the organization.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17969430
Delegate Control wizard is the first place to look then.

Simon.
0
 

Author Comment

by:darovitz
ID: 17969596
I removed the account there but there is still one of those unknown accounts showing up...
0
 

Author Comment

by:darovitz
ID: 17969612
Here is a better question.  Who is supposed to be the owner of the Exchange organization?  I have a renamed account and I don't know which owner it is supposed to be now...
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17969685
The main account of the Exchange org is the one that was used to install it. I usually suggest using THE administrator account to install and then you don't get problems later on.

To get access to the org level permissions.

In ESM, right click on the Exchange org and choose Properties. You should see a security tab. If you don't, then you need to enable it.

In the registry, go to Hkey_Current_User, Software, Microsoft, Exchange, ExAdmin.

Create a new DWORD Value of "ShowSecurityPage" and give it a value of 1.

Restart ESM.

Simon.
0

 

Author Comment

by:darovitz
ID: 17969705
I see the security and the owner is an account called Justan Kace.  So I am guessing that this is the administrator account renamed.  That is what I am trying to figure out.  I hate when predecessors rename system accounts and don't leave a note or something.  I actually disabled that account last week thinking it was a back door account or something.  When I saw it was the owner of Exchange I decided to enable it again.  Is there any way for me to know that it is the administrator account?  I want to rename it back to administrator if it is...
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 17970491
The administrator account is renamed through a security policy.  Go to the Domain Controllers Security Policy and open it to the Security Options object.  One of the security options is "Rename Administrator account" and you'll see it there if it's been changed.

Hope this helps!

Deb
0
 
LVL 26

Expert Comment

by:Vahik
ID: 17970924
Just a simple note: renaming an account does not change its SID.... For domain admins look for SID 500.

This comment should not be considered for grading since folks who commented have already given the correct answers.
0
 

Author Comment

by:darovitz
ID: 17991073
Where is the domain controllers security policy so I can find "rename administrator account"?
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 17993228
You can use the Group Policy Management console, or if that's not installed, you can go to Start/Run, type mmc to create a new management console.  Then, go to Add/Remove Snap-in, and add the Group Policy snap-in. When you add the snap-in, it allows you to specify what policy you want to administer - select the Default Domain Controller policy.

Back to your original question about Exchange security.  Exchange security is set in the Exchange System Manager in the properties of the organization, site, server or information store.  This is where it is inherited from. Then, when you create a mailbox, it inherits those settings, plus the mailbox user is added with the appropriate user rights.

Hope this helps!
0
 

Author Comment

by:darovitz
ID: 17996615
Thanks hypercat but I already have the snap-in.  And I know how inheritance is performed.  I just don't know where the top level is...  I have tons of accounts in my security tab.  I managed to take off one user in the delegate control wizard but it seems as if I have double accounts.. meaning the same accounts in there twice and a few of those s-787897-00001 (made up the number).

0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 250 total points
ID: 17996776
I guess I wasn't clear enough - what I was trying to do was answer that question.  The top level is the Exchange organization.  So, if you open the ESM and look at the security settings on the organization object, you are looking at the top level of security for Exchange.  My guess is that various previous admins have edited settings at different levels of the organization and that's why you have such a mess.

Also, if you're not aware of this, those accounts that are showing up with just a SID and no name are usually deleted user accounts.

Deb
0
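Added example, not written by any poster in this thread: a read-only PowerShell audit that ties together two points made above, Vahik's note that a renamed Administrator keeps the SID ending in 500, and Deb's note that SID-only entries are usually deleted accounts. It assumes a domain-joined machine, a logon with a domain account that can read the configuration partition, and that the Exchange organization object sits under CN=Microsoft Exchange,CN=Services in that partition; the function name Resolve-SidName is hypothetical.

```powershell
# Read-only audit: nothing here modifies the directory.
$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

function Resolve-SidName($sid) {
    # DOMAIN\name, or $null when the SID cannot be translated (typically a deleted account)
    try { $sid.Translate($ntType).Value } catch { $null }
}

# 1. Built-in Administrator = domain SID + RID 500, whatever the account is called today.
#    Assumption: the current logon is a domain account, so its SID carries the domain SID.
$domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
$wellKnown = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $wellKnown, $domainSid
"Built-in Administrator: $($adminSid.Value) -> $(Resolve-SidName $adminSid)"

# 2. Locate the Exchange organization object in the configuration partition.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$searcher.Filter      = "(objectClass=msExchOrganizationContainer)"
$searcher.SearchScope = "OneLevel"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No Exchange organization object found in the configuration partition" }
$acl = $hit.GetDirectoryEntry().psbase.ObjectSecurity

# 3. Owner of the organization object, by SID and by current name.
$ownerSid = $acl.GetOwner($sidType)
"Owner: $($ownerSid.Value) -> $(Resolve-SidName $ownerSid)"
if ($ownerSid.Equals($adminSid)) { "Owner is the built-in Administrator (RID 500)" }

# 4. Every ACE on the object, with its inheritance flag and unresolved SIDs marked.
$acl.GetAccessRules($true, $true, $sidType) | ForEach-Object {
    $name = Resolve-SidName $_.IdentityReference
    if (-not $name) { $name = "UNRESOLVED $($_.IdentityReference.Value)" }
    New-Object PSObject -Property @{
        Trustee   = $name
        Inherited = $_.IsInherited
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
    }
} | Sort-Object Inherited, Trustee | Format-Table Trustee, Inherited, Type, Rights -AutoSize
```

Rows with Inherited = False are set on the organization object itself; rows with Inherited = True come from a parent container and have to be traced there.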
