• Status: Solved

Exchange 2003 inherit security

Where does Exchange inherit security from?  I see a bunch of security that shouldn't be in my security tab and I cannot delete it because it inherits security from a level above.  I don't want to turn off inheritance; I want to fix the top level.
Asked by: darovitz
 
Sembee Commented:
Various places.
Org, Delegate Wizard, Domain.

First place to look is the Delegate Control Wizard.
Then look at the security tab on the Properties of the org.
You may also want to look at the domain.

Be very careful with Exchange permissions. Permissions that appear to be wrong are not and removing them can cause problems with the org. The classic case is people trying to remove the "Everyone" permission and locking themselves out of the org.

Simon.
 
darovitz (Author) Commented:
OK. I am looking more at individual users in this security.  I don't think I want them there, especially ones that no longer work in the organization.
 
Sembee Commented:
Delegate Control wizard is the first place to look then.

Simon.
 
darovitz (Author) Commented:
I removed the account there but there is still one of those unknown accounts showing up...
 
darovitz (Author) Commented:
Here is a better question.  Who is supposed to be the owner of the Exchange organization?  I have a renamed account and I don't know which owner it is supposed to be now...
 
Sembee Commented:
The main account of the Exchange org is the one that was used to install it. I usually suggest using THE administrator account to install and then you don't get problems later on.

To get access to the org level permissions.

In ESM, right click on the Exchange org and choose Properties. You should see a security tab. If you don't, then you need to enable it.

In the registry, go to HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin.

Create a new DWORD value named "ShowSecurityPage" and give it a value of 1.

Restart ESM.

Simon.
 
darovitz (Author) Commented:
I see the security and the owner is an account called Justan Kace.  So I am guessing that this is the administrator account renamed.  That is what I am trying to figure out.  I hate when predecessors rename system accounts and don't leave a note or something.  I actually disabled that account last week thinking it was a back door account or something.  When I saw it was the owner of Exchange I decided to enable it again.  Is there any way for me to know that it is the administrator account?  I want to rename it back to administrator if it is...
 
Hypercat (Deb) Commented:
The administrator account is renamed through a security policy.  Go to the Domain Controllers Security Policy and open it to the Security Options object.  One of the security options is "Rename Administrator account" and you'll see it there if it's been changed.

Hope this helps!

Deb
 
Vahik Commented:
Just a simple note: renaming an account does not change its SID... for domain admins look for SID 500.

This comment should not be considered for grading since folks who commented have already given the correct answers.
 
darovitz (Author) Commented:
Where is the domain controllers security policy so I can find "rename administrator account"?
 
Hypercat (Deb) Commented:
You can use the Group Policy Management console, or if that's not installed, you can go to Start/Run, type mmc to create a new management console.  Then, go to Add/Remove Snap-in, and add the Group Policy snap-in. When you add the snap-in, it allows you to specify what policy you want to administer - select the Default Domain Controller policy.

Back to your original question about Exchange security.  Exchange security is set in the Exchange System Manager in the properties of the organization, site, server or information store.  This is where it is inherited from. Then, when you create a mailbox, it inherits those settings, plus the mailbox user is added with the appropriate user rights.

Hope this helps!
 
darovitz (Author) Commented:
Thanks hypercat, but I already have the snap-in.  And I know how inheritance is performed.  I just don't know where the top level is...  I have tons of accounts in my security tab.  I managed to take off one user in the Delegate Control wizard but it seems as if I have double accounts, meaning the same accounts in there twice and a few of those s-787897-00001 (made up the number).

 
Hypercat (Deb) Commented:
I guess I wasn't clear enough - what I was trying to do was answer that question.  The top level is the Exchange organization.  So, if you open the ESM and look at the security settings on the organization object, you are looking at the top level of security for Exchange.  My guess is that various previous admins have edited settings at different levels of the organization and that's why you have such a mess.

Also, if you're not aware of this, those accounts that are showing up with just a SID and no name are usually deleted user accounts.

Deb
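
Added example, not part of the thread and not any participant's code: a read-only PowerShell audit of the points raised above. It lists the owner and every ACE on the Exchange organization object, marks each as explicit or inherited, and flags SIDs that no longer resolve and the RID 500 account. It assumes the ActiveDirectory module is available and that the organization object sits under CN=Microsoft Exchange,CN=Services in the Configuration partition; Resolve-Trustee is a helper name defined here.

```powershell
# Added example: read-only audit of the ACL on the Exchange organization object.
# Assumption: the ActiveDirectory module is available and the account running
# this can read the Configuration partition. Nothing here modifies permissions.
Import-Module ActiveDirectory

$sidType  = [System.Security.Principal.SecurityIdentifier]
$configNC = (Get-ADRootDSE).configurationNamingContext

# The organization object sits directly under CN=Microsoft Exchange,CN=Services.
$search = @{
    SearchBase  = "CN=Microsoft Exchange,CN=Services,$configNC"
    SearchScope = 'OneLevel'
    LDAPFilter  = '(objectClass=msExchOrganizationContainer)'
}
$org = Get-ADObject @search

function Resolve-Trustee {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # A SID that no longer translates to a name shows up as a bare S-1-5-... entry.
    try   { $name = $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $null }
    [pscustomobject]@{
        Sid          = $Sid.Value
        Name         = $name
        Unresolved   = ($null -eq $name)
        # RID 500 is the built-in Administrator, whatever it has been renamed to.
        BuiltinAdmin = ($Sid.Value -match '^S-1-5-21-\d+-\d+-\d+-500$')
    }
}

foreach ($o in $org) {
    $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
    Write-Host "Object: $($o.DistinguishedName)"
    Write-Host "Owner:"
    Resolve-Trustee ($acl.GetOwner($sidType)) | Format-List

    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $acl.GetAccessRules($true, $true, $sidType) | ForEach-Object {
        $t = Resolve-Trustee $_.IdentityReference
        [pscustomobject]@{
            Trustee      = if ($t.Name) { $t.Name } else { $t.Sid }
            Unresolved   = $t.Unresolved
            BuiltinAdmin = $t.BuiltinAdmin
            Inherited    = $_.IsInherited
            Access       = $_.AccessControlType
            Rights       = $_.ActiveDirectoryRights
        }
    } | Sort-Object Inherited, Trustee | Format-Table -AutoSize -Wrap
}
```

Rows with Inherited = True are defined on a parent container and have to be corrected there; rows with Inherited = False are set on the organization object itself.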
Question has a verified solution.
