Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange 2003 inherit security

Posted on 2006-11-17
15
Medium Priority
?
327 Views
Last Modified: 2010-03-06
where does exchange inherit security from?  I see a bunch of security that shouldn't be in my security tab and I cannot delete it because it inherits security from a level above.  I don't not want to turn off inherit I want to fix the top level?
0
Comment
Question by:darovitz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 3
  • +1
15 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 17969349
Various places.
Org, Delegate Wizard, Domain.

First place to look is the Delegate Control Wizard.
Then look at the security tab on the Properties of the org.
You may also want to look at the domain.

Be very careful with Exchange permissions. Permissions that appear to be wrong are not and removing them can cause problems with the org. The classic case is people trying to remove the "Everyone" permission and locking themselves out of the org.

Simon.
0
 

Author Comment

by:darovitz
ID: 17969427
Ok..  I am looking more at individual users in this security.  I don't think I want them there.. expecially ones that no longer work in the organization.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17969430
Delegate Control wizard is the first place to look then.

Simon.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:darovitz
ID: 17969596
I removed the account there but there is still one of those unknown accounts showing up...
0
 

Author Comment

by:darovitz
ID: 17969612
Here is a better question.  Who is suppose to be the owner of the exchange organization.  I have a renamed account and I don't know which owener it is suppose to be now...
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17969685
The main account of the Exchange org is the one that was used to install it. I usually suggest using THE administrator account to install and then you don't get problems later on.

To get access to the org level permissions.

In ESM, right click on the Exchange org and choose Properties. You should see a security tab. If you don't, then you need to enable it.

In the registry, go to Hkey_Current_User, Software,  Microsoft, Exchange, ExAdmin.

Create a new Dword Value of "ShowSecurityPage" and give it a value of 1.

Restart ESM.

Simon.
0
 

Author Comment

by:darovitz
ID: 17969705
I see the security and the owner is an account called Justan Kace.  So I am guessing that this is the administrator account renamed.  That is what I am trying to figure out.  I hate when predessors rename system accounts and don't leave a note or something.  I actually disabled that account last week thinking it was a back door account or something.  When I saw it was the owner of exchange I decided to enable it again.  Is there anyway for me to know that it is the administrator account?  I want to rename it back to administrator if it is...
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 17970491
The administrator account is renamed through a security policy.  Go to the Domain Controllers Security Policy and open it to the Security Options object.  One of the security options is "Rename Administrator account" and you'll see it there if it's been changed.

Hope this helps!

Deb
0
 
LVL 26

Expert Comment

by:Vahik
ID: 17970924
just a simple note: renamimg account does not change its SID....for doamin admins look for SID 500

this comment should not be considered for garding since folks who commented have already given the correct answers.
0
 

Author Comment

by:darovitz
ID: 17991073
Where is the domain controllers security policy so I can find "rename administrator account".
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 17993228
You can use the Group Policy Management console, or if that's not installed, you can go to Start/Run, type mmc to create a new management console.  Then, go to Add/Remove Snap-in, and add the Group Policy snap-in. When you add the snap-in, it allows you to specify what policy you want to administer - select the Default Domain Controller policy.

Back to your original question about Exchange security.  Exchange security is set in the Exchange System Manager in the properties of the organization, site, server or information store.  This is where it is inherited from. Then, when you create a mailbox, it inherits those settings, plus the mailbox user is added with the appropriate user rights.

Hope this helps!
0
 

Author Comment

by:darovitz
ID: 17996615
Thanks hypercat but I already have the snap in.  And I know how inheritance is performed.  I just don't know where the top level is...  I have tons of accounts in my security tab.  I managed to take off one user in the delegate contrl wizard but it seems as if I have double accounts.. meaning the same accounts in there twice and a few of those s-787897-00001 (made up the number).

0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 1000 total points
ID: 17996776
I guess I wasn't clear enough - what I was trying to do was answer that question.  The top level is the Exchange organization.  So, if you open the ESM and look at the security settings on the organization object, you are looking at the top level of security for Exchange.  My guess is that various previous admins have edited settings at different levels of the organization and that's why you have such a mess.

Also, of you're not aware of this, those accounts that are showing up with just a SID and no name are usually deleted user accounts.

Deb
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One-stop solution for Exchange Administrators to address all MS Exchange Server issues, which is known by the name of Stellar Exchange Toolkit.
With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question