?
Solved

Exchange 2003 inherit security

Posted on 2006-11-17
15
Medium Priority
?
321 Views
Last Modified: 2010-03-06
where does exchange inherit security from?  I see a bunch of security that shouldn't be in my security tab and I cannot delete it because it inherits security from a level above.  I don't not want to turn off inherit I want to fix the top level?
0
Comment
Question by:darovitz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 3
  • +1
15 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 17969349
Various places.
Org, Delegate Wizard, Domain.

First place to look is the Delegate Control Wizard.
Then look at the security tab on the Properties of the org.
You may also want to look at the domain.

Be very careful with Exchange permissions. Permissions that appear to be wrong are not and removing them can cause problems with the org. The classic case is people trying to remove the "Everyone" permission and locking themselves out of the org.

Simon.
0
 

Author Comment

by:darovitz
ID: 17969427
Ok..  I am looking more at individual users in this security.  I don't think I want them there.. expecially ones that no longer work in the organization.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17969430
Delegate Control wizard is the first place to look then.

Simon.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:darovitz
ID: 17969596
I removed the account there but there is still one of those unknown accounts showing up...
0
 

Author Comment

by:darovitz
ID: 17969612
Here is a better question.  Who is suppose to be the owner of the exchange organization.  I have a renamed account and I don't know which owener it is suppose to be now...
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17969685
The main account of the Exchange org is the one that was used to install it. I usually suggest using THE administrator account to install and then you don't get problems later on.

To get access to the org level permissions.

In ESM, right click on the Exchange org and choose Properties. You should see a security tab. If you don't, then you need to enable it.

In the registry, go to Hkey_Current_User, Software,  Microsoft, Exchange, ExAdmin.

Create a new Dword Value of "ShowSecurityPage" and give it a value of 1.

Restart ESM.

Simon.
0
 

Author Comment

by:darovitz
ID: 17969705
I see the security and the owner is an account called Justan Kace.  So I am guessing that this is the administrator account renamed.  That is what I am trying to figure out.  I hate when predessors rename system accounts and don't leave a note or something.  I actually disabled that account last week thinking it was a back door account or something.  When I saw it was the owner of exchange I decided to enable it again.  Is there anyway for me to know that it is the administrator account?  I want to rename it back to administrator if it is...
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 17970491
The administrator account is renamed through a security policy.  Go to the Domain Controllers Security Policy and open it to the Security Options object.  One of the security options is "Rename Administrator account" and you'll see it there if it's been changed.

Hope this helps!

Deb
0
 
LVL 26

Expert Comment

by:Vahik
ID: 17970924
just a simple note: renamimg account does not change its SID....for doamin admins look for SID 500

this comment should not be considered for garding since folks who commented have already given the correct answers.
0
 

Author Comment

by:darovitz
ID: 17991073
Where is the domain controllers security policy so I can find "rename administrator account".
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 17993228
You can use the Group Policy Management console, or if that's not installed, you can go to Start/Run, type mmc to create a new management console.  Then, go to Add/Remove Snap-in, and add the Group Policy snap-in. When you add the snap-in, it allows you to specify what policy you want to administer - select the Default Domain Controller policy.

Back to your original question about Exchange security.  Exchange security is set in the Exchange System Manager in the properties of the organization, site, server or information store.  This is where it is inherited from. Then, when you create a mailbox, it inherits those settings, plus the mailbox user is added with the appropriate user rights.

Hope this helps!
0
 

Author Comment

by:darovitz
ID: 17996615
Thanks hypercat but I already have the snap in.  And I know how inheritance is performed.  I just don't know where the top level is...  I have tons of accounts in my security tab.  I managed to take off one user in the delegate contrl wizard but it seems as if I have double accounts.. meaning the same accounts in there twice and a few of those s-787897-00001 (made up the number).

0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 1000 total points
ID: 17996776
I guess I wasn't clear enough - what I was trying to do was answer that question.  The top level is the Exchange organization.  So, if you open the ESM and look at the security settings on the organization object, you are looking at the top level of security for Exchange.  My guess is that various previous admins have edited settings at different levels of the organization and that's why you have such a mess.

Also, of you're not aware of this, those accounts that are showing up with just a SID and no name are usually deleted user accounts.

Deb
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question