Solved

Best practice for Exchange Administration Delegation

Posted on 2008-10-31
3
645 Views
Last Modified: 2012-08-14
I'm reading about DST patch applied to the Exchange Server 2003 and how it can cause the mailbox store to unmount among other things. I'm reading that control should be delegated to a non-ambiguous user. I'm on the mail server where it was instructed I should go to the server, right-click and choose delegate control which brings up the Exchange Administration Delegation Wizard. The two accounts I see there are these:

<domain-name>\Administrator
<domain-name>\Backup

I have two questions. I see this entry on the MS page of unacceptable SID's:

SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.

I'm guessing this is the \Administrator account I see listed. Is it?

My other question if it is. If I remove it and assign a newly created specialized group for control and add this account to the group, will I be in the clear as far as avoiding this problem?

Oh, and is there anything else I should consider before making this move?

 
0
Comment
Question by:numb3rs1x
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 5

Expert Comment

by:madhusk
ID: 22857197
Hi,

You have 3 types of Accesses
1.Exchange Full Admistrator
2.Exchange Administrator
3.Exchange View Only Administrator.

Exchange Full Administrator will have Exchange Organisation wide full control.
Exchange Administrator role best suits for day to day operations.
Exchange View only Administrators can only view all the objects.

Regards,
Madhu
0
 
LVL 5

Expert Comment

by:madhusk
ID: 22857217
The following link gives you the best picture of the Access types.

http://www.msexchange.org/articles/Understanding-Exchange-Access-Control-Administrative-Delegation.html

Regards,
Madhu
0
 

Accepted Solution

by:
numb3rs1x earned 0 total points
ID: 22927459
I answered my own question by running the update and therefore updating the store file. My mailbox store did not unmount after I applied the update, so the domain administrator account is not one of the accounts they mention as having a generic SID.

0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question