-Juddy- (United Kingdom) asked:
Exchange 2007 Best Practice results

I have run a Best Practice report on our Exchange 2007 Server and need a little help with the results.

Write DACL inherit (group)
The Write DACL inherit (group) right for the Exchange Enterprise Servers group should be removed from the root of the domain.

I have followed the link (Removing the last legacy server) and as I no longer have an Exchange 2003 server, I cannot follow most of the instructions.  I have run ADSIEDIT.MSC and the Recipient Update Service entry is not present. So I guess I need to run this command: Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

But from where, my Domain Controller or from the Exchange 2007 server?  I have three Exchange related objects in my Active Directory, are these valid?

Exchange Domain Servers        Security Group-Global
Exchange Enterprise Server     Security Group-Global
Exchange Server                      User
Steven Wells (Australia):

You should be running that on your exchange server.
Those objects are ok.
Run the command from exchange shell and then re-run bpa.
Manpreet Singh Khatra:
EDS and EES are for the legacy servers and the Exchange Servers group is the Exchange 2007 group, and it's fine to run the command, but just make sure if it's ES or for EDS and EES.
We have to run the command from the Exchange 2007 server
-Juddy- (ASKER):
Ok, so I'll run this from the Exc 2007 server Powershell:

Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

Just so I'm sure of the exact syntax:

dc=<domain> will change to dc=my.domain.com

Any other changes I need to make to that command line?
Nope. PowerShell will tell you if there is a syntax error.
-Juddy- (ASKER):
Actually, DC means Domain Controller not Domain, so I guess I'd put it dc=domaincontrollername, yes?
it would be the DN of your domain that you would get from ADSIEDIT
Sorry,
Correct syntax is
Remove-ADPermission "dc=<domain>,dc=<com>" -user "<domain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

-Juddy- (ASKER):
Right.  Must be getting the syntax wrong.  I type:

Remove-ADPermission "dc=<my-domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

I get:

Remove-ADPermission : dc=<my-domain> was not found. Please make sure you
have typed it correctly.
At line:1 char:20
+ Remove-ADPermission  <<<< "dc=<my-domain>" -user "<RootDomain>\Exchange
 Servers" -AccessRights WriteDACL -InheritedObjectType Group
-Juddy- (ASKER):

That's the article I was referring to.

So if :

Remove-ADPermission "dc=<domain>,dc=<com>" -user "<domain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

Is the correct syntax, which entries do I need to change other than the dc=domain part? Do I still need the <> around the entry as well?
Everything else is fine
So we have to run the command for ES.
-Juddy- (ASKER):
Still failed. This is what I enter:

Remove-ADPermission "dc=<my-domain>,dc=<com>" -user "<domain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

This is the error:  

Remove-ADPermission : dc=<my-domain>,dc=<com> was not found. Please make
sure you have typed it correctly.
At line:1 char:20
+ Remove-ADPermission  <<<< "dc=<my-domain>,dc=<com>" -user "<domain>\
Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

 I know it's obvious, but I'm not typing My-Domain, I am putting in the name as per ADSIEDIT.MSC!
It would be Exchange Servers and not EES or EDS

Remove-ADPermission "dc=<Domain>,dc=com" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group
Try without the dc part
So: remove-adpermissions -user domain\exchange servers -accessrights writedacl -inheratedobjecttype group

-Juddy- (ASKER):
I enter this:

remove-adpermission -user domain\exchange servers -accessrights writedacl -inheratedobjecttype group

(I removed the s from adpermissions) and I get this:

Remove-ADPermission : A parameter cannot be found that matches parameter name '
inheratedobjecttype'.
At line:1 char:95
+ remove-adpermission -user domain\exchange servers -accessrights writedacl -in
heratedobjecttype  <<<< group
Had a typo: it should be -InheritedObjectType Group.
The parameter is
-InheritedObjectType
-Juddy- (ASKER):

Now I have a missing parameter.

I enter this:

remove-adpermission -user domain\exchange servers -accessrights writedacl -InheritedObjectType

And I get:

Remove-ADPermission : Missing an argument for parameter 'InheritedObjectType'.
Specify a parameter of type 'Microsoft.Exchange.Configuration.Tasks.ADSchemaObj
ectIdParameter' and try again.
At line:1 char:94
+ remove-adpermission -user domain\exchange servers -accessrights writedacl -In
heritedObjectType <<<<
You missed the "group" off the end.
-Juddy- (ASKER):
So I did.  I now get this:

Remove-ADPermission : There are multiple objects matching the identity "servers
". Please specify an unique value.
At line:1 char:20
+ remove-adpermission  <<<< -user domain\exchange servers -accessrights writeda
cl -InheritedObjectType group

Do I need to replace the 'exchange servers ' entry with something else?
Can you put the "Exchange Servers" part in double quotes?
-Juddy- (ASKER):
I enter:

remove-adpermission -user domain\"exchange servers" -accessrights writedacl -InheritedObjectType group

I get the following:

cmdlet remove-adpermission at command pipeline position 1
Supply values for the following parameters:
Identity:

And it's waiting for an answer.
After the Remove-ADPermission we are not putting the "dc=<Domain>".
Try this:

remove-adpermission "dc=domain,dc=local" -user "domain\exchange servers" -accessrights writedacl -InheritedObjectType Group
-Juddy- (ASKER):

Sorry guys, but I'm getting a bit mixed up with having six different commands to enter. StevenWells, what is the exact command I should be entering please? Cheers guys.
You should be able to do this:

remove-adpermission "dc=microsoft,dc=com" -user "microsoft\exchange servers" -accessrights writedacl -InheritedObjectType Group

Obviously replace microsoft with your domain and com with local or whatever your full domain name is,

so if your domain is called mydomain.co.uk,

the dc command part will be

"dc=mydomain,dc=co,dc=uk" and so on.

You will then be prompted "are you sure". Click Yes to continue.

I have just tried this on my test domain and the syntax is correct.

If you get the error "cannot remove ACE because it's not present", then you don't need to run this command.
Remember, you won't break Exchange!

Steve
-Juddy- (ASKER):
It failed:

Remove-ADPermission : User or group "microsoft\exchange servers" was not found.
 Please make sure you have typed it correctly.
At line:1 char:20
+ remove-adpermission  <<<< "dc=jumar-solutions,dc=com" -user "microsoft\exchan
ge servers" -accessrights writedacl -InheritedObjectType Group

I have three Exchange objects in my AD:

Exchange Domain Servers (security group)
Exchange Enterprise Servers  (security group)
ExchangeServer (this is a user)

Do I have to change the microsoft\exchange servers entry?
Yes, it would be your domain name.
Yes. Change to "jumar\Exchange Servers".
Hello, we don't want the "Exchange Server" user; instead there is a group in the Microsoft Exchange Security Groups container in ADUC which is named "Exchange Servers".
The command is correct. Don't worry about the Exchange Server user comment. The command specifies the group.
-Juddy- (ASKER):
I ran it, and selected yes:

Remove-ADPermission : Cannot remove ACE on object "DC=my-domain,DC=com" f
or account "domain\Exchange Servers" because it is not present.
At line:1 char:20
+ remove-adpermission  <<<< "dc=my.domain,dc=com" -user "domain\exchange s
ervers" -accessrights writedacl -InheritedObjectType Group

If this is not present, then why does the Best Practices Report tell me to remove it, Steven?
Hi,

As the Best Practice Analyser says it is the

Exchange Enterprise Servers

group, the command should be

remove-adpermission "dc=jumar-solutions,dc=com" -user "jumar\exchange enterprise servers" -accessrights writedacl -InheritedObjectType Group

The Microsoft page has some errors.

Actually, I would hold off running that command.

To clarify,

I am trying to find examples of the command using "exchange enterprise servers".
The information provided is not clear on which command to use. The TechNet article has been cited as having some errors and I wonder if the best practice tool is not updating.

I am considering posting a question on EE to see if other people can provide information.

I have checked my permissions on my migration and that comment is still there when I run the BPA again and my server has been working for months so it's not critical to operations.

Let me get back to you with concrete answers.

Thanks for your patience.

Steve
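As an added example (not from this thread, the TechNet article or Microsoft), the following checks whether the ACE the BPA reports is actually present on the domain root before anything is removed, for both group names mentioned above ("Exchange Servers" and "Exchange Enterprise Servers"), and previews the removal with -WhatIf. It assumes the Exchange 2007 Management Shell on a domain-joined server and that $env:USERDOMAIN holds the NetBIOS domain name (constructed assumptions).

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Nothing is changed unless -WhatIf is removed from the Remove-ADPermission call.

# 1. Resolve the domain root DN from RootDSE instead of typing "dc=..." by hand.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext   # e.g. DC=example,DC=com (constructed)
$netbios  = $env:USERDOMAIN                          # NetBIOS name used as "<domain>\<group>" (assumption)

# 2. Both group names discussed in the thread; the BPA text names "Exchange Enterprise Servers".
$groups = @("Exchange Enterprise Servers", "Exchange Servers")

foreach ($g in $groups) {
    $account = "$netbios\$g"

    # Get-ADPermission lists the ACEs on the domain root; keep only allow ACEs for this
    # account that grant WriteDacl and are scoped to inherit onto Group objects.
    $aces = Get-ADPermission -Identity $domainDn | Where-Object {
        ([string]$_.User) -eq $account -and
        (-not $_.Deny) -and
        ("$($_.AccessRights)" -match "WriteDacl") -and
        ([string]$_.InheritedObjectType) -eq "Group"
    }

    if ($aces) {
        Write-Host "Found WriteDacl (inherit: Group) for $account on $domainDn"
        $aces | Format-List User, AccessRights, InheritedObjectType, IsInherited, Deny

        # 3. Preview only. Drop -WhatIf to apply; the cmdlet still asks for confirmation.
        Remove-ADPermission -Identity $domainDn -User $account `
            -AccessRights WriteDacl -InheritedObjectType Group -WhatIf
    }
    else {
        # Matches the "Cannot remove ACE ... because it is not present" error seen above.
        Write-Host "No matching ACE for $account on $domainDn; nothing to remove."
    }
}
```

If neither group produces a match, the BPA warning is not backed by an ACE on the domain root and the removal command has nothing to act on.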
-Juddy- (ASKER):

I appreciate your help, Steven. One other question: my Exchange Server is a Global Catalogue Server and BPA has said that's not ideal. Your thoughts?
Ideally it's not good to run Exchange on a domain controller, but it does run OK. It's more from a security point of view.
It also depends on budget etc. If you only have two servers and one of them is Exchange, then it's probably a good idea to run Active Directory for failover.

The main reason is security, but another could be performance depending on your load and number of users.

BTW, I haven't had any responses on my question about which command to run. To be honest, I would just leave it as is. As mentioned before, I still have that setting on my domain with no effects.

It's up to you. If I get a response back, I will update you.
-Juddy- (ASKER):

The results of my best practice scan don't really concern me too much.

I have the writedacl issue you have been so kindly dealing with.
Exchange resident on a global catalog server
Windows Firewall is enabled
Outlook connection range
Microsoft filter pack not enabled

I am not really concerned about these; the AD can stay on the Exchange Server as it's taken me weeks to get it working nicely and I don't want to do anything major with it! Mail is sending / receiving nicely so the firewall is not a problem, and we all use Outlook 2007. I'm not so sure what the MS Filter Pack will do for me though, any thoughts?
ASKER CERTIFIED SOLUTION (Steven Wells)

-Juddy- (ASKER):
It all seems fine, so I'll leave well alone, I think. Many thanks for your help; if you do find an answer to the problem you have been helping me with:

stevanjudd@gmail.com

All the best.
-Juddy- (ASKER):
It worked!! Cheers for all the time you have put into this, Steven; it's appreciated.