sfeder11554
asked on
LDAP Query against local administrators on a computer in a domain
I am trying to use admodify.net to remove the local administrators group on a server (not a DC) called j-f-mmas1 from the access list on another users email account. (There is a deny permission present which is causing grief and by removing that servers administrator group from the mailbox rights list altogether I would remove the deny permission.)
I can get the ldap listing for the computer itself, but admodify does not go further than that. There is an option for a specific ldap query but I am not sure what variables would be used against the local administrators on a server within the domain. Again I am trying to do this against the ADMINSTRATOR GROUP on that server, not the administrator itself.
PS - Since these rights are under the advanced exchange setting of mailbox rights it is not present under the security tab and it can not be reached by adsiedit. These rights are inherited but going up the list in AD or in RUS or ESM has yielded NO parent source.
Thank you.
I can get the ldap listing for the computer itself, but admodify does not go further than that. There is an option for a specific ldap query but I am not sure what variables would be used against the local administrators on a server within the domain. Again I am trying to do this against the ADMINSTRATOR GROUP on that server, not the administrator itself.
PS - Since these rights are under the advanced exchange setting of mailbox rights it is not present under the security tab and it can not be reached by adsiedit. These rights are inherited but going up the list in AD or in RUS or ESM has yielded NO parent source.
Thank you.
You might find what you're looking for in AD Users and Computers. Right click on Microsoft Exchange Security Groups (or Microsoft Exchange System Objects) in the tree and get properties and look at the security tab. If you see the group you're looking for in there (and it may be a domain local group, but it wouldn't be a machine local group) you can either change the permissions there or, if you click on the advanced button, see where it's inherited from.
You may need to go all the way up to the root of the domain and get security properties there. Make sure you document any changes you make in case you need to reverse them.
You may need to go all the way up to the root of the domain and get security properties there. Make sure you document any changes you make in case you need to reverse them.
ASKER
Good Idea - Picture is worth a thousand words - fourth item down.
j-f-mmas-deny.pdf
j-f-mmas-deny.pdf
What object are these the security permissions for?
You see it's inherited from the parent item. You have to keep going up the tree to see where it actually gets that permission from.
You see it's inherited from the parent item. You have to keep going up the tree to see where it actually gets that permission from.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Can you give us a screen print of where you're seeing these permissions?