We help IT Professionals succeed at work.

Exchange Permissions Inherrited to First Organizaion?

whoam asked
I went to take an admin out of the change Organization in the EMC.  Says her permissions are inherited from parent object.  Where is the parent to the organization, or more specifically how do I do this?  I tried using the Administration Delegation Wizard for exchange, but selecting her, then choosing REMOVE or EDIT gets me "Failed to remove permission from domain\user on this object:" and "The delegation wizard could not grant/change permissions for: Domain/user."
Watch Question

Top Expert 2010

On Exchange Management Shell execute this cmdlet
Remove-ExchangeAdministrator –Identity User1 –Role ViewOnlyAdmin

More details here

Go to Active Directory Users & Computers. Check for the Microsoft Exchange Security Group.
Inside that group you will find the following Security Groups.
Exchange Organization Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
Exchange Servers

Click on each group -> properties -> Members.
Remove the account that you do not want to have permissions on the Exchange Server.
This should work for you.


Sunnyc7, this is exchange 2003, didn't see how i could follow your guidance here.

AshwinRaj111, in ADUC I don't see the mentioned security groups, don't know if you're also thinking Exch 2007.

Another note, this is a 2003 domain.
SInce you have mentioned it as EMC (Exchange Management Console) we thought it would be Exchange 2007.
Since it is Exchange 2003, from ADUC -> Users Container -> Exchange Domain Servers -> Check for this user is a member of that Secuirty Group. Remove it.


No, she's not there.  She's not an Exchange Admins member either (in ADUC).  
OK in this case check from where this person has the Permission Inherited from.

Open the ADSIEDIT.

In the Configuration Partition -> Navigate to the Exchange 2003 Server Object.

Right Click on the Server Object -> Properties -> Security Tab -> Advanced Tab -> Check the User Name is the List -> Next to the User Name there would be another Field Called Inherited From.
Check for where this user has his permission Inherited From.
You will have to go the that container and then remove the user from the Security Tab.

Most of the time this user would be given the permission on the Exchange Server Organization Level.
Top Expert 2010
Check this. this might solve your problem.

Give yourself rights in ADSIEdit to run the tool and then run Administration Delegation Wizard again.

Open ADSIEdit.
Expand CN=Configuration-CN=Services, right-click CN=Microsoft Exchange, and then click Properties.

Click the Security tab, and then click Add.
In the Select Users window, select the SYSTEM account, click Add, and then click OK.
Assign System Full Control access, and then click OK to close this window.

In ADSIEdit,
CN=Domain expand CN=Microsoft Exchange, right-click the Organization Name, and then click Properties.
Assign System Full Control at this level also, and then quit ADSIEdit.


AshwinRaj111- Inherited from -> CN=MICROSOFT EXCHANGE,CN=SERVICES,CN=CONFIGURATION,DC=DOMAIN,DC-COM.  Went there, went into advance security, removed her.  Went back to Exchange System Mgr. and Exchange Administration Delegation Wizard.  Chose to remove her.  First message -> THE USER OR GROUP YOU HAVE SELECTED HAS BEEN GRANTED OR DENIED OTHER RIGHTS.  DO YOU WISH TO CONTINUE TO REMOVE ALL RIGHTS ASSOCIATED WITH THIS USER OR GROUP?  Chose yes.  When wizard completes -> FAILED TO REMOVE PERMISSIONS FORM DOMAIN\USER ON THIS OBJECT: /DC=COM/DC=DOMAIN/CN=CONFIGURATION.  Clicked OK.  Message popped up -> THE DELEGATION WIZARD COULD NOT GRANT/CHANGE PERMISSIONS FOR: DOMAIN\USER.  Back to ADSI edit, user has reappeared.  Still says Inherited From is <not inherited>.  Looked at owner of object, was SID, replaced it with administrators group.  Used replmon to push out change.  Checked ADSI edit perms, she was still gone.  Went back to System Manager, she was there in First Org permissions, but only special permissions.  Checked advanced perms, she had receive as and send as perms.  I removed those entries.  Went back to Exchange Admin Delegation Wizard, she is still there listed as Exchange Full Administrator (customized).  Attempted to remove her.  Got the same error, starting with FAILED  TO REMOVE PERMISSION FROM DOMAIN\USER ON THIS OBJECT: /DC=COM/DC=DOMAIN/CN=CONFIGURATION.  Then she was back in all security permission entries.  So, I’m back to ADSIedit, remove her, then let it sit, hoping that she will disappear as propagation happens.


sunnyc7 - your suggestion made me look at my own perms more closely.  Duh, I didn't have full Exchange Admin rights.  I granted myself these then all was well.  Makes me wonder if it all wouldn't have worked if this had been done to begin with.  Thanks all!
Top Expert 2010

You're welcome. :-)