• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 397
  • Last Modified:

Certian security operations fail in exchange 2010 if the user account is an adminstrator

Certian security operations fail in exchange 2010 if the user account is an adminstrator.
For example the user will not be able to view a shared calendar or a shared mailbox even when the permission are correct.  Yet a regular user with the same permissions the these items can view them fine.
Is there a way arround this?
  • 7
  • 4
1 Solution
mattolanAuthor Commented:
this would be in line with what I found, I'm not sure what to do about it other than force our administrators, (myself included) to use a non admin level account for email and thier local computer work
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

You can disable it also.
mattolanAuthor Commented:
how do I do that?
Method 2: Enable inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, all members of the protected groups have inherited permissions enabled. In terms of security functionality, this method reverts the behavior of the adminSDHolder container back to the pre-Service Pack 4 functionality.
Enabling inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.

To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.

You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:
Right-click the container, and then click Properties.
Click the Security tab.
Click Advanced.
Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box .
Click OK, and then click Close.
The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
Back to the top
Method 3: Avoid inheritance and only change ACLs
If you do not want users who are members of Protected Groups to inherit permissions from the container that the users reside in, and you only want to change the security on the user objects, you can edit the security on the adminSDHolder container directory. In this scenario, you do not have to enable Inheritance on the adminSDHolder container. You only have to add that group or edit the security of the security groups that are already defined on the adminSDHolder container. After one hour, the SDProp thread will apply the change made to the ACLs of the adminSDHolder container to all the members of protected groups. The members will not inherit the security of the container they reside in.

For example, the Self account requires the Allow to Read All Properties right. Edit the adminSDHolder container security settings to allow this right on the Self account. After one hour, this right will be allowed to the Self account for all users who are members of protected groups. The Inheritance flag is not changed.

The following example demonstrates how to apply changes onto the adminSDHolder object only. This example grants the following permissions on the adminSDHolder object:
List Contents
Read All Properties
Write All Properties
To grant these permissions on the adminSDHolder object, follow these steps:
In Active Directory Users and Computers, click Advanced Features on the View menu.
Locate the adminSDHolder object. The object is in the following location for each domain in the Active Directory forest: CN=adminSDHolder,CN=System,DC=domain,DC=com Here, DC=domain,DC=com is the distinguished name of the domain.
Right-click adminSDHolder, and then click Properties.
In the Properties dialog box, click the Security tab and then click Advanced.
In the Access Control Settings for adminSDHolder dialog box, click Add on the Permissions tab.
In the Select User, Computer, or Group dialog box, click the account to which you want to grant related permissions, and then click OK.
In the Permissions Entry for adminSDHolder dialog box, click This object only in the Apply onto box, and then click List Contents, Read All Properties, and Write All Properties rights.
Click OK to close the Permissions Entry for adminSDHolder dialog box, the Access Control Settings for adminSDHolder dialog box, and the adminSDHolder Properties dialog box.
Within one hour, the ACL will be updated on the user objects associated with the protected groups to reflect the changes. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
232199  (http://support.microsoft.com/kb/232199/ ) Description and update of the Active Directory adminSDHolder object
318180  (http://support.microsoft.com/kb/318180/ ) AdminSDHolder thread affects transitive members of distribution groups
Depending on what you want to do you can pick Method 2 or 3
mattolanAuthor Commented:
will that fix the security issues in exchange?
I think so I have had to do it to allow administrators to use Blackberrys/Active Sync and so on.  The other options is to create accounts for their day to day use and not use accounts that are in proected groups for day to use.
mattolanAuthor Commented:
I think I am going to go with the 2 account approach. this is better for security over the long haul anyway

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 7
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now