Solved

Active Directory permissions in Multi Child Domain with Exchange 2010 and Exchange 2003

Posted on 2011-09-07
Last Modified: 2012-05-12
Hi, we are a forest with 18 child domains. We prepared the AD for installing Exchange 2010 and currently we have child domains with Exchange 2010 and others with Exchange 2003, and all is working OK. But we just discovered that the administrator from one child domain was able to change and edit attributes like email, display name, etc. for other accounts that belong to other child domains.

Researching, I found that the built-in\Administrator on each child domain has been assigned the root Enterprise permission with almost full permission, and also these Exchange 2010 security groups: "Organization Management", "Exchange Server", "Exchange Trusted Subsystem" with read and write Exchange information, and checking these groups from the root, they do not have permissions assigned for child administrator accounts. So I removed the Enterprise Admin from builtin\Administrator on one child domain just for testing, and the administrator can still modify Exchange 2003 & 2010 accounts for other child domains. I do not want to remove the other Exchange 2010 security groups without making sure whether it could affect the Exchange deployment or the AD.
Does anybody have a similar environment and can confirm whether their built-in\Administrator in the child domain has all these Exchange security group permissions and can modify accounts for other child domains?

I will appreciate any information.

Thanks
Liliana
Question by:CGNET-TE
6 Comments
 

Accepted Solution

by:
Akhater earned 500 total points
ID: 36498912
No, by default the administrator of a child domain doesn't have any Exchange permission and doesn't need to be in any Exchange security group nor in Enterprise Admins.
 

Author Comment

by:CGNET-TE
ID: 36498966
Thanks for your reply. I imagined that, but it seems that it was inherited after we prepared the forest for the Exchange 2010 installation :( I tried and removed the EA and forced synchronization, but after 3 hours I can see that the EA was added again. I cannot see at the root where it is taking those inherited permissions.

Thk
Libet

Expert Comment

by:Akhater
ID: 36499049
You mean you have removed the child domain administrator from the Enterprise Admins and it was re-added after 3 hours?
Well, this has nothing to do with Exchange. Exchange doesn't use these groups; you should have some kind of policy re-adding them.

Author Comment

by:CGNET-TE
ID: 36499096
Yes, just for testing I removed the EA from the child domain site because I do not see it at the root level. It also has the other Exchange security groups that I mentioned initially, but just for testing I only removed EA and it was re-added :(. We do not have any kind of policy applied to our AD in the forest.

Thanks,


Assisted Solution

by:Akhater
Akhater earned 500 total points
ID: 36499147
I can assure you that there is nothing in Exchange that will change the group membership of a user or a group, so if it is not a policy then you will need to find something else.
 

Author Comment

by:CGNET-TE
ID: 37003607
Resolved by myself.
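
To see which of the trustees named in this thread hold write-capable rights on an account, and whether each entry is inherited or set directly on the object, the object's ACL can be filtered as below. This is an added example, not part of the original thread; the function names `Select-WriteAce` and `New-SampleAce`, the ROOT and CHILD1 domain names, and the sample ACEs are constructed for illustration.

```powershell
# Added example: trustee names are taken from the thread; the ROOT/CHILD1 domain
# names and the sample ACEs below are constructed so this runs without a directory.
$WriteRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'
$Trustees    = 'Enterprise Admins|Organization Management|Exchange Server|' +
               'Exchange Trusted Subsystem|Administrators'

function Select-WriteAce {
    # Keep Allow ACEs that give a write-capable right to one of the trustees
    # above, and label each as inherited or set explicitly on the object.
    param([Parameter(ValueFromPipeline = $true)] $Ace)
    process {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        if ("$($Ace.ActiveDirectoryRights)" -notmatch $WriteRights) { return }
        if ("$($Ace.IdentityReference)" -notmatch $Trustees) { return }
        [pscustomobject]@{
            Trustee = "$($Ace.IdentityReference)"
            Rights  = "$($Ace.ActiveDirectoryRights)"
            Source  = if ($Ace.IsInherited) { 'inherited' } else { 'explicit' }
        }
    }
}

function New-SampleAce($Who, $Rights, $Type, $Inherited) {
    # Hypothetical helper: builds an object shaped like an AD access rule.
    [pscustomobject]@{ IdentityReference = $Who; ActiveDirectoryRights = $Rights
                       AccessControlType = $Type; IsInherited = $Inherited }
}

# Constructed ACL for a user object in another child domain.
$sample = @(
    New-SampleAce 'ROOT\Enterprise Admins'           'GenericAll'                  'Allow' $true
    New-SampleAce 'ROOT\Exchange Trusted Subsystem'  'ReadProperty, WriteProperty' 'Allow' $true
    New-SampleAce 'CHILD1\Domain Admins'             'GenericAll'                  'Allow' $false
    New-SampleAce 'NT AUTHORITY\Authenticated Users' 'ReadProperty'                'Allow' $true
    New-SampleAce 'BUILTIN\Administrators'           'WriteDacl'                   'Deny'  $false
)
$sample | Select-WriteAce | Format-Table -AutoSize

# Live use (ActiveDirectory module loaded; the DN is a placeholder):
#   (Get-Acl 'AD:\<DN of an affected user>').Access | Select-WriteAce
```

Rows marked `inherited` point to a parent container or the domain root as the place to look; rows marked `explicit` were set on the object itself.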