Active Directory permissions in Multi Child Domain with Exchange 2010 and Exchange 2003``

Posted on 2011-09-07
Last Modified: 2012-05-12
Hi We are forest with 18 Clhild domain. We prepared the AD for installing exchange 2010 and currenly we have  child domains with Exchange 2010 and others with Exchange 2003 and all is working Ok. But we just discovered that the administrator from one child domain was able to change and edit attributes like  email, display name, etc for other accounts that below to other Child domain.

Researching I found that the built-in\Adminitrator on each Child domain has assigned the root Enterprise permission with almost full permission and also these Exchange 2010 securoty groups: "Organization Management", :Exchange Server", "Exchange trusted Subsystem" with Read and write Exchange information and checking these group from the root they does not have assigned permission for Child administrator accounts. So I removed the Enterprise Admin from builtin\Administrator on one Child domain just for testing and still the admistrator can modify exchange 2003 &2010 accounts for other Child domain. I do not want to remove the other exchange 2010 security group without make sure that it could affect the exchange deployment  or the AD.
. Anybody has similar enviroment and can confirm if their built-in\administrator in the child domain has all these exchang security group permission and can modify account for other child domains?

I will apreciate any information.

Question by:CGNET-TE
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 49

Accepted Solution

Akhater earned 500 total points
ID: 36498912
no by default the administrator of a child domain doesn't have any exchange permission and doesn't need to be in any exchange sercurity group nor in enterprise admins

Author Comment

ID: 36498966
Thanks for your reply. I imagine that but it seems that it was inherit after we prepared the forest for exchange 2010 installation :( I tried and removed the EA and force sincronization but after 3 hours I can see that the EA was added again. I can not at the root where it is taking that inherit permissions.

LVL 49

Expert Comment

ID: 36499049
you mean you have removed the child domain administrator from the enterprise admins and it was re-added after 3hours ?
well this has nothing to do with exchange, exchange doesn't use these groups, you should have some kind of policy readding them
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users


Author Comment

ID: 36499096
Yes just for testing I removed the EA from Child Domain site because I do not see it at the root level. It also have the other Exchange security groups that I mention initially but just for testing I only removed EA and I was re added :(. We do not have any kind of policy applied to our AD in the forest.

Thanks ,

LVL 49

Assisted Solution

Akhater earned 500 total points
ID: 36499147
i can assure you that there is nothing in exchange that will change group membership of a user or a group so, if it is not a policy then you will need to find something else

Author Comment

ID: 37003607
resolved by myself

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question