Solved

Active Directory permissions in Multi Child Domain with Exchange 2010 and Exchange 2003``

Posted on 2011-09-07
6
1,071 Views
Last Modified: 2012-05-12
Hi We are forest with 18 Clhild domain. We prepared the AD for installing exchange 2010 and currenly we have  child domains with Exchange 2010 and others with Exchange 2003 and all is working Ok. But we just discovered that the administrator from one child domain was able to change and edit attributes like  email, display name, etc for other accounts that below to other Child domain.

Researching I found that the built-in\Adminitrator on each Child domain has assigned the root Enterprise permission with almost full permission and also these Exchange 2010 securoty groups: "Organization Management", :Exchange Server", "Exchange trusted Subsystem" with Read and write Exchange information and checking these group from the root they does not have assigned permission for Child administrator accounts. So I removed the Enterprise Admin from builtin\Administrator on one Child domain just for testing and still the admistrator can modify exchange 2003 &2010 accounts for other Child domain. I do not want to remove the other exchange 2010 security group without make sure that it could affect the exchange deployment  or the AD.
. Anybody has similar enviroment and can confirm if their built-in\administrator in the child domain has all these exchang security group permission and can modify account for other child domains?

I will apreciate any information.

Thanks
Liliana
0
Comment
Question by:CGNET-TE
  • 3
  • 3
6 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 36498912
no by default the administrator of a child domain doesn't have any exchange permission and doesn't need to be in any exchange sercurity group nor in enterprise admins
0
 

Author Comment

by:CGNET-TE
ID: 36498966
Thanks for your reply. I imagine that but it seems that it was inherit after we prepared the forest for exchange 2010 installation :( I tried and removed the EA and force sincronization but after 3 hours I can see that the EA was added again. I can not at the root where it is taking that inherit permissions.

Thk
Libet
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36499049
you mean you have removed the child domain administrator from the enterprise admins and it was re-added after 3hours ?
well this has nothing to do with exchange, exchange doesn't use these groups, you should have some kind of policy readding them
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:CGNET-TE
ID: 36499096
Yes just for testing I removed the EA from Child Domain site because I do not see it at the root level. It also have the other Exchange security groups that I mention initially but just for testing I only removed EA and I was re added :(. We do not have any kind of policy applied to our AD in the forest.

Thanks ,

0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 500 total points
ID: 36499147
i can assure you that there is nothing in exchange that will change group membership of a user or a group so, if it is not a policy then you will need to find something else
0
 

Author Comment

by:CGNET-TE
ID: 37003607
resolved by myself
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now