[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Active Directory permissions in Multi Child Domain with Exchange 2010 and Exchange 2003``

Posted on 2011-09-07
Medium Priority
Last Modified: 2012-05-12
Hi We are forest with 18 Clhild domain. We prepared the AD for installing exchange 2010 and currenly we have  child domains with Exchange 2010 and others with Exchange 2003 and all is working Ok. But we just discovered that the administrator from one child domain was able to change and edit attributes like  email, display name, etc for other accounts that below to other Child domain.

Researching I found that the built-in\Adminitrator on each Child domain has assigned the root Enterprise permission with almost full permission and also these Exchange 2010 securoty groups: "Organization Management", :Exchange Server", "Exchange trusted Subsystem" with Read and write Exchange information and checking these group from the root they does not have assigned permission for Child administrator accounts. So I removed the Enterprise Admin from builtin\Administrator on one Child domain just for testing and still the admistrator can modify exchange 2003 &2010 accounts for other Child domain. I do not want to remove the other exchange 2010 security group without make sure that it could affect the exchange deployment  or the AD.
. Anybody has similar enviroment and can confirm if their built-in\administrator in the child domain has all these exchang security group permission and can modify account for other child domains?

I will apreciate any information.

Question by:CGNET-TE
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 49

Accepted Solution

Akhater earned 1000 total points
ID: 36498912
no by default the administrator of a child domain doesn't have any exchange permission and doesn't need to be in any exchange sercurity group nor in enterprise admins

Author Comment

ID: 36498966
Thanks for your reply. I imagine that but it seems that it was inherit after we prepared the forest for exchange 2010 installation :( I tried and removed the EA and force sincronization but after 3 hours I can see that the EA was added again. I can not at the root where it is taking that inherit permissions.

LVL 49

Expert Comment

ID: 36499049
you mean you have removed the child domain administrator from the enterprise admins and it was re-added after 3hours ?
well this has nothing to do with exchange, exchange doesn't use these groups, you should have some kind of policy readding them
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Author Comment

ID: 36499096
Yes just for testing I removed the EA from Child Domain site because I do not see it at the root level. It also have the other Exchange security groups that I mention initially but just for testing I only removed EA and I was re added :(. We do not have any kind of policy applied to our AD in the forest.

Thanks ,

LVL 49

Assisted Solution

Akhater earned 1000 total points
ID: 36499147
i can assure you that there is nothing in exchange that will change group membership of a user or a group so, if it is not a policy then you will need to find something else

Author Comment

ID: 37003607
resolved by myself

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
As much as Microsoft wants to kill off PST file support, just as they tried to do with public folders, there are still times when it is useful or downright necessary to export Exchange mailboxes to PST files. Thankfully, it is still possible to e…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question