Active Directory permissions in Multi Child Domain with Exchange 2010 and Exchange 2003
Posted on 2011-09-07
Hi. We are a forest with 18 child domains. We prepared the AD for installing Exchange 2010, and currently we have child domains with Exchange 2010 and others with Exchange 2003, and all is working OK. But we just discovered that the administrator from one child domain was able to change and edit attributes like email, display name, etc. for other accounts that belong to other child domains.
Researching, I found that the built-in\Administrator on each child domain has been assigned the root Enterprise permission with almost full permission, and also these Exchange 2010 security groups: "Organization Management", "Exchange Server", "Exchange Trusted Subsystem" with Read and Write Exchange information, and checking these groups from the root, they do not have assigned permissions for child administrator accounts. So I removed the Enterprise Admin from builtin\Administrator on one child domain just for testing, and still the administrator can modify Exchange 2003 & 2010 accounts for other child domains. I do not want to remove the other Exchange 2010 security groups without making sure whether it could affect the Exchange deployment or the AD.
Does anybody have a similar environment and can confirm whether their built-in\Administrator in the child domain has all these Exchange security group permissions and can modify accounts for other child domains?
I will appreciate any information.