?
Solved

Active Directory permissions in Multi Child Domain with Exchange 2010 and Exchange 2003``

Posted on 2011-09-07
6
Medium Priority
?
1,129 Views
Last Modified: 2012-05-12
Hi We are forest with 18 Clhild domain. We prepared the AD for installing exchange 2010 and currenly we have  child domains with Exchange 2010 and others with Exchange 2003 and all is working Ok. But we just discovered that the administrator from one child domain was able to change and edit attributes like  email, display name, etc for other accounts that below to other Child domain.

Researching I found that the built-in\Adminitrator on each Child domain has assigned the root Enterprise permission with almost full permission and also these Exchange 2010 securoty groups: "Organization Management", :Exchange Server", "Exchange trusted Subsystem" with Read and write Exchange information and checking these group from the root they does not have assigned permission for Child administrator accounts. So I removed the Enterprise Admin from builtin\Administrator on one Child domain just for testing and still the admistrator can modify exchange 2003 &2010 accounts for other Child domain. I do not want to remove the other exchange 2010 security group without make sure that it could affect the exchange deployment  or the AD.
. Anybody has similar enviroment and can confirm if their built-in\administrator in the child domain has all these exchang security group permission and can modify account for other child domains?

I will apreciate any information.

Thanks
Liliana
0
Comment
Question by:CGNET-TE
  • 3
  • 3
6 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 1000 total points
ID: 36498912
no by default the administrator of a child domain doesn't have any exchange permission and doesn't need to be in any exchange sercurity group nor in enterprise admins
0
 

Author Comment

by:CGNET-TE
ID: 36498966
Thanks for your reply. I imagine that but it seems that it was inherit after we prepared the forest for exchange 2010 installation :( I tried and removed the EA and force sincronization but after 3 hours I can see that the EA was added again. I can not at the root where it is taking that inherit permissions.

Thk
Libet
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36499049
you mean you have removed the child domain administrator from the enterprise admins and it was re-added after 3hours ?
well this has nothing to do with exchange, exchange doesn't use these groups, you should have some kind of policy readding them
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:CGNET-TE
ID: 36499096
Yes just for testing I removed the EA from Child Domain site because I do not see it at the root level. It also have the other Exchange security groups that I mention initially but just for testing I only removed EA and I was re added :(. We do not have any kind of policy applied to our AD in the forest.

Thanks ,

0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 1000 total points
ID: 36499147
i can assure you that there is nothing in exchange that will change group membership of a user or a group so, if it is not a policy then you will need to find something else
0
 

Author Comment

by:CGNET-TE
ID: 37003607
resolved by myself
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question