• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 772
  • Last Modified:

Restricting domain admins group from having full mailbox permissions

Hi all,

I have been tasked to restrict the domain admins group from having full mailbox permissions on all the mailboxes.  We do not have different accounts for domain admins.  My concern is if I restrict them from having full mailbox permissions it will also restrict them from their mailbox and it will break their outlook, bb, iphone, ipad, etc.

Does anyone have any suggestions on how to get this done without breaking anything.  We have Exchange 2007 sp3, Active Direcotry 2003.

Thanks
0
annayeg
Asked:
annayeg
3 Solutions
 
Mike ThomasConsultantCommented:
Regular user accounts should not be domain admins, admin accounts should be completely separate from the IT Staffs "regular account" email etc, if this was being done you would not have this issue.

Exchange since I think 2003 SP2 removed the rights over mailboxes for members of the Domain Admins group, and if it is working it is because someone made changes to defaults to make it work.

I would be inclined to make everyone and new admin account and remove their current accounts from the domain admins group, this is good/common practice and will get you through external audits etc...and get this working for you while remaining compliant.
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
You can't actually restricted admins from anything. You would be best to demote their permissions.
0
 
pwindellCommented:
You can't actually restricted admins from anything. You would be best to demote their permissions.

The default with Exchange2003 is that the Admins don't have access to the Mailboxes.  The reason they do now is because someone went out of their way to give them access. So the solution is to put it back the way that it was.

Yes, it is true that Admins can go back and give themselves permission,...but they have to go out of their way to do that.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
annayegAuthor Commented:
How do I find out how the permissions were given?  Is there any powershell commands I can run?
0
 
pwindellCommented:
Powershell??   Ya' know,...there was life before Powershell?,...there was even life before Netsh.

The permissions were set right in the Exchange MMC,...at least it was in Exchange2003
0
 
annayegAuthor Commented:
So, is there a way for me to find out how these permissions were set?
0
 
pwindellCommented:
Go look at them.  In the MMC.

They can be set directly on the mailbox or on one of the nodes just above them and let it inherit down.

Be careful what you change,...you can trash the whole thing in a heartbeat by doing the wrong thing.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now