Solved

Restricting domain admins group from having full mailbox permissions

Posted on 2012-03-21
759 Views
Last Modified: 2012-04-02
Hi all,

I have been tasked to restrict the domain admins group from having full mailbox permissions on all the mailboxes.  We do not have different accounts for domain admins.  My concern is if I restrict them from having full mailbox permissions it will also restrict them from their mailbox and it will break their outlook, bb, iphone, ipad, etc.

Does anyone have any suggestions on how to get this done without breaking anything?  We have Exchange 2007 SP3, Active Directory 2003.

Thanks
0
Question by:annayeg
7 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 167 total points
ID: 37751889
Regular user accounts should not be domain admins; admin accounts should be completely separate from the IT staff's "regular account", email, etc. If this were being done you would not have this issue.

Exchange since I think 2003 SP2 removed the rights over mailboxes for members of the Domain Admins group, and if it is working it is because someone made changes to defaults to make it work.

I would be inclined to make everyone a new admin account and remove their current accounts from the Domain Admins group. This is good/common practice and will get you through external audits etc., and get this working for you while remaining compliant.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37751987
You can't actually restrict admins from anything. You would be best to demote their permissions.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
ID: 37752457
You can't actually restrict admins from anything. You would be best to demote their permissions.

The default with Exchange 2003 is that the admins don't have access to the mailboxes.  The reason they do now is because someone went out of their way to give them access. So the solution is to put it back the way that it was.

Yes, it is true that Admins can go back and give themselves permission,...but they have to go out of their way to do that.
0
 
LVL 1

Author Comment

by:annayeg
ID: 37753151
How do I find out how the permissions were given?  Are there any PowerShell commands I can run?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37753208
PowerShell??   Ya' know,...there was life before PowerShell?,...there was even life before Netsh.

The permissions were set right in the Exchange MMC,...at least it was in Exchange 2003.
0
 
LVL 1

Author Comment

by:annayeg
ID: 37759655
So, is there a way for me to find out how these permissions were set?
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
ID: 37765973
Go look at them.  In the MMC.

They can be set directly on the mailbox or on one of the nodes just above them and let it inherit down.

Be careful what you change,...you can trash the whole thing in a heartbeat by doing the wrong thing.
0
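As an added example for the asker's PowerShell question (not code from anyone in this thread), the Exchange Management Shell script below audits where a group's mailbox access actually comes from on Exchange 2007 SP3. It looks in both places pwindell describes: explicit Full Access entries placed on individual mailboxes (Get-MailboxPermission, IsInherited = False) and Receive-As / Send-As extended rights granted higher up (mailbox database, mailbox server or the organization object) that inherit down to every mailbox beneath. The group name CONTOSO\Domain Admins is an assumption; substitute your own domain. The script only reads; it changes nothing.

```powershell
# Added example, not from the original thread. Run in the Exchange 2007 Management Shell
# with an account that can read Exchange configuration (Exchange View-Only Administrator is enough).
# Assumption: the group being audited is CONTOSO\Domain Admins; change $Group to match your domain.
$Group = "CONTOSO\Domain Admins"

# 1. Explicit grants on the mailbox objects themselves.
#    IsInherited = False means someone added the ACE directly to that mailbox
#    (Add-MailboxPermission, or the mailbox's Permissions tab in the MMC).
Write-Host "== Explicit FullAccess entries for $Group on individual mailboxes =="
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Group |
    Where-Object { ($_.AccessRights -like "*FullAccess*") -and (-not $_.IsInherited) -and (-not $_.Deny) } |
    Select-Object Identity, AccessRights, InheritanceType |
    Format-Table -AutoSize

# 2. Grants above the mailbox level. A Receive-As extended right on a database, server
#    or the organization object flows down to every mailbox under that node, which is
#    what an audit of the mailboxes alone shows only as "IsInherited = True".
Write-Host "== Receive-As / Send-As entries for $Group on database, server and organization objects =="
$containers = @()
$containers += Get-MailboxDatabase
$containers += Get-MailboxServer
$containers += Get-OrganizationConfig

foreach ($c in $containers) {
    # Use the DN so same-named databases on different servers are not confused.
    Get-ADPermission -Identity $c.DistinguishedName -User $Group |
        Where-Object {
            # ExtendedRights is a collection; join it to a string before matching so this
            # works on both PowerShell 1.0 and 2.0.
            ([string]::Join(",", @($_.ExtendedRights)) -match "Receive-As|Send-As")
        } |
        Select-Object @{Name="Container"; Expression={ $c.Identity }}, User, ExtendedRights, Deny, IsInherited |
        Format-Table -AutoSize
}
```

Rows with Deny = False in the second listing are the grants that need to be undone; rows with Deny = True are the product's own default denials and should stay. Once the offending entry is located, reverse it with the matching cmdlet (Remove-MailboxPermission for an explicit mailbox entry, Remove-ADPermission for a database, server or organization entry), running with -WhatIf first, as pwindell's warning about trashing the whole thing applies. Removing a group-level grant does not affect each admin's access to his or her own mailbox, which comes from being that mailbox's owner rather than from the group's ACE, so Outlook, BlackBerry and ActiveSync clients for their own accounts keep working.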
