Solved

Restricting domain admins group from having full mailbox permissions

Posted on 2012-03-21
7
739 Views
Last Modified: 2012-04-02
Hi all,

I have been tasked to restrict the domain admins group from having full mailbox permissions on all the mailboxes.  We do not have different accounts for domain admins.  My concern is if I restrict them from having full mailbox permissions it will also restrict them from their mailbox and it will break their outlook, bb, iphone, ipad, etc.

Does anyone have any suggestions on how to get this done without breaking anything.  We have Exchange 2007 sp3, Active Direcotry 2003.

Thanks
0
Comment
Question by:annayeg
7 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 167 total points
ID: 37751889
Regular user accounts should not be domain admins, admin accounts should be completely separate from the IT Staffs "regular account" email etc, if this was being done you would not have this issue.

Exchange since I think 2003 SP2 removed the rights over mailboxes for members of the Domain Admins group, and if it is working it is because someone made changes to defaults to make it work.

I would be inclined to make everyone and new admin account and remove their current accounts from the domain admins group, this is good/common practice and will get you through external audits etc...and get this working for you while remaining compliant.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37751987
You can't actually restricted admins from anything. You would be best to demote their permissions.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
ID: 37752457
You can't actually restricted admins from anything. You would be best to demote their permissions.

The default with Exchange2003 is that the Admins don't have access to the Mailboxes.  The reason they do now is because someone went out of their way to give them access. So the solution is to put it back the way that it was.

Yes, it is true that Admins can go back and give themselves permission,...but they have to go out of their way to do that.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 1

Author Comment

by:annayeg
ID: 37753151
How do I find out how the permissions were given?  Is there any powershell commands I can run?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37753208
Powershell??   Ya' know,...there was life before Powershell?,...there was even life before Netsh.

The permissions were set right in the Exchange MMC,...at least it was in Exchange2003
0
 
LVL 1

Author Comment

by:annayeg
ID: 37759655
So, is there a way for me to find out how these permissions were set?
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
ID: 37765973
Go look at them.  In the MMC.

They can be set directly on the mailbox or on one of the nodes just above them and let it inherit down.

Be careful what you change,...you can trash the whole thing in a heartbeat by doing the wrong thing.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
Read this checklist to learn more about the 15 things you should never include in an email signature.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question