?
Solved

Restricting domain admins group from having full mailbox permissions

Posted on 2012-03-21
7
Medium Priority
?
765 Views
Last Modified: 2012-04-02
Hi all,

I have been tasked to restrict the domain admins group from having full mailbox permissions on all the mailboxes.  We do not have different accounts for domain admins.  My concern is if I restrict them from having full mailbox permissions it will also restrict them from their mailbox and it will break their outlook, bb, iphone, ipad, etc.

Does anyone have any suggestions on how to get this done without breaking anything.  We have Exchange 2007 sp3, Active Direcotry 2003.

Thanks
0
Comment
Question by:annayeg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 668 total points
ID: 37751889
Regular user accounts should not be domain admins, admin accounts should be completely separate from the IT Staffs "regular account" email etc, if this was being done you would not have this issue.

Exchange since I think 2003 SP2 removed the rights over mailboxes for members of the Domain Admins group, and if it is working it is because someone made changes to defaults to make it work.

I would be inclined to make everyone and new admin account and remove their current accounts from the domain admins group, this is good/common practice and will get you through external audits etc...and get this working for you while remaining compliant.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37751987
You can't actually restricted admins from anything. You would be best to demote their permissions.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1332 total points
ID: 37752457
You can't actually restricted admins from anything. You would be best to demote their permissions.

The default with Exchange2003 is that the Admins don't have access to the Mailboxes.  The reason they do now is because someone went out of their way to give them access. So the solution is to put it back the way that it was.

Yes, it is true that Admins can go back and give themselves permission,...but they have to go out of their way to do that.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 1

Author Comment

by:annayeg
ID: 37753151
How do I find out how the permissions were given?  Is there any powershell commands I can run?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37753208
Powershell??   Ya' know,...there was life before Powershell?,...there was even life before Netsh.

The permissions were set right in the Exchange MMC,...at least it was in Exchange2003
0
 
LVL 1

Author Comment

by:annayeg
ID: 37759655
So, is there a way for me to find out how these permissions were set?
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1332 total points
ID: 37765973
Go look at them.  In the MMC.

They can be set directly on the mailbox or on one of the nodes just above them and let it inherit down.

Be careful what you change,...you can trash the whole thing in a heartbeat by doing the wrong thing.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question