Restricting domain admins group from having full mailbox permissions

Hi all,

I have been tasked to restrict the domain admins group from having full mailbox permissions on all the mailboxes.  We do not have different accounts for domain admins.  My concern is if I restrict them from having full mailbox permissions it will also restrict them from their mailbox and it will break their outlook, bb, iphone, ipad, etc.

Does anyone have any suggestions on how to get this done without breaking anything.  We have Exchange 2007 sp3, Active Direcotry 2003.

Thanks
LVL 1
annayegAsked:
Who is Participating?
 
Mike ThomasConnect With a Mentor ConsultantCommented:
Regular user accounts should not be domain admins, admin accounts should be completely separate from the IT Staffs "regular account" email etc, if this was being done you would not have this issue.

Exchange since I think 2003 SP2 removed the rights over mailboxes for members of the Domain Admins group, and if it is working it is because someone made changes to defaults to make it work.

I would be inclined to make everyone and new admin account and remove their current accounts from the domain admins group, this is good/common practice and will get you through external audits etc...and get this working for you while remaining compliant.
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
You can't actually restricted admins from anything. You would be best to demote their permissions.
0
 
pwindellConnect With a Mentor Commented:
You can't actually restricted admins from anything. You would be best to demote their permissions.

The default with Exchange2003 is that the Admins don't have access to the Mailboxes.  The reason they do now is because someone went out of their way to give them access. So the solution is to put it back the way that it was.

Yes, it is true that Admins can go back and give themselves permission,...but they have to go out of their way to do that.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
annayegAuthor Commented:
How do I find out how the permissions were given?  Is there any powershell commands I can run?
0
 
pwindellCommented:
Powershell??   Ya' know,...there was life before Powershell?,...there was even life before Netsh.

The permissions were set right in the Exchange MMC,...at least it was in Exchange2003
0
 
annayegAuthor Commented:
So, is there a way for me to find out how these permissions were set?
0
 
pwindellConnect With a Mentor Commented:
Go look at them.  In the MMC.

They can be set directly on the mailbox or on one of the nodes just above them and let it inherit down.

Be careful what you change,...you can trash the whole thing in a heartbeat by doing the wrong thing.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.