Solved

Exchange 2003 security permissions change

Posted on 2012-04-13
4
315 Views
Last Modified: 2012-04-17
I'm attempting to retire an older domain admin account.  While checking the exchange 2003 server I'm finding this account has permissions on objects like the address books and the message queues.  On the security tab when I highlight the account and click remove I get the following error:

"You cannot remove "Account name" because this object is inheriting permissions from its parent"

I understand the message and why I'm getting it but I don't know where the "parent" is where the inheritence is coming from.  I've checked all the higher level folders in the system manager but I don't see it.  Can someone point me in the right direction?
0
Comment
Question by:First Last
  • 2
  • 2
4 Comments
 
LVL 15

Expert Comment

by:Rajkumar-MCITP
ID: 37844628
You can check the following

Make sure he is not an exchange server organization administrator ( check the org admin group members)

Any service running on this account

If that is the default administrator account kindly have a look on this - http://www.windowsecurity.com/articles/protecting-administrator-account.html

Is that account used to install exchange server?
0
 
LVL 1

Author Comment

by:First Last
ID: 37845017
I checked all the exchange services which are set to use the local system account.  It is a member of the Exchange Services group (as well as a domain admin).  I don't see a group called exchange server organization admin, the services group was the closest I could see.

Exchange was probably installed using that account several years ago.  The default admin account was renamed and disabled a while back but prior staff had gotten in the habit of using another domain level service account for just about everything which I now get to clean up.  :)

Thanks for your help!
0
 
LVL 15

Accepted Solution

by:
Rajkumar-MCITP earned 500 total points
ID: 37845669
Sorry, I meant the exchange full administrator group as organization Administrator

right click on the Organization Name or Administrative group and click on delegate control. click on the old admin account and remove it.
0
 
LVL 1

Author Closing Comment

by:First Last
ID: 37855845
That did the trick, once I removed the account as an exchange admin all the permissions went with it.  Thanks!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video discusses moving either the default database or any database to a new volume.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now