Solved

Default permissions in Exchange 2010 Database

Posted on 2014-03-25
2
241 Views
Last Modified: 2014-04-01
I am fairly new to Exchange 2010 administration and have inherited a system that was set up by previous administrators that are no longer with the company.

I need to remove any non-default permissions granted by the previous administrators.  One of the permissions set at the organization level is for "NT Authority\System".  I checked with another Exchange Admin and he does not have this permission set on his system.

Here are the permissions at the organization level:

Get-OrganizationConfig|get-adpermission -user "nt authority\system"|fl *


PSComputerName      : server.domain.dom
RunspaceId          : 46053498-3d13-4b48-a7af-b0fef6d1048f
AccessRights        : {ExtendedRight}
ExtendedRights      :
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\SYSTEM
Identity            : XXXXXXXXXXXXX
IsInherited         : False
IsValid             : True

Does the SYSTEM account have these permissions by default or was this added later?
0
Comment
Question by:Eddie2010
2 Comments
 
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ID: 39954447
The question is now, what the GUID represents, at least I can say, I have system permissions as well.

Be carefully with removing permissions, nevertheless Exchange handles most of the permissions by its own groups. There is a huge amount of permissions in AD and deleteing the wrong ones can start a big mess.

Check who is member of the default Exchange groups and take care of user accounts, which are in there. Check the permissions on the mailboxes (full, send as) id there are unusual permissions.

System accounts can even be connected to services, whch interacts with exchange, i.e backup software or Blackberry etc. So before deleting any permissions, make sure no service is needing them.

The most common permission problem is mostly, that users or user groups have permissions an mailboxes to get access to them. But even this can have a reason, i.e. or systemic mailboxes used by some services.
0
 

Author Comment

by:Eddie2010
ID: 39969743
This isn't really a direct answer to the question I asked and you included a lot of superfluous information, but no one else has responded so I guess you get credit.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Today companies are subjected to more-and-more data, and it won't stop any time soon.  But there are obvious opportunities for reducing data, particularly data duplicated among companies.
Being able to change email signatures is made really simple with email signature software and services.
This video walks the viewer through the process of creating Hyperlinks for the web and other documents. Select the "Insert" tab: Click "Hyperlink":  Type "http://" followed by a web address to reference a website or navigate to a document to ref…
An overview on how to enroll an hourly employee into the employee database and how to give them access into the clock in terminal.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now