Solved

How can we configure a domain admin user without having Exchange admin rights?

Posted on 2014-11-18
16
87 Views
Last Modified: 2015-10-15
We have a Small Business Server 2011, patched to the latest service packs and updates including those for Exchange 2010.

We have a requirement to set up a user (or group of users) that are able to perform administrative tasks on the server (add/remove users, reset passwords, set file/share permissions, check and configure backups, etc.) but without having Exchange admin rights (basically, so they are unable to grant themselves or others access to mailboxes).

Is this possible on SBS2011?  If so, how do we go about configuring it?

Thanks in advance as always.
0
Question by:David Haycox
16 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 200 total points
ID: 40449440
Hi.

You can do it, but you would not make him domain admin but use the Delegation of Control Wizard to delegate AD permissions -> add/remove users, reset passwords can be delegated. To let him set file share permissions, he will need an ACL entry with full access for himself, that's all - he does not need to be domain admin.

To check backups, he does not need to be domain admin either, but the requirements here are not clear since we don't know your backup solution.
0
 
LVL 1

Author Comment

by:David Haycox
ID: 40449459
Thanks for that.  We're using the built-in Windows Server / SBS Backup to rotated USB drives.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40449463
And checking backups means he would need to look at the logs simply? Then he needs read access to the logfile, that's all.
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 40449646
Have not checked this myself because it has never been an issue.... but wondering if the Console Add User Wizard will work if the user has no Exchange rights..... since the Add User Wizard does create the users mailbox.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40449663
Larry, you could be right - I never used an SBS apart from initial testing many years ago. So if that wizard is the only way and if it automatically tries to create an account, of course that would fail. But inside the Exchange part we might have delegations, too, don't we? Sorry, I won't be able to test.
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 40449687
Apart from the Wizard, which is the best way to manage an SBS, why would you want to create a new user with no mailbox?  The original question had to do with that.  I guess that as long as the activities of this "super user" did not include any Exchange functions (changing a name as another example), one might be able to do what is described..... as long as you can figure out a way to enable this person to log on to the server in the first place.
0
 
LVL 1

Author Comment

by:David Haycox
ID: 40449953
Interesting comments!  I would suspect the SBS wizards would break if the user is not a domain / Exchange admin, so for ease I'll remove the requirement to add new users (and anything else that involves Exchange).

To allow the user to log on to the server you can add the user/group to the "allow log on through Remote Desktop Services" setting (Computer Configuration, Windows Settings, Security Settings, User Rights Assignment) in local policy (GPEDIT.MSC) or in a group policy.

That doesn't make the user a local admin though, so while he/she can log on there's a UAC prompt when trying to do pretty much anything (like running MMC or the Server Backup console).

So does he have to use remote admin tools, or is there a way to allow him to log on by Remote Desktop to run e.g. MMC locally?
0
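The logon-right question above can be checked rather than guessed at. The following PowerShell is an added example (not code from the thread or from Microsoft): run on the server, it exports the local user-rights assignment with secedit, lists who holds "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight), and separately lists the local Administrators group, so you can confirm the delegated account has the logon right without also being a local admin. The account name is a placeholder.

```powershell
# Added example: audit SeRemoteInteractiveLogonRight and local Administrators on this server.
# Run in an elevated PowerShell session on the server itself. $account is a placeholder.
$account = "EXAMPLE\helpdesk1"

# Export only the user-rights area of the local security policy to a temporary INF file
$inf = Join-Path $env:TEMP "user-rights-export.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The exported line looks like:  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$line = Get-Content $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
Remove-Item $inf

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are raw SIDs; translate to names where the SID resolves
            $sid = New-Object System.Security.Principal.SecurityIdentifier $entry.Substring(1)
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry.Substring(1) }
        } else {
            $entry
        }
    }
}

"Holders of 'Allow log on through Remote Desktop Services':"
$holders | ForEach-Object { "  $_" }

# Local Administrators membership via ADSI (works on Server 2008 R2 / SBS 2011, no Get-LocalGroupMember needed)
$localAdmins = ([ADSI]"WinNT://./Administrators,group").psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) } |
    ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }

"Local Administrators:"
$localAdmins | ForEach-Object { "  $_" }

if ($localAdmins -contains $account) {
    Write-Warning "$account is a local administrator on this server."
} else {
    "$account is NOT a local administrator; MMC and the Server Backup console will prompt for elevation."
}
```

Note that the logon right shows up either directly (the account's own SID) or through a group such as Remote Desktop Users (S-1-5-32-555), so check both the holder list and the account's group membership.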
 
LVL 22

Assisted Solution

by:Larry Struckmeyer MVP
Larry Struckmeyer MVP earned 150 total points
ID: 40450226
I think you are overthinking this.  Either you trust this person(s) or not.  If you can't trust them they have NO business connecting to your servers with anything but shares.  Full Stop.
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 150 total points
ID: 40451602
You could remove that user from all the Exchange security groups such as Organization Management, but as a Domain Admin they could easily add themselves back into these groups.

Maybe Active Directory Delegation of Administration could help. Just delegate to them a few OUs where all the users or computer accounts are located. That way they can't access the Exchange Security OU. Never tried it. But it's the only thing I can think of.
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Active-Directory-Delegation-Administration.html

I would guess SBS isn't set this way but the full version of Exchange also lets you choose to completely separate AD administration from Exchange administration.
0
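Both the accepted answer (delegate with the Delegation of Control Wizard rather than granting Domain Admins) and the suggestion above (delegate a few OUs) come down to writing ACEs on an OU. The PowerShell below is an added example, not code from the thread or from Microsoft, of doing one such delegation explicitly and then reading the ACL back, which is the part a defender cares about: you can see precisely what was granted. It grants the "Reset Password" control access right on user objects under an OU to a group, and nothing else. The OU distinguished name and group name are placeholders; the two GUIDs are the fixed schema identifiers for the Reset Password right and the user object class.

```powershell
# Added example: delegate "Reset Password" on user objects under an OU to a group, then verify.
# Requires the ActiveDirectory module (RSAT / Server 2008 R2 and later).
# $ouDn and the group name are placeholders for your environment.
Import-Module ActiveDirectory

$ouDn  = "OU=MyBusiness,DC=example,DC=local"         # placeholder DN of the OU to delegate
$group = Get-ADGroup -Identity "Delegated Helpdesk"   # placeholder group that receives the right
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known schema GUIDs; these are the same in every AD forest
$resetPasswordRight = [Guid] "00299570-246d-11d0-a768-00aa006e0529"   # control access right "Reset Password"
$userClass          = [Guid] "bf967aba-0de6-11d0-a285-00aa003049e2"   # schema class "user"

$acl = Get-Acl -Path "AD:\$ouDn"

# Allow the group the Reset Password extended right, applied only to descendant user objects
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: show only the ACEs that name the delegated group, so nothing broader slipped in
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($group.Name)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The wizard's "Reset user passwords and force password change at next logon" task also grants write access to the pwdLastSet attribute; this example deliberately grants only the Reset Password right so the read-back is easy to interpret. Run the verification part alone, at any time, to confirm the delegated group still holds only what you intended.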
 
LVL 1

Author Comment

by:David Haycox
ID: 40451787
Larry: I'm inclined to agree with you, but it's not my decision here - I'm just implementing it.  Having said that, I can understand the reasons behind trusting a technical admin to reset a password but not trusting the same person with the ability to view the management's confidential emails (possibly about other members of staff).  At the end of the day, if it can't be done on SBS, then so be it.

I will try out the delegation and post back the results.
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 40452151
Admins need to reset passwords very seldom.  Ctrl-Alt-Del on the workstation brings up a change password button.  If we are discussing the occasions where you wish to lock someone out or the user has somehow forgotten his password, IME that happens very seldom.  If you really can't trust the assistant admin, how about your external IT support for those few times that the regular internal admin is not available?
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40452170
You can add the user to the Server Operators group, but that will not allow access to the SBS console.  But they could reset passwords via Users and Computers. They could also deal with file and folder permissions.  But they can't create new users.
0
 
LVL 1

Author Comment

by:David Haycox
ID: 40452928
The AD delegation works well (I just delegated down from the MyBusiness OU), allowing changes to user accounts but nothing involving admin accounts or groups.

I found a group called "Domain Power Users" (not sure if this is a default with Server 2008, SBS2011, or perhaps left over from SBS2003 - in any case it had no members) which is a member of the following groups:

Account Operators
Fax Operators
Folder Operators
Mail Operators
Print Operators
Remote Operators
SharePoint Administrators

I removed "Mail Operators" from the group and made the user in question a member.  I also added "DHCP Administrators", "Backup Operators" and "DnsAdmins" to the group.

This allows the user to administer the AD (in part), DHCP and DNS from their PC or a Remote Desktop server running Remote Server Administration Tools.

I haven't tested the rest yet; I will update when I have full details.
0
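With a nested group like "Domain Power Users" above, the effective rights of the delegated account are the union of every group it reaches through nesting, so it is worth listing them all rather than trusting the top-level membership. The PowerShell below is an added example (not code from the thread or from Microsoft): it resolves the account's transitive group membership in one LDAP query using the matching-rule-in-chain operator and flags any group from a constructed list of Exchange or domain-wide administrative groups. The account name is a placeholder. As noted earlier in the thread, this check only means something for an account that is not a Domain Admin, since a Domain Admin can re-add itself to anything.

```powershell
# Added example: list a delegated admin's transitive group membership and flag sensitive groups.
# Requires the ActiveDirectory module. $accountName is a placeholder.
Import-Module ActiveDirectory

$accountName = "helpdesk1"     # placeholder sAMAccountName of the delegated admin
$user = Get-ADUser -Identity $accountName

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership server-side,
# so groups reached only via "Domain Power Users" -> "Account Operators" etc. are included.
$allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

# Constructed list of groups that should never appear for a "no Exchange rights" admin;
# extend it with whatever your environment treats as privileged.
$sensitive = @(
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Organization Management",   # Exchange 2010 top-level role group
    "Mail Operators"             # SBS group the thread removed from Domain Power Users
)

"Transitive group membership for $accountName :"
$allGroups | Sort-Object Name | ForEach-Object {
    $flag = if ($sensitive -contains $_.Name) { "<-- REVIEW" } else { "" }
    "  {0,-35} {1}" -f $_.Name, $flag
}

$hits = $allGroups | Where-Object { $sensitive -contains $_.Name }
if ($hits) {
    $names = ($hits | ForEach-Object { $_.Name }) -join ", "
    Write-Warning "$accountName is (transitively) a member of: $names"
} else {
    "$accountName reaches none of the listed sensitive groups."
}
```

Run this again after any group change; because the query is transitive, a group added two levels down still shows up.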
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40452958
Just understand that they cannot access the SBS console with these settings and therefore can't create new users.
0
 
LVL 1

Author Comment

by:David Haycox
ID: 40461521
Understood; we're after day-to-day admin, it's not that often that we need a new user and there's always plenty of notice when we do.
0
 
LVL 1

Author Closing Comment

by:David Haycox
ID: 41041592
We eventually gave up on this; we were trying to go behind the back of the SBS console and wizards (which is usually a bad idea) and so just assigned full admin rights or not depending on the user.

Thanks for the ideas!
0
