Solved

How can we configure a domain admin user without having Exchange admin rights?

Posted on 2014-11-18
Last Modified: 2015-10-15
We have a Small Business Server 2011, patched to the latest service packs and updates including those for Exchange 2010.

We have a requirement to set up a user (or group of users) that are able to perform administrative tasks on the server (add/remove users, reset passwords, set file/share permissions, check and configure backups, etc.) but without having Exchange admin rights (basically, so they are unable to grant themselves or others access to mailboxes).

Is this possible on SBS2011?  If so, how do we go about configuring it?

Thanks in advance as always.
Question by:David Haycox
16 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 200 total points
Hi.

You can do it, but you would not make him domain admin; instead use the Delegation of Control wizard to delegate AD permissions -> add/remove users and reset passwords can be delegated. To let him set file share permissions, he will need an ACL entry with full access for himself, that's all - he does not need to be domain admin.

To check backups, he does not need to be domain admin either, but the requirements here are not clear since we don't know your backup solution.
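The delegation McKnife describes, written out as an added PowerShell example (not code from the thread or from the SBS wizards): it grants a group the "Reset Password" control access right on user objects under one OU, the right to create and delete user objects there, and a Full Control NTFS ACE on a share folder, with no Domain Admins membership involved. It assumes the ActiveDirectory module and its AD: drive (RSAT-AD-PowerShell, present on SBS 2011 / Server 2008 R2); the OU distinguished name, group name and folder path are placeholders to replace.

```powershell
# Added example, not code from the thread. Placeholders: $ouDn, $group, $folder.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell). Run it once as an
# account allowed to write the OU's security descriptor; the delegated group
# itself never needs admin rights afterwards.
Import-Module ActiveDirectory

$ouDn   = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local'   # placeholder
$group  = 'Delegated-AD-Admins'                                      # placeholder
$folder = 'D:\Shares\Data'                                           # placeholder

$rootDse = Get-ADRootDSE
$sid     = (Get-ADGroup -Identity $group).SID

# Resolve the schema GUID of the "user" class and the GUID of the "Reset
# Password" control access right from the directory instead of hard-coding them.
$userClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwd  = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: Reset Password on descendant *user* objects only (not on the OU itself,
# not on groups or computers).
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl.AddAccessRule($resetRule)

# ACE 2: create and delete user objects in this OU and any sub-OU.
$crudRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($crudRule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Share side: a Full Control NTFS ACE on the folder tree is all that is needed.
$ntfs = Get-Acl -Path $folder
$ntfsRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$env:USERDOMAIN\$group", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
)
$ntfs.AddAccessRule($ntfsRule)
Set-Acl -Path $folder -AclObject $ntfs

# Verify: show only the ACEs on the OU that name the delegated group.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The two AD ACEs are scoped to the user class on purpose: a delegation that covers all object types under the OU would also let the group reset passwords of, or delete, computer accounts and groups placed there. Anything living outside that OU, including the Exchange security groups, stays out of reach.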
 
LVL 1

Author Comment

by:David Haycox
Thanks for that.  We're using the built-in Windows Server / SBS Backup to rotated USB drives.
 
LVL 53

Expert Comment

by:McKnife
And checking backups means he would simply need to look at the logs? Then he needs read access to the log file, that's all.
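A read-only way to do the "look at the logs" check, added here as an example and not from the thread: it reads the Windows Server Backup operational event log and reports the newest entries. Membership in the builtin Event Log Readers group (or a reader ACE on that channel) is enough to run it; it does not need Backup Operators, which carries SeBackupPrivilege and can read any file on the server, including the AD database, so is anything but a read-only grant. The server name, log name and count are parameters with assumed defaults; confirm the log name on the box with `Get-WinEvent -ListLog *Backup*`.

```powershell
# Added example, not code from the thread. Read-only: reads the Windows Server
# Backup operational log and summarises the newest entries. Defaults are
# assumptions; confirm the log name with: Get-WinEvent -ListLog *Backup*
param(
    [string]$Server  = $env:COMPUTERNAME,
    [string]$LogName = 'Microsoft-Windows-Backup',
    [int]$Count      = 20
)

# Newest events first. Requires only read access to the log, which the
# builtin "Event Log Readers" group grants.
$events = Get-WinEvent -ComputerName $Server -MaxEvents $Count -ErrorAction Stop `
    -FilterHashtable @{ LogName = $LogName }

# Level: 2 = Error, 3 = Warning, 4 = Information (standard ETW levels).
$events |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

$lastError = $events | Where-Object { $_.Level -eq 2 } | Select-Object -First 1
$lastInfo  = $events | Where-Object { $_.Level -eq 4 } | Select-Object -First 1

if (-not $lastInfo) {
    Write-Warning "No informational backup entry among the last $Count events on $Server."
} elseif ($lastError -and $lastError.TimeCreated -gt $lastInfo.TimeCreated) {
    Write-Warning ("Newest backup entry on {0} is an error at {1}: {2}" -f `
        $Server, $lastError.TimeCreated, ($lastError.Message -split "`r?`n")[0])
} else {
    "Newest informational backup entry on {0}: {1}" -f $Server, $lastInfo.TimeCreated
}
```

Because `Get-WinEvent` takes `-ComputerName`, the check can run from the assistant's workstation against the server without giving that person a Remote Desktop logon at all.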
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
Have not checked this myself because it has never been an issue, but wondering if the Console Add User Wizard will work if the user has no Exchange rights, since the Add User Wizard does create the user's mailbox.
 
LVL 53

Expert Comment

by:McKnife
Larry, you could be right - I never used an SBS apart from initial testing many years ago. So if that wizard is the only way and if it automatically tries to create an account, of course that would fail. But inside the Exchange part there might be delegations, too, mightn't there? Sorry, I won't be able to test.
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
Apart from the Wizard, which is the best way to manage an SBS, why would you want to create a new user with no mailbox?  The original question had to do with that.  I guess that as long as the activities of this "super user" did not include any Exchange functions (changing a name as another example), one might be able to do what is described, as long as you can figure out a way to enable this person to log on to the server in the first place.
 
LVL 1

Author Comment

by:David Haycox
Interesting comments!  I would suspect the SBS wizards would break if the user is not a domain / Exchange admin, so for ease I'll remove the requirement to add new users (and anything else that involves Exchange).

To allow the user to log on to the server you can add the user/group to the "allow log on through Remote Desktop Services" setting (Computer Configuration, Windows Settings, Security Settings, User Rights Assignment) in local policy (GPEDIT.MSC) or in a group policy.

That doesn't make the user a local admin though, so while he/she can log on there's a UAC prompt when trying to do pretty much anything (like running MMC or the Server Backup console).

So does he have to use remote admin tools, or is there a way to allow him to log on by Remote Desktop to run e.g. MMC locally?
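To verify the User Rights Assignment change described above, here is an added PowerShell example (not code from the thread): it exports the user-rights section of the policy currently in effect on the server with `secedit`, lists who holds SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services"), and checks whether a given account gets the right directly or through one of the listed groups. It assumes the ActiveDirectory module and an elevated session on the server; `$Principal` is a placeholder.

```powershell
# Added example, not code from the thread. Lists the holders of
# SeRemoteInteractiveLogonRight in the policy applied to this server and tells
# whether $Principal (placeholder, DOMAIN\sAMAccountName) is among them,
# directly or via group membership. Run elevated on the server.
param([string]$Principal = 'EXAMPLE\delegated.admin')
Import-Module ActiveDirectory

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$line = Get-Content -Path $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
if (-not $line) { throw "SeRemoteInteractiveLogonRight is not defined in $inf" }

# secedit writes SIDs as *S-1-5-...; names it could not resolve appear as text.
$holders = foreach ($item in (($line -split '=', 2)[1] -split ',')) {
    $v = $item.Trim()
    if ($v.StartsWith('*')) {
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
            $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $v }    # unresolvable SID: keep it raw so it is still visible
    } else { $v }
}
"Holders of SeRemoteInteractiveLogonRight on host $env:COMPUTERNAME"
$holders | ForEach-Object { "  $_" }

# Direct grant?
$sam    = $Principal.Split('\')[-1]
$direct = $holders | Where-Object { $_ -ieq $Principal -or $_.Split('\')[-1] -ieq $sam }

# Grant through a listed group? On a DC the builtin groups (Administrators,
# Remote Desktop Users, ...) are AD objects, so Get-ADGroupMember can expand them.
$viaGroup = foreach ($h in $holders) {
    $name = $h.Split('\')[-1]
    try {
        $g = Get-ADGroup -Identity $name -ErrorAction Stop
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
        if ($members | Where-Object { $_.SamAccountName -ieq $sam }) { $h }
    } catch { }   # not a domain/builtin group (a user, or an NT AUTHORITY principal)
}

if ($direct -or $viaGroup) {
    "{0} holds the right (direct: {1}; via: {2})" -f $Principal, [bool]$direct, ($viaGroup -join ', ')
} else {
    "{0} does NOT hold the right" -f $Principal
}
```

One caveat worth checking with this script rather than assuming: an SBS box is a domain controller, and a user right defined in a GPO linked to the Domain Controllers OU (the Default Domain Controllers Policy defines several) overrides the same setting in local policy at the next refresh. If the script shows the local GPEDIT change has disappeared, put the setting in that GPO instead.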
 
LVL 21

Assisted Solution

by:Larry Struckmeyer MVP
Larry Struckmeyer MVP earned 150 total points
I think you are overthinking this.  Either you trust this person(s) or not.  If you can't trust them they have NO business connecting to your servers with anything but shares.  Full Stop.
 
LVL 30

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 150 total points
You could remove that user from all the Exchange security groups such as Organization Management, but as a Domain Admin they could easily add themselves back into these groups.

Maybe Active Directory Delegation of Administration could help. Just delegate to them a few OUs where all the users or computer accounts are located. That way they can't access the Exchange Security OU. Never tried it, but it's the only thing I can think of.
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Active-Directory-Delegation-Administration.html

I would guess SBS isn't set this way but the full version of Exchange also lets you choose to completely separate AD administration from Exchange administration.
 
LVL 1

Author Comment

by:David Haycox
Larry: I'm inclined to agree with you, but it's not my decision here - I'm just implementing it.  Having said that, I can understand the reasons behind trusting a technical admin to reset a password but not trusting the same person with the ability to view the management's confidential emails (possibly about other members of staff).  At the end of the day, if it can't be done on SBS, then so be it.

I will try out the delegation and post back the results.
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
Admins need to reset passwords very seldom.  Ctrl-Alt-Del on the workstation brings up a Change Password button.  If we are discussing the occasions where you wish to lock someone out or the user has somehow forgotten his password, in my experience that happens very seldom.  If you really can't trust the assistant admin, how about your external IT support for those few times that the regular internal admin is not available?
 
LVL 35

Expert Comment

by:Cris Hanna
You can add the user to the Server Operators group, but that will not allow access to the SBS console.  But they could reset passwords via Users and Computers.  They could also deal with file and folder permissions.  But they can't create new users.
 
LVL 1

Author Comment

by:David Haycox
The AD delegation works well (I just delegated down from the MyBusiness OU), allowing changes to user accounts but nothing involving admin accounts or groups.

I found a group called "Domain Power Users" (not sure if this is a default with Server 2008, SBS2011, or perhaps left over from SBS2003 - in any case it had no members) which is a member of the following groups:

Account Operators
Fax Operators
Folder Operators
Mail Operators
Print Operators
Remote Operators
SharePoint Administrators

I removed "Mail Operators" from the group and made the user in question a member.  I also added "DHCP Administrators", "Backup Operators" and "DnsAdmins" to the group.

This allows the user to administer the AD (in part), DHCP and DNS from their PC or a Remote Desktop server running Remote Server Administration Tools.

I haven't tested the rest yet; will update when I have full details.
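Both Gareth's point (a Domain Admin can simply re-add himself to Organization Management) and the nested "Domain Power Users" membership above come down to the same question: which groups does the assistant account actually end up in? This added PowerShell example (not code from the thread) walks the account's memberOf chain upwards and flags two kinds of group: anything under the "Microsoft Exchange Security Groups" OU, where the Exchange 2010 role groups live, and a watch list of builtin groups whose membership on a domain controller is effectively full control (Account Operators, Server Operators, Backup Operators and Print Operators each have well-known routes to that), plus the SBS "Mail Operators" group mentioned in the thread. It assumes the ActiveDirectory module; `$Account` and the watch list are this example's own choices.

```powershell
# Added example, not code from the thread. Expands the nested group membership
# of one account (following memberOf upwards) and flags groups that would give
# it Exchange rights or other well-known high privilege. Requires the
# ActiveDirectory module. $Account is a placeholder sAMAccountName.
param([string]$Account = 'delegated.admin')
Import-Module ActiveDirectory

# Watch list (this example's choice): builtin groups that amount to full control
# of a DC, the Exchange-relevant SBS group from the thread, and the usual admins.
$watch = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
           'Account Operators', 'Server Operators', 'Backup Operators',
           'Print Operators', 'Mail Operators')
# Exchange 2010 role groups (Organization Management, Recipient Management, ...)
# are matched by where they live rather than by name.
$exchangeOu = '*,OU=Microsoft Exchange Security Groups,*'

$user  = Get-ADUser -Identity $Account -Properties memberOf
$paths = @{}                                   # group DN -> chain of DNs leading to it
$queue = New-Object System.Collections.Queue
foreach ($dn in $user.memberOf) { $queue.Enqueue([string[]]@($dn)) }

# Breadth-first walk; the first chain that reaches a group is the one reported.
while ($queue.Count -gt 0) {
    [string[]]$path = $queue.Dequeue()
    $dn = $path[-1]
    if ($paths.ContainsKey($dn)) { continue }
    $paths[$dn] = $path
    $g = Get-ADGroup -Identity $dn -Properties memberOf
    foreach ($parent in $g.memberOf) { $queue.Enqueue([string[]]($path + $parent)) }
}
# Note: memberOf never lists the primary group (normally Domain Users).

$rows = foreach ($dn in $paths.Keys) {
    $name = ($dn -split ',')[0] -replace '^CN='
    $flag = if ($dn -like $exchangeOu)       { 'EXCHANGE' }
            elseif ($watch -contains $name)  { 'PRIVILEGED' }
            else                             { '' }
    $chain = ($paths[$dn] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' -> '
    New-Object PSObject -Property @{ Flag = $flag; Group = $name; Via = $chain }
}
$rows | Sort-Object @{ Expression = 'Flag'; Descending = $true }, Group |
    Format-Table Flag, Group, Via -AutoSize

$hits = @($rows | Where-Object { $_.Flag })
if ($hits.Count -gt 0) { Write-Warning "$Account reaches $($hits.Count) flagged group(s)" }
```

Run it against the assistant account after every group change; the `Via` column shows the chain (for instance `Domain Power Users -> Account Operators`) that has to be cut if a flagged group turns up, which is easy to miss when the membership is several nestings deep.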
 
LVL 35

Expert Comment

by:Cris Hanna
Just understand that they cannot access the SBS console with these settings and therefore can't create new users.
 
LVL 1

Author Comment

by:David Haycox
Understood; we're after day-to-day admin, it's not that often that we need a new user and there's always plenty of notice when we do.
 
LVL 1

Author Closing Comment

by:David Haycox
We eventually gave up on this; we were trying to go behind the back of the SBS console and wizards (which is usually a bad idea) and so just assigned full admin rights or not depending on the user.

Thanks for the ideas!