organisation management 2013

In relation to the group/role "organisation  management" in exch2013, what permissions does this give the user, and what types of user typically require this permission? Or put another way, what could a malicious user do to your exchange environment if they got hold of an account with organisation management permissions.

I am reviewing security permissions and noticed generally the whole IT section (25+ employees) have been added organisation permissions - but I need to determine if this is common, or if you have only a few trusted users with organisation management permissions - and if so for what tasks do they require such access.
LVL 3
pma111Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
Advertise Here
 
VB ITSConnect With a Mentor Specialist ConsultantCommented:
I am reviewing security permissions and noticed generally the whole IT section (25+ employees) have been added organisation permissions
That's way too many people. As Will has outlined above, the Organization Management group has almost complete access to your Exchange environment so only add the users that need to be in this group. For all others I would look at creating some custom RBAC roles and applying only the required access to these roles.

Start off here first to get a better understanding of the RBAC model in Exchange: https://technet.microsoft.com/en-us/library/dd298183(v=exchg.150).aspx

This article walks you through the process of creating a custom RBAC role group and adding specific permissions to this group so as to limit what users can do. Note that this is a four-part article: http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/rbac-made-easy-part1.html
0
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
Org Management, is the top level administrative Group for Exchange 2013 (think of it as a domain admin account for an AD Domain). Users/Group that are associated with this built-in group have access to perform any administrative task in your Exchange Organization. If you have Users that are not Exchange Admins in your environment I would not have them part of this group.

Take a look at the technet below which explains Org Management Group in more detail.
https://technet.microsoft.com/en-us/library/dd335087%28v=exchg.150%29.aspx

Will.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.