Solved

organisation management 2013

Posted on 2015-02-17

2 solutions

59 Views

Last Modified: 2015-02-25

In relation to the group/role "organisation management" in exch2013, what permissions does this give the user, and what types of user typically require this permission? Or put another way, what could a malicious user do to your exchange environment if they got hold of an account with organisation management permissions.

I am reviewing security permissions and noticed generally the whole IT section (25+ employees) have been added organisation permissions - but I need to determine if this is common, or if you have only a few trusted users with organisation management permissions - and if so for what tasks do they require such access.

Comment

Question by:pma111

[X]

Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

Help others & share knowledge
Earn cash & points
Learn & ask questions

Join The Community

2 Comments

LVL 53

Assisted Solution

by:Will Szymkowski

Will Szymkowski earned 250 total points

ID: 406143232015-02-17

Org Management, is the top level administrative Group for Exchange 2013 (think of it as a domain admin account for an AD Domain). Users/Group that are associated with this built-in group have access to perform any administrative task in your Exchange Organization. If you have Users that are not Exchange Admins in your environment I would not have them part of this group.

Take a look at the technet below which explains Org Management Group in more detail.
https://technet.microsoft.com/en-us/library/dd335087%28v=exchg.150%29.aspx

Will.

LVL 24

Accepted Solution

by:VB ITS

VB ITS earned 250 total points

ID: 406143812015-02-17

I am reviewing security permissions and noticed generally the whole IT section (25+ employees) have been added organisation permissions

That's way too many people. As Will has outlined above, the Organization Management group has almost complete access to your Exchange environment so only add the users that need to be in this group. For all others I would look at creating some custom RBAC roles and applying only the required access to these roles.

Start off here first to get a better understanding of the RBAC model in Exchange: https://technet.microsoft.com/en-us/library/dd298183(v=exchg.150).aspx

This article walks you through the process of creating a custom RBAC role group and adding specific permissions to this group so as to limit what users can do. Note that this is a four-part article: http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/rbac-made-easy-part1.html

Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unorthodox Phishing Attempt Seeks Email Password

Article by: Dermot

Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.

Exchange 2013: Fix for an Invalid certificate and related issues

Article by: ☠MAS☠

This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…

Setup SMTP relay to office 365

Video by: Alan

how to add IIS SMTP to handle application/Scanner relays into office 365.

How to sync iPhone, Android, BlackBerry with Public Folders on Exchange Server

Video by: CodeTwo

This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…