Announcement

Collapse
No announcement yet.

Administrator privileges child domain

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Administrator privileges child domain

    Hi all,

    In the last couple of weeks i'm upgrading our existing Exchange 2000 server to a Exchange 2007 server. Our Exchange 2007 server is online, and even running some mailboxes.

    At this moment I'm checking permissions. I have one root domain and one child domain.

    When I check the rights I notice that the Administrator of the child domain can edit to much of my exchange settings like:
    - mount/unmount databases
    - all settings in the Microsoft Exchange --> Organization Configuration --> Mailbox -->* menu
    - all settings in the Microsoft Exchange --> Organization Configuration --> Client Access -->* menu
    - all settings in the Microsoft Exchange --> Organization Configuration --> Hub Transport --> menu

    And probably more then what i summarize.

    Other users in the Domain Admins group in that child domain have no rights, like it should be.

    When I check the default exchange groups in domain.local\Microsoft Exchange Security Groups\ none of the groups has childdomain\administrator as it's member.

    Anyone have any ideas why this could be?

    Best regards,

    Bert

  • #2
    Re: Administrator privileges child domain

    Hi,

    Checked on my Lab Environment which is same as yours.

    It's suppose to be like that by default. You would find the root administrator to be the member of all the Microsoft Exchange Security groups. These permissions are granted when you install E2K7. It's asks you which user/admin you want to give grant permission to control/install E2K7 in the existing/new org
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points

    Comment


    • #3
      Re: Administrator privileges child domain

      Yes, correct and that's OK for me.

      But it is the Administrator account of the child domain who also has a lot of permissoins without beging in those security groups.

      Comment


      • #4
        Re: Administrator privileges child domain

        That could be possible if someone has delegated the Exchange Full Administrator privilege to Child Domain's Admin
        Thanks & Regards
        v-2nas

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
        Blog: http://www.exchadtech.blogspot.com

        Show your appreciation for my help by giving reputation points

        Comment


        • #5
          Re: Administrator privileges child domain

          Originally posted by v-2nas View Post
          That could be possible if someone has delegated the Exchange Full Administrator privilege to Child Domain's Admin
          v-2nas,

          Is it possible to tell me where I can check if that is the case? When i check this on the exchange server objects or exchange server OU I can't find that setting.

          Gr,

          Comment


          • #6
            Re: Administrator privileges child domain

            Select Organization Configuration and check on the right hand side under Exchange Administrator
            Thanks & Regards
            v-2nas

            MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
            Sr. Wintel Eng. (Investment Bank)
            Independent IT Consultant and Architect
            Blog: http://www.exchadtech.blogspot.com

            Show your appreciation for my help by giving reputation points

            Comment


            • #7
              Re: Administrator privileges child domain

              Oh OK, that's something i checked from the beginning. The Administrator of the child domain is not listed there. Also he is not a member of one of the groups listed as Exchange administrators.

              Comment


              • #8
                Re: Administrator privileges child domain

                Then not sure, probably someone might have explicitly made child admin the members of the group or you must have installed some software which might have added those permissions.
                Thanks & Regards
                v-2nas

                MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                Sr. Wintel Eng. (Investment Bank)
                Independent IT Consultant and Architect
                Blog: http://www.exchadtech.blogspot.com

                Show your appreciation for my help by giving reputation points

                Comment

                Working...
                X