
Log into Exchange servers


  • Log into Exchange servers

    Hello,

    Is it best practice to create a user to manage the Exchange servers, or maybe it is better to install the management console on Windows 7 or 8 and then log in as the network admin?

    Thanks in advance.
    -
    Madrid (Spain).

  • #2
    IMHO best practice is to create an admin workstation with all the remote management tools installed - this is far easier than remoting into different servers for different tasks. Having said that, I am writing this as I am looking at a remote desktop session to my mailserver on the other monitor, so "do as I say, not as I do".

    Only issue is remembering to patch the admin workstation whenever Exchange gets patched on the server, also ensuring the remote PowerShell configuration is correct.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      I have never seen anything about best practice on WHERE to log in to.
      Plenty about how.
      All administrators should have two accounts. A regular user account which is mail enabled and used on their workstation (could also be a local admin) and an admin account which is not used for workstation-type work and isn't mail enabled.
      The admin then logs in to the server or application with their own admin account.
      You could have the tools on your workstation, then use RUN AS to run them under the correct context. However, as pointed out, this makes patching difficult, particularly with Exchange CUs not coming down in Windows Update.
      Therefore the method I have used on large sites is a terminal server. This has all of the admin tools on it and is patched first (so the admin tools are always the latest). One thing I have learned though is to ensure the admins don't have admin rights on the terminal server, so one person is responsible for updating it.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.



      • #4
        In the past I saw some networks where an account named "Exchadmin" was created, and then the IT person logged in as this ExchAdmin user.
        Is this for security reasons?
        -
        Madrid (Spain).



        • #5
          It isn't something I would have done.
          If you have a single account then you have no auditing available. Therefore I would say it wasn't very secure at all.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            I would agree about the two accounts - a non-admin one for "normal" work and an administrative one (as Sembee said, using Run As or a separate session) for admin work. Exchange allows you to separate email administration/security from AD - important in some environments although I have never personally used it.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **
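
Added example (not part of any post in this thread and not code from its participants): a PowerShell check for two points raised in #3 and #5, that admin accounts should not be mail-enabled and that a shared login such as "ExchAdmin" leaves no per-person audit trail. The sample objects are constructed and only mimic the `Name`/`RecipientType` and `Caller`/`CmdletName` properties returned by `Get-RoleGroupMember` and `Search-AdminAuditLog`; the function names and account names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Sample data is constructed; function and account names are hypothetical.
# In the Exchange Management Shell, feed the functions real objects instead:
#   Get-RoleGroupMember 'Organization Management' | Find-MailEnabledAdmin
#   Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) | Get-AuditCallerSummary

function Find-MailEnabledAdmin {
    # Flags role-group members that have a mailbox or mail address, i.e. admin
    # accounts that double as everyday mail accounts (breaks the two-account rule).
    param([Parameter(ValueFromPipeline = $true)] $Member)
    process {
        if ('UserMailbox', 'MailUser' -contains $Member.RecipientType) {
            [pscustomobject]@{
                Account = $Member.Name
                Problem = "mail-enabled ($($Member.RecipientType))"
            }
        }
    }
}

function Get-AuditCallerSummary {
    # Counts logged admin cmdlets per caller. Everything done through a shared
    # login collapses into one caller, so it cannot be tied to a person.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    begin   { $all = @() }
    process { $all += $Entry }
    end {
        $all | Group-Object Caller | Sort-Object Count -Descending |
            Select-Object @{ n = 'Caller';  e = { $_.Name } }, Count,
                          @{ n = 'Cmdlets'; e = { ($_.Group | Select-Object -ExpandProperty CmdletName -Unique) -join ', ' } }
    }
}

# Constructed role-group membership: one dedicated admin account, one mailbox user.
$members = @(
    [pscustomobject]@{ Name = 'adm-jgarcia'; RecipientType = 'User' }
    [pscustomobject]@{ Name = 'tsmith';      RecipientType = 'UserMailbox' }
)
# Constructed audit entries: two changes made through the shared login, one personal.
$audit = @(
    [pscustomobject]@{ Caller = 'example.local/Users/ExchAdmin';   CmdletName = 'Set-Mailbox' }
    [pscustomobject]@{ Caller = 'example.local/Users/ExchAdmin';   CmdletName = 'New-TransportRule' }
    [pscustomobject]@{ Caller = 'example.local/Users/adm-jgarcia'; CmdletName = 'Set-Mailbox' }
)

$members | Find-MailEnabledAdmin     # reports tsmith only
$audit   | Get-AuditCallerSummary    # ExchAdmin: 2 entries, no way to tell who made them
```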
