Exchange administrator


  • Exchange administrator

    Hello,

    Every time I install Exchange servers (lab environments, studying) I do it through the Domain Administrator, hence, I would say, not best practice.

    How could I do it? I ran into a subject called "service accounts" and I am not sure if that would be the best option, security-wise.

    Is there a built-in Active Directory account to run the Exchange Servers, with security?

    Thanks in advance.
    -
    Madrid (Spain).

  • #2
    Why do you think that isn't best practice?
    You need to be a domain admin to install Exchange for the first time because it makes changes to the domain.

    Service Accounts are not required because Exchange uses the built-in Service Accounts to run.
    Once you have installed Exchange you can set permissions for users, but to install updates will usually require a domain account - particularly service packs/cumulative updates which often have schema updates.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.


    • #3
      Originally posted by loureed4
      Hello,

      Every time I install Exchange servers (lab environments, studying) I do it through the Domain Administrator, hence, I would say, not best practice.

      How could I do it? I ran into a subject called "service accounts" and I am not sure if that would be the best option, security-wise.

      Is there a built-in Active Directory account to run the Exchange Servers, with security?

      Thanks in advance.

      Where did you get the idea that this isn't best practice? Can you cite your sources? In the typical installation of Exchange (single domain/forest) the user account used to install Exchange needs to be a member of the Schema Admins and Enterprise Admins groups, which would be your domain Administrator account. You wouldn't be able to install Exchange without using the domain Administrator account.


      • #4
        Thanks.

        Sorry, I meant to say the account to manage Exchange on a daily basis, maybe from a workstation through the Exchange management console or through PowerShell.

        I always hear that the Administrator account should not be used to log in to a server.
        -
        Madrid (Spain).


        • #5
          Best practice is quite simple.
          1. Change the password on the Administrator account, then lock it away. On some sites I have seen the Administrator account renamed and then disabled. A new account with no privileges called Administrator is created and then the event logs are monitored for entries against that account. It can be an early sign of an attack, as the original administrator account cannot be locked out.
          2. Create a regular user account for yourself, which is mail enabled. This does NOT have any additional permissions that normal users have. You use this to log in to your workstation. If you feel you need to have local admin rights on your workstation, then use that account.
          3. Create an admin level account for yourself. This is the account that is granted Domain Admin etc. You use this account to log in to the servers. You could use the admin tools on your workstation, but you would need to use Run As. For Exchange 2013 and higher, there is little point installing the admin tools as you don't get anything. PowerShell connects to the server itself and everything else runs through ECP in a browser.
          On older versions, a common trick was to create an admin server. This was a regular Windows server with all of the tools on it, enabled as an RDP (Terminal) server. Admins could then log in to that rather than the actual servers to do whatever they needed to do. It meant that the tools only had to be maintained on one server.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.
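
The decoy-account monitoring described in post #5, sketched in PowerShell as an added example (not part of the original thread or any poster's own code): it flags Security-log authentication events that name the decoy. The account name, the choice of event IDs, the function names and the sample events are assumptions made for illustration.

```powershell
# Added example. Assumption: the unprivileged decoy account is named 'Administrator'.
$DecoyName = 'Administrator'
# Successful/failed logon, Kerberos TGT request and pre-auth failure, NTLM validation
$WatchIds = 4624, 4625, 4768, 4771, 4776

# Flatten a Security log record (from Get-WinEvent) into the fields we need.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $src = $data['IpAddress']
        if (-not $src) { $src = $data['Workstation'] }   # 4776 carries no IpAddress
        [pscustomobject]@{
            TimeCreated    = $Record.TimeCreated
            Id             = $Record.Id
            TargetUserName = $data['TargetUserName']
            Source         = $src
        }
    }
}

# Return every watched event that names the decoy (-eq is case-insensitive).
function Get-DecoyHit {
    param([object[]] $Events, [string] $AccountName = $DecoyName)
    foreach ($e in $Events) {
        if ($e.Id -in $WatchIds -and $e.TargetUserName -eq $AccountName) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Source = $e.Source }
        }
    }
}

# Constructed sample events (not real log data), so the logic runs anywhere.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T02:14:00'; Id = 4625; TargetUserName = 'administrator'; Source = '192.0.2.15' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T02:14:30'; Id = 4624; TargetUserName = 'jsmith'; Source = '192.0.2.20' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T02:15:05'; Id = 4771; TargetUserName = 'Administrator'; Source = '192.0.2.15' }
)
Get-DecoyHit -Events $sample | Format-Table -AutoSize

# Against a live domain controller (elevated session), feed real records instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $WatchIds;
#             StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
#         ConvertFrom-SecurityEvent
# Get-DecoyHit -Events $live
```

Because nobody legitimately signs in as the decoy, any row returned is worth investigating, starting with the `Source` column.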


          • #6
            Amazing tips!! So grateful!

            I had heard the first one, like (as you wrote), renaming the Administrator account to "null" or "user1", but did not know the second part, namely, to rename a normal account as "Administrator".

            Thanks a lot.
            -
            Madrid (Spain).
