Lockout domain admins?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Lockout domain admins?

    What is the best way to go about locking out domain admins and Exchange admins from accessing other users' mailboxes? Is there a specific group they are part of that I can remove them from for a short period? I have been asked to remove access as there is suspicion that there is abuse occurring...

  • #2
    Re: Lockout domain admins?

    That's a futile effort. If they're Domain and/or Enterprise Admins they can simply give back whatever you take away. My suggestion would be to review your staff and make appropriate adjustments to the members of the Domain Admins and Enterprise Admins groups and then use Delegation of Control and RBAC to grant admins the appropriate level of access to the appropriate components.

    • #3
      Re: Lockout domain admins?

      That's what I thought as well, but had to get a second opinion... Are there any detailed auditing options that will log all administrative activities?

      • #4
        Re: Lockout domain admins?

        Which exchange version?

        In Exch2010 you have much more flexible role-based access control -- one of the options is separation of email admins and domain admins - for Split Permissions:
        http://www.google.co.uk/search?q=exc...jIH-rK0QXzp4Bg
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        • #5
          Re: Lockout domain admins?

          By default no one has access to all mailboxes.
          In fact Domain Admins are specifically blocked from having access.
          Therefore if it is the case in your environment that Domain Admins have access to everything, then something has been changed.
          It is something I see quite a bit as there are many admins of Exchange servers who believe they "need" the permission to be able to "do their job", which is so not the case.

          You need to look through the permissions to see where the permission has been granted and remove it. There are a number of places it can be set. The only permissions you have to look for though are Full Mailbox and Receive As. No other permissions should be touched, otherwise you will break Exchange.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.
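One way to carry out the search Simon describes above, as an added example that is not from the thread or from Simon: it lists explicit (non-inherited, non-Deny) Full Access grants on mailboxes and Receive-As grants on mailbox databases held by privileged groups, which is where a changed default would show up. It assumes an Exchange 2007 Management Shell session and a constructed list of group names to look for.

```powershell
# Added example, not from the thread. Assumes Exchange 2007 Management Shell.
# $privileged is a constructed list; adjust to the groups you are concerned about.
$privileged = @('*\Domain Admins', '*\Enterprise Admins', '*\Exchange Organization Administrators')

# Returns $true when a permission's User value matches one of the privileged patterns.
$isPrivileged = {
    param($user)
    foreach ($pattern in $privileged) { if ($user -like $pattern) { return $true } }
    return $false
}

# Full Access granted directly on mailboxes. Inherited entries and the default
# Deny entries are skipped, so only explicit grants are listed.
$fullAccess = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        ($_.AccessRights -like '*FullAccess*') -and
        (& $isPrivileged $_.User.ToString())
    } | Select-Object Identity, User, AccessRights

# Receive-As granted at the mailbox database level, which gives access to every
# mailbox in that database. Same filtering as above.
$receiveAs = Get-MailboxDatabase | Get-ADPermission |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        ($_.ExtendedRights -like '*Receive-As*') -and
        (& $isPrivileged $_.User.ToString())
    } | Select-Object Identity, User, ExtendedRights

# Keep a record of what was found before touching anything.
$fullAccess | Export-Csv -Path .\FullAccess-Privileged.csv -NoTypeInformation
$receiveAs  | Export-Csv -Path .\ReceiveAs-Privileged.csv  -NoTypeInformation

$fullAccess | Format-Table -AutoSize
$receiveAs  | Format-Table -AutoSize

# After review, a listed grant is removed with Remove-MailboxPermission
# (-User, -AccessRights FullAccess) or Remove-ADPermission
# (-User, -ExtendedRights Receive-As) against the same Identity.
```

Only Full Access and Receive-As are touched here, in line with the warning above not to alter any other Exchange permissions.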

          • #6
            Re: Lockout domain admins?

            @Ossian - Exchange 2007. @Sembee - Great information, thanks a bunch for that. I do need to get solid evidence in the case that admins are modifying permissions then. Any ideas on how to do that? Is there a way to log all AD changes?

            • #7
              Re: Lockout domain admins?

              You can enable audit logging on the domain and Exchange to track the changes, but it will generate a high volume of logs, so you will have to use a third-party tool to manage them.

              Simon.
              --
              Simon Butler
              Exchange MVP