Limiting ExchangeAdmins Role


  • Limiting ExchangeAdmins Role

    Dear All,

    I'm in a Windows 2003 Server environment with forest and domain at 2003 functional level.

    I'm one of my network administrators and of course a DomainAdmins member. I added some users to the ExchangeAdmins group in order to manage existing users' Exchange attributes (alias, e-mail, etc.) only, but I discovered that after all of that they still can't do any of the tasks I thought the ExchangeAdmins group can do. I added them to the DomainAdmins group, so of course they did whatever they want and more, but as you all know they now had too much administrative privilege; I found that they created users, deleted others and more.

    Could anyone please give a solution for that situation or any workaround to solve this problem?

    Thx in advance,

  • #2
    Re: Limiting ExchangeAdmins Role



    Try this for starters:

    http://support.microsoft.com/kb/823018/

    You may also want to look at delegating permissions within AD to specific OU or sites depending on your administrative model.

    This may get you on your way:

    http://www.microsoft.com/technet/pro...y/actdid1.mspx

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Limiting ExchangeAdmins Role

      Hi,

      I wanna thank you, m80arm, for your help, but I wanna prohibit the Exchange admins group from creating new users (acting as account operator). I want them only to edit the user's properties "alias, display name, x400 and all other stuff".

      I already give them full administrators in the Exchange system delegation and Exchange admins in the Active Directory; what else shall I do?



      • #4
        Re: Limiting ExchangeAdmins Role

        Originally posted by adham512
        I already give them full administrators in the Exchange system delegation and Exchange admins in the Active Directory; what else shall I do?
        adham512,

        Sorry mate, just trying to understand what you have done so far. By the sounds of it you have delegated the Exchange admin role twice.

        What you should do is create three security groups:

        ExchangeFullAdmins
        ExchangeAdmins
        ExchangeReadOnly

        Then assign these permissions to the Exchange organisation accordingly. The difference between these three groups will be:

        ExchangeFullAdmins - Full control of Exchange org (incl. ability to change security permissions)
        ExchangeAdmins - Full control of Exchange org (excl. ability to change security permissions)
        ExchangeReadOnly - Read-only permissions to Exchange.

        Most admins will only need the ExchangeAdmins role as they should not require the privilege to change security permissions. Assign yourself or your superior to the ExchangeFullAdmins group.

        You then need to delegate your administrators the appropriate permissions in AD over the OUs which contain all your user accounts (depends on what AD administrative model you operate on). This can be done by right-clicking on the OU, selecting the Delegate option and following the wizard. You may wanna create a new security group for this instead of assigning all the permissions to individual accounts.

        Hope this makes sense

        Michael
        Michael Armstrong
        www.m80arm.co.uk
        MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Limiting ExchangeAdmins Role

          I would note that ExchangeFullAdmins, ExchangeAdmins, and ExchangeReadOnly are really roles that are assigned to security groups, and this is done through Exchange System Manager.

          Originally posted by adham512
          I wanna prohibit the Exchange admins group from creating new users (acting as account operator). I want them only to edit the user's properties "alias, display name, x400 and all other stuff".
          Like Michael said, you'll have to do this through Active Directory Users and Computers but, unless I'm mistaken, the Delegation of Control Wizard won't give all the options you're looking for. The Delegation of Control Wizard can get you started but you'll have to finish by changing the Security settings manually.

          I had to do something like this for my company and it turned out to be very tedious to give the group "just the right controls".

          HTH
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com



          • #6
            Re: Limiting ExchangeAdmins Role

            Hi,

            I finally did it by using the ADSI snap-in, but it's so hard to do and any mistake may cause you a lot of trouble.

            Thank you all for the help, you're the best.



            • #7
              Re: Limiting ExchangeAdmins Role

              What did you have to do in ADSIedit? If you were just changing the security that can be done in ADU&C. Enable Advanced Features and you then can see the Security tab.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com



              • #8
                Re: Limiting ExchangeAdmins Role

                As JeremyW said, "Unless I'm mistaken, the Delegation of Control Wizard won't give all the options you're looking for." I need them to edit "display name, alias, email address, email forwarding, etc."; I need to customize their delegation, so I opened ADSI Edit and then I gave the Exchange Admins group write permission on whatever item I want. I used a very good reference to accomplish this sensitive task, called "Working with Active Directory Permissions in Microsoft Exchange Server".

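The per-attribute delegation discussed in this thread can also be scripted with dsacls rather than set by hand in ADSI Edit. The following is an added example, not part of any post above: the OU path, domain and group name are placeholders, and the attribute list is an assumed mapping of the fields named in the thread to their LDAP names.

```powershell
# Added example: grant a group write access to selected mail attributes only.
# Placeholders (not from the thread): OU distinguished name and group name.
# dsacls.exe ships with the Windows Server 2003 Support Tools.
$ou    = 'OU=Staff,DC=example,DC=com'     # hypothetical OU holding the user accounts
$group = 'EXAMPLE\MailAttributeEditors'   # hypothetical delegated security group

# LDAP attribute names for the fields the thread lists (assumed mapping).
$attributes = @(
    'displayName',           # display name
    'mailNickname',          # Exchange alias
    'proxyAddresses',        # e-mail addresses
    'textEncodedORAddress',  # X.400 address
    'altRecipient',          # forwarding target
    'deliverAndRedirect'     # deliver-and-forward flag
)

foreach ($attr in $attributes) {
    # /I:S  = apply to child objects only, not the OU itself
    # RPWP  = read property + write property, limited to one attribute
    # ;user = the ACE is inherited by user objects only
    # No create-child or delete-child right is granted, so the group
    # cannot create or delete accounts.
    & dsacls.exe $ou /I:S /G "${group}:RPWP;${attr};user" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while granting $attr on $ou"
    }
}

# Review step: print every ACL line that names the group, with the lines
# that follow it, so the result can be checked against the list above.
& dsacls.exe $ou |
    Select-String -SimpleMatch $group -Context 0,2
```

Run it from an account that is allowed to modify the OU's ACL, and remove the delegated users from DomainAdmins once the attribute edits work with the narrower grant.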


                • #9
                  Re: Limiting ExchangeAdmins Role

                  Thanks for posting what you used.
                  I believe this is the reference you're talking about:
                  Online version
                  Download version
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com



                  • #10
                    Re: Limiting ExchangeAdmins Role

                    Yes, this is it.

                    Good luck with it :)
