Exchange Server Forums
domain admin and exch rights
domain admin and exch rights - 23.Jul.2008 8:17:23 AM
RdS
Posts: 4
Joined: 22.Jul.2008
Status: offline
hi, exch2007 sp1. i have noticed that domain admins have the ability to manage my exch org. this occurs in exch2003 also. members of domain admins are very few people and they need to be members for now. however, we cannot have them with exch admin rights. domain admins don't have rights to view others' mailboxes so acls on database have not changed. but doing so is an easy security change if one has exch admin rights. neither domain admins nor the users in question are members of any default exch groups NOR are they returned by "get-exchangeadministrator". is there no way to limit a domain admin's ability in my exch org? would think limiting such access would be commonplace. thanks.
RE: domain admin and exch rights - 23.Jul.2008 3:03:46 PM
Sembee
Posts: 3503
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
Unfortunately you are thinking of this the wrong way round. The best security practice is to give people the rights that they need only, not try to restrict them down from a higher level of permissions. If you have users who "need" domain admin rights then you need to accept the consequences of this - which includes the ability to change permissions on objects. While it is possible to change the permissions with Exchange to limit what someone can do within that application, someone with domain admin rights will still be able to change permissions etc. on the mailboxes because they have the permissions to do so - mailboxes are AD objects and a domain admin can change AD objects.
Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://www.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.amset.co.uk/
RE: domain admin and exch rights - 24.Jul.2008 8:27:38 PM
RdS
Posts: 4
Joined: 22.Jul.2008
Status: offline
thanks simon. i understand this and know they can give themselves rights, but not all domain admins know how to admin exchange. what i need to do is prevent domain admins from being exchange admins. is this not possible? i understand exchange config is stored in ad and that a domain admin could muck with rights, but not all domain admins are exchange admins.
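Added example, not part of the original thread or written by either poster: since the rights discussed above can be re-granted by anyone able to edit the ACLs, a periodic audit from the Exchange Management Shell shows who currently holds Exchange roles, store-wide Receive-As/Send-As, and explicit FullAccess, and whether that changed since the last run. The watched group names and the output file names are assumptions; the script makes no changes to Exchange or AD.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2007).
# Assumption: these are the groups whose Exchange access you want to track.
$watched = 'Domain Admins', 'Enterprise Admins'

function Test-Watched([string]$Trustee) {
    # True for 'DOMAIN\Domain Admins' style names of any watched group.
    foreach ($g in $watched) { if ($Trustee -like "*\$g") { return $true } }
    return $false
}

# 1. Who holds an Exchange administrator role (the cmdlet named in the thread).
$roles = Get-ExchangeAdministrator | Select-Object Identity, Role, Scope

# 2. Allow ACEs on mailbox databases that open or send as every mailbox in the store.
$storeAces = Get-MailboxDatabase | Get-ADPermission |
    Where-Object {
        -not $_.Deny -and
        (($_.ExtendedRights -like 'Receive-As') -or ($_.ExtendedRights -like 'Send-As'))
    } |
    Select-Object Identity, @{Name='User'; Expression={[string]$_.User}},
        @{Name='Rights'; Expression={[string]$_.ExtendedRights}}, IsInherited

# 3. Explicit (non-inherited) FullAccess grants on individual mailboxes.
$mailboxAces = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        -not $_.Deny -and -not $_.IsInherited -and
        ($_.AccessRights -like '*FullAccess*') -and
        ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
    } |
    Select-Object Identity, @{Name='User'; Expression={[string]$_.User}},
        @{Name='Rights'; Expression={[string]$_.AccessRights}}, IsInherited

# Rows where the trustee is one of the watched groups deserve a closer look.
$flagged = @($storeAces) + @($mailboxAces) | Where-Object { Test-Watched $_.User }

# Save a dated snapshot; diff it against the previous run to spot ACL changes.
$stamp = Get-Date -Format 'yyyyMMdd'
$roles       | Export-Csv "exch-roles-$stamp.csv" -NoTypeInformation
$storeAces   | Export-Csv "exch-store-aces-$stamp.csv" -NoTypeInformation
$mailboxAces | Export-Csv "exch-mailbox-aces-$stamp.csv" -NoTypeInformation

"Flagged ACEs for watched groups: $(@($flagged).Count)"
$flagged | Format-Table -AutoSize
```

Comparing two snapshots (for example with `Compare-Object` on the imported CSV rows) turns a quiet permission change into a visible difference.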