Re: Local Admin on Domain Controller?

From: Ben Winzenz [Exchange MVP] (ben_winzenz_at_NOSPAMdotmessageonedotcom)
Date: 03/22/05

    Date: Tue, 22 Mar 2005 15:41:08 -0600
    
    

    Be careful - you are confusing separate sets of permissions.

    Delegating Full Exchange Admin control to *any* account regardless of
    whether it is a domain admin will force an inherited deny to log on to all
    mailboxes. You need to make sure that you are separating the permissions.
    Delegating control implies (or should) administrative control (i.e. make
    changes to mailbox settings, add connectors, etc. etc.). However, starting
    with Exchange 2000, it no longer implies full access to all mailboxes.

    If you want the domain admin to have full access to all mailboxes, then you
    need to also grant it Send As/Receive As permissions on the Mailbox Store.
    This equates to Full Mailbox Access. In order to do this, you will have to
    either modify the inherited deny to force an explicit allow on the mailbox
    store, or you will have to remove the inherited deny (often inherited from
    the Organization).

    -- 
    Ben Winzenz
    Exchange MVP
    "you know who maybe" <nguser2u@spamnotAOL.com> wrote in message 
    news:113ujiktnaf8q48@news.supernews.com...
    > thanks, but he is a Domain Admin. I know that's how it's supposed to work, 
    > but Exchange doesn't care: it wants a local admin.
    >
    > So far this is the only drawback I've found to running Exchange on a 
    > domain controller: Delegate Control will add the user as a Full Exchange 
    > Admin but it just doesn't work. The account cannot access any mailbox with 
    > full access, as he can on an exchange server that is not a DC.
    >
    >
    > "PD" <nomail@mail.com> wrote in message 
    > news:CRH%d.42913$hs5.3576979@phobos.telenet-ops.be...
    >>A domain controller doesn't have any local users.
    >> If you make your user a member of the domain admins group, then he should 
    >> have all the necessary permissions...
    >>
    >> "you know who maybe" <nguser2u@spamnotAOL.com> wrote in message 
    >> news:113uhpbtbs4hnb0@news.supernews.com...
    >>> I've been fighting a number of issues related to permissions which require 
    >>> the user to be a member of the local admin group on the exchange server, 
    >>> but in this case the exchange server is a domain controller.
    >>>
    >>> Any ideas on what to do here?
    >>>
    >>> Thanks!
    >>>
    >>>
    >>
    >>
    >
    > 
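
The override described in the reply above works because Windows evaluates ACEs in canonical order, explicit entries before inherited ones and deny before allow at each level. This is an added example, not part of the original thread: it models that ordering in Python, and the account name, the depth assigned to the Organization and the right labels are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # account or group the ACE names
    rights: frozenset    # rights the ACE covers
    depth: int = 0       # 0 = explicit on this object, 1 = parent, 2 = grandparent, ...

def canonical_order(acl):
    # Explicit ACEs first, then nearer ancestors; deny before allow at each level.
    return sorted(acl, key=lambda a: (a.depth, a.kind != "deny"))

def access_check(acl, token, wanted):
    # Walk the ACEs in order: a deny on a right not yet granted fails the
    # request, allows accumulate until every requested right is granted.
    remaining = set(wanted)
    for ace in canonical_order(acl):
        hit = remaining & ace.rights
        if ace.trustee not in token or not hit:
            continue
        if ace.kind == "deny":
            return False
        remaining -= hit
        if not remaining:
            return True
    return False

# Constructed sample data: account name, depth and right names are illustrative.
ADMIN = "EXAMPLE\\mailadmin"
TOKEN = {ADMIN, "EXAMPLE\\Domain Admins"}
MAILBOX = frozenset({"Send As", "Receive As"})
ORG = 2  # Organization modelled as two levels above the Mailbox Store

# What the Mailbox Store inherits after Full Exchange Admin is delegated.
DELEGATED = [
    Ace("allow", ADMIN, frozenset({"Administer"}), ORG),
    Ace("deny", ADMIN, MAILBOX, ORG),
]
# Option 1 from the post: explicit allow on the store, inherited deny left in place.
EXPLICIT_ALLOW = DELEGATED + [Ace("allow", ADMIN, MAILBOX, 0)]
# Granting only at the Organization loses: deny sorts before allow at that level.
ORG_ALLOW_ONLY = DELEGATED + [Ace("allow", ADMIN, MAILBOX, ORG)]
# Option 2 from the post: inherited deny removed, allow granted.
DENY_REMOVED = [a for a in ORG_ALLOW_ONLY if a.kind != "deny"]

if __name__ == "__main__":
    for name in ("DELEGATED", "EXPLICIT_ALLOW", "ORG_ALLOW_ONLY", "DENY_REMOVED"):
        print(name, access_check(globals()[name], TOKEN, MAILBOX))
```

The same model is useful when auditing who can open other users' mailboxes: an explicit allow on a store silently defeats a deny set higher up, so review explicit ACEs on each store rather than relying on the Organization-level deny.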
    
