Re: Exchange Server - What is its "Parent Object"?
- From: "Ed Crowley [MVP]" <curspice@xxxxxxxxxxxxxx>
- Date: Fri, 7 Mar 2008 08:29:57 -0800
Comments inline below.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"Paulr" <paulr@xxxxxxxxxxxx> wrote in message
news:%23r6HGCGgIHA.4436@xxxxxxxxxxxxxxxxxxxxxxx
OK - this one has been annoying for a little while now.
Hopefully somebody here might be able to point me in the right direction.
If I go:
Start>Exchange System Manager
Administrative Groups>First Administrative Group>Servers
I expand out the list of our servers.
Right-click on our main Exchange 2003 server and click Properties>Security
Here I get various users and services/systems that have security settings
on the exchange server.
In this list is a good old "S user":
S-1-5-21-1123561945-1659004503-682003330-7156
Now I know that this "S user" indicates an account that no longer exists.
Usually that's a SID for a user account in a domain that is no longer
trusted. It could be for a deleted account as well that didn't get cleaned
up, but that's not nearly as common.
If I had to make a guess I'd say it was related to an old Backup Exec
installation we used many, many years ago.
Now I'd like to remove this old user - mainly because it seems to have
rights to every single mailbox, so every time I check security anywhere I
see this entry which just doesn't need to be there any more.
When I click on this user in the Security pane and then click on
"Advanced" I am told that this object inherits its permissions from the
"Parent Object".
The thing is - and I'm probably being really silly, but I don't seem to be
able to find where the "Parent Object" for our Exchange Server is.
The parent object for servers is an object named Servers under the
administrative group, which is likely the parent from which the permissions
are being inherited.
I've looked further up the Exchange System Manager Tree - each branch
above the Exchange Server, however none of the branches above have a
"Security" tab.
Have you run the Delegation Wizard? Can you find the account there?
I've also looked under "Delegate Control" at both the First Administrative
Group and the very top object - but this user is not listed there either.
Oh. Never mind. Ignore the previous question.
How do I go about finding where the reference to this "S User" is located
so that I can remove it and all traces of it once and for all?
Probably the best place for you to look for this is by using ADSI Edit and
connecting to the Configuration naming context. Drill down to Services >
Microsoft Exchange Server and look at the rights conferred at each node.
The usual cautions apply to using ADSI Edit--you can really mess things up
with that tool if you're not very careful.
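
The node-by-node check suggested above for ADSI Edit can also be scripted as a read-only audit. The following is an added example, not part of the original thread: it walks the Exchange subtree of the Configuration naming context and lists every object on which the SID from the post holds an explicit (non-inherited) ACE, which is where the entry would have to be removed. The container DN `CN=Microsoft Exchange,CN=Services,<configuration NC>` and the parameter names `$OrphanSid` and `$SearchBase` are assumptions.

```powershell
# Added example: read-only audit, nothing in the directory is modified.
param(
    # SID exactly as shown on the server's Security tab in the post
    [string]$OrphanSid = 'S-1-5-21-1123561945-1659004503-682003330-7156',
    # Assumption: override if the Exchange container has a different DN
    [string]$SearchBase
)

if (-not $SearchBase) {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $configNc   = [string]$rootDse.configurationNamingContext
    $SearchBase = "CN=Microsoft Exchange,CN=Services,$configNc"   # assumed DN
}

# Ask for identities as raw SIDs so an unresolvable account still matches.
$sidType = [System.Security.Principal.SecurityIdentifier]

$searcher             = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
$searcher.Filter      = '(objectClass=*)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500            # page results so large subtrees are not truncated
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$results = $searcher.FindAll()
try {
    foreach ($result in $results) {
        $entry = $result.GetDirectoryEntry()
        try {
            # includeExplicit = $true, includeInherited = $false:
            # only ACEs set directly on this object, i.e. the "parent" being looked for.
            $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType)
            foreach ($rule in $rules) {
                if ($rule.IdentityReference.Value -eq $OrphanSid) {
                    [PSCustomObject]@{
                        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
                        AccessType        = $rule.AccessControlType
                        Rights            = $rule.ActiveDirectoryRights
                        AppliesTo         = $rule.InheritanceType
                    }
                }
            }
        } finally {
            $entry.psbase.Dispose()
        }
    }
} finally {
    $results.Dispose()
}
```

Each row is an object carrying the ACE directly; objects that only inherit it are not listed. An empty result means the ACE is set outside the searched subtree, so `$SearchBase` needs to point higher.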