Re: Exchange 2003 "Send as" rights for local administrators PROBLEM


From: Keith (kschulenburg_at_alcco.com)
Date: 05/21/04

    Date: Fri, 21 May 2004 15:31:02 -0700
    
    

    We are having a similar problem. We upgraded from Exchange 5.5 to 2000 a while back, and eventually got off of 5.5 and went native. We are also on Windows 2000 AD in native mode. Recently we added a second Exchange server and installed 2003.

    Our problem is that anyone in the Domain admins group can send as anyone in the company; they can also open any other user's folders from Outlook. This is a big security problem for us. I have created an explicit denial of send and receive as for Domain Admins, and applied it at the very top of the Exchange hierarchy, and it inherits down all the way to the Information Store level. Domain admins now cannot open other folders but they can still send as all day long. This explicit denial should take precedence over any allow anywhere else but it does not work. What am I missing?
         
         ----- Baris Eris [MS] wrote: -----
         
         Actually domain admins group has explicit deny permissions set to prevent
         this -- can you describe your problem in more detail?
         
         Baris.
         
         --
         This posting is provided "AS IS" with no warranties, and confers no rights.
         
         "crs" <cactus@cactus.com> wrote in message
         news:ORN2torMEHA.3668@TK2MSFTNGP11.phx.gbl...
    > On Exchange 2003 servers, the local administrators group has "send as"
    > rights on the server. Since the Domain admins group is in the local
    > administrators group, this creates a security issue.
    > I know this affected Exchange 2000 and was addressed with a hot fix.
    > Has anyone seen this in Exchange 2003 and/or have a workaround?
    > Thanks.
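
Added example, not part of the original thread and not Microsoft code: a simplified Python model of how a Windows DACL is evaluated in canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow), showing how a deny inherited from the top of a hierarchy can lose to an allow set directly on a lower object. The ACEs, group names and bit values are constructed for illustration, and the thread does not establish that this is the cause of the behaviour described above.

```python
from dataclasses import dataclass

# Constructed bit values for this model, not real access-mask constants.
SEND_AS = 0x1
RECEIVE_AS = 0x2
RIGHTS = {"send_as": SEND_AS, "receive_as": RECEIVE_AS}

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # a group name stands in for a SID
    mask: int
    inherited: bool  # True if the ACE flowed down from a parent container

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, groups, desired):
    """Walk ACEs in order; the first ACE that settles a requested bit wins."""
    remaining = desired
    for ace in canonical_order(aces):
        if ace.trustee not in groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False               # a still-needed bit is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask     # these bits are now granted
        if remaining == 0:
            return True
    return False                       # nothing granted the request

def effective_rights(aces, groups):
    return {n for n, bit in RIGHTS.items() if access_check(aces, groups, bit)}

# Constructed scenario: deny applied at the top and inherited downward,
# plus an allow set directly (explicitly) on the lower object.
INHERITED_ONLY = [
    Ace("deny", "Domain Admins", SEND_AS | RECEIVE_AS, inherited=True),
    Ace("allow", "Administrators", SEND_AS | RECEIVE_AS, inherited=True),
]
WITH_EXPLICIT_ALLOW = INHERITED_ONLY + [
    Ace("allow", "Administrators", SEND_AS, inherited=False),
]
ADMIN_GROUPS = {"Domain Admins", "Administrators"}

if __name__ == "__main__":
    print(effective_rights(INHERITED_ONLY, ADMIN_GROUPS))
    print(effective_rights(WITH_EXPLICIT_ALLOW, ADMIN_GROUPS))
```

When auditing a deny that appears not to apply, check each object in the path for explicit allow ACEs rather than only the container where the deny was set.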

