Re: Exchange site security settings, where is the parent?

From: Glen Trafford (glen_at_beehivesystems.com.No.Spam)
Date: 01/05/05


Date: Wed, 5 Jan 2005 17:10:41 +1100

The parent Object could be coming from the Configuration container object
(use ADSI edit to look at it). But think of it as being set by the Exchange
Full Administrator permissions. I would not recommend changing settings
anywhere else.

To achieve the result you are after just add a Deny Send As permission in
ESM (which is the default for Exchange Full Admins) and that will stop the
ability of a Domain Administrator to open another user's mailbox.

As to Send As on the Security Tab in AD (note this is different to the Send
As in ESM), if you have full control of an OU object, you will
automatically inherit the ability to Send As any user created in that OU. If
you do not have full mailbox access or the ESM rights you will not be able
to view the email in the mailbox, but you can spoof email as any user in the
OU.

Also note you can increase the logging in ESM to track the use of Send As
(it will log it to the Event Viewer). Server properties, Diagnostic logging,
MSExchangeIS, Mailbox, Send As.

Glen

"ESM" <ask@for.it> wrote in message
news:j4zCd.177832$8G4.55083@tornado.tampabay.rr.com...
> This is on E2003 FYI.
>
> I've performed the following:
>
> HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
> New dword
> "ShowSecurityPage"
> value=00000001
>
> This gives me the security tab at the Exchange Site and Exchange Org levels.
>
> I'm trying to remove "Send As" access that has been granted to Domain
> Admins. When I look at the Site level, the highest you can go in Exchange
> Administrator, those security settings are still inheriting from some
> parent object. Where is this parent object? Is it buried in schema or
> elsewhere?
>
> I'd rather not remove inheritance on the Exchange Site (or Org) just so I
> can remove the "Send As" granted to Domain Admins, as I do not want to screw
> up potential future security settings that might come into play with future
> updates, products etc. I'd much rather find the ultimate parent and remove
> the access there.
>
>
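
The reply above distinguishes an explicit Deny Send As from Send As that arrives through inherited full control of an OU. The following is an added example, not part of the original thread: it lists the entries in a user object's DACL, given as an SDDL string, that allow or deny Send As and marks which are inherited. The function name, the sample SDDL and its SIDs are constructed for illustration.

```python
import re

# Well-known GUID of the Send-As extended right (Receive-As ends in ...56).
SEND_AS = "ab721a54-1e2f-11d0-9819-00aa0040529b"

# Constructed SDDL for one user object; the SIDs and ACEs are made up.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OD;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;DA)"   # explicit Deny Send As
    "(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;DA)"   # Receive As: ignored
    "(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1-2-3-1105)"  # Full Control from OU
    "(A;;RPLCRC;;;AU)"                                     # read only: ignored
    "S:AI(AU;SA;CR;;;WD)"                                  # audit ACE: ignored
)


def send_as_aces(sddl):
    """List DACL entries that allow or deny Send As on the object itself.

    Returns (action, trustee, inherited, via) tuples in ACL order. This lists
    the relevant entries; it does not compute effective access.
    """
    findings = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields
        if ace_type not in ("A", "D", "OA", "OD"):
            continue                      # SACL (audit/alarm) entry
        flag_set = set(re.findall("..", flags))
        right_set = set(re.findall("..", rights))
        if "IO" in flag_set:
            continue                      # inherit-only: not applied here
        if not ({"CR", "GA"} & right_set):
            continue                      # no control-access right at all
        obj_guid = obj_guid.lower()
        if obj_guid == SEND_AS:
            via = "Send As"
        elif not obj_guid:
            via = "all extended rights"   # e.g. Full Control on the OU
        else:
            continue                      # some other extended right
        action = "deny" if ace_type in ("D", "OD") else "allow"
        findings.append((action, trustee, "ID" in flag_set, via))
    return findings


if __name__ == "__main__":
    for finding in send_as_aces(SAMPLE_SDDL):
        print(finding)
```

An inherited allow entry reported as "all extended rights" is the OU full-control case the reply describes; the trustee on that line can Send As the user even though no Send As entry names them.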
