Re: Exchange site security settings, where is the parent?
From: ESM (ask_at_for.it)
Date: 01/05/05
- Next message: Reed Wiedower: "Re: Bad Mail"
- Previous message: Tony: "slow file copying on exchange 2000"
- In reply to: Glen Trafford: "Re: Exchange site security settings, where is the parent?"
- Next in thread: Glen Trafford: "Re: Exchange site security settings, where is the parent?"
- Reply: Glen Trafford: "Re: Exchange site security settings, where is the parent?"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 05 Jan 2005 19:04:41 GMT
There is already a Deny Send As for Domain Admins at the site AND org
levels, but furtrher down in the advanced view list is a Domain Admins with
special permissions that has send as. It seems like this is overriding the
Deny Send As. I can disable inheritance at the org level in order to remove
this special permission send as, but this seems like a bad idea
Although, now that you mention Security in AD, I see Domain Admins at the
top of the advanced list, with FULL control. Security is set as inherited,
but the checks under Domain Admins are not grayed out, telling me some of
the default inheritance is modified.
Now my issue is, why is this happening? It happens for ALL new users. We
migrated from E5.5 to 2003 but made no funny security changes in the
process. What I am having happen is different then the standard wya it is
by default, and I want to get back to that out of box security model.
"Glen Trafford" <glen@beehivesystems.com.No.Spam> wrote in message
news:41db84e1$1@info-mid...
> The parent Object could be coming from the Configuration container object
> (use ADSI edit to look at it). But think of it as being set by the
> Exchange
> Full Administrator permissions. I would not recommend changing settings
> anywhere else.
>
> To achieve the result you are after just add a Deny Send As permission in
> ESM (which is the default for Exchange Full Admins) and that will stop the
> ability of a Domain Administrator to open another users mailbox.
>
> As to Send As on the Security Tab in AD -note this is different to the
> Send
> as in ESM- , if you have full control of an OU object, you will
> automatically inherit the ability to Send As any user created in that OU.
> If
> you do not have full mailbox access or the ESM rights you will not be able
> to view the email in the mailbox, but you can spoof email as any user in
> the
> OU.
>
> Also note you can increase the logging in ESM to track the use of Send As
> (it will log it to the Event Viewer). Server properties, Diagnostic
> logging,
> MSExchangeIS, Mailbox, Send As.
>
> Glen
>
>
>
>
> "ESM" <ask@for.it> wrote in message
> news:j4zCd.177832$8G4.55083@tornado.tampabay.rr.com...
>> This is on E2003 FYI.
>>
>> I've performed the following:
>>
>> HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
>> New dword
>> "ShowSecurityPage"
>> value=00000001
>>
>> This gives me the security tab at the Exchange Site and Exchange Org
> levels.
>>
>> I'm trying to remove "Send As" access that has been granted to Domain
>> Admins. When I look at the Site level, the highest you can go in
>> Exchange
>> Administrator, those security settings are still inheritting from some
>> parent object. Where is this parent object? Is it buried in schema or
>> elsewhere?
>>
>> I'd rather not remove inheritance on the Exchange Site (or Org) just so I
>> can remove the "Send As" granted to Domain Admins, as I do not want to
> screw
>> up potential future security settings that might come into play with
> future
>> updates, products etc. I'd much rather find the ultimate parent and
> remove
>> the access there.
>>
>>
>
>
- Next message: Reed Wiedower: "Re: Bad Mail"
- Previous message: Tony: "slow file copying on exchange 2000"
- In reply to: Glen Trafford: "Re: Exchange site security settings, where is the parent?"
- Next in thread: Glen Trafford: "Re: Exchange site security settings, where is the parent?"
- Reply: Glen Trafford: "Re: Exchange site security settings, where is the parent?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
