In October of 2008, I wrote the article adminCount, adminSDHolder, SDProp and you! This article discussed why membership in privileged groups could cause permissions challenges. You may want to refer to it before proceeding.
With Exchange Server 2010, the overall situation has continued to get more restrictive. Exchange Server 2010 requires that users who have mailboxes inherit permissions on their Active Directory objects in order for Role-Based Access Control (RBAC) and Exchange access in general to work properly. Membership in a privileged group stops a mailbox from inheriting permissions. Usually, normal mailbox access will still work (i.e., using Outlook with MAPI) due to the historical permissions present on the mailbox, but any other IIS-based or MAPI service will fail. This includes, but is not limited to, Blackberry Enterprise Server, Exchange ActiveSync, Outlook Web App, etc.
You can see a complex way of working around this issue described in KB Article 907434: The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server. But that method is an administrative nightmare.
Realistically speaking - what can you do?
The answer is simple: Get your users out of privileged groups.
No user who is Administrator, a Domain Admin, an Enterprise Admin, or a Schema Admin should be signing into Exchange with an account that is a member of those groups. This is also true for any member of the Built-in\Administrators group that exists on Domain Controllers. Every user who has access to a high-privilege account should also have a normal user account that they use for day-to-day usage - just like everyone else.
For the other privileged groups (Account Operators, Server Operators, Print Operators, Backup Operators, Cert Publishers) - these are legacy groups. They are a carry-over from Windows NT. Don't use them. Instead, use a computer's Local Security Policy - or a Domain Security Policy when appropriate - to assign users who need those capabilities the specific rights they require.
Usually, you will find that the built-in groups provide more power than you think they do (e.g., a member of Account Operators, Server Operators, Print Operators, or Backup Operators can log on locally to a domain controller and shut it down). Mapping the groups to the rights they grant is fairly simple by examining the User Rights Assignments in any Local Security Policy. An online version of this is available at: http://technet.microsoft.com/en-us/library/bb726980.aspx in tables 7-7, 7-8, and 7-9.
You may not normally consider <insert-any-group-name-here> to be a privileged group. But Active Directory does. Get users out of privileged groups where possible, and where that is not possible, give each such user both a normal account and a privileged account, and require that the normal account is the one used for day-to-day work.
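As an added example (not from the original post), here is a PowerShell audit script using the RSAT ActiveDirectory module that lists the accounts SDProp has stamped with adminCount=1, flags those that have a mailbox and still have inheritance blocked, and repairs an account once you have verified it no longer belongs to any protected group. The function names and the -MailboxOnly switch are my own; the cmdlets, the AD: drive and the attribute names are standard.

```powershell
Import-Module ActiveDirectory

# Report every account SDProp has stamped (adminCount=1), whether it has a
# mailbox (homeMDB populated) and whether inheritance is still blocked.
# Note: SDProp never clears adminCount when a user leaves a protected group,
# so the flag and the blocked inheritance outlive the group membership.
function Get-ProtectedMailboxUsers {
    param(
        [switch]$MailboxOnly   # report only accounts that have an Exchange mailbox
    )
    $users = Get-ADUser -LDAPFilter '(&(objectCategory=person)(adminCount=1))' `
                        -Properties adminCount, homeMDB, memberOf
    foreach ($u in $users) {
        if ($MailboxOnly -and -not $u.homeMDB) { continue }
        $acl = Get-Acl -Path ("AD:\" + $u.DistinguishedName)
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            HasMailbox         = [bool]$u.homeMDB
            InheritanceBlocked = $acl.AreAccessRulesProtected
            # Direct memberships only; nested membership can also trigger SDProp,
            # so an empty list here does not by itself mean the account is clean.
            DirectGroups       = ($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        }
    }
}

# Once an account has been removed from every protected group (including via
# nesting), re-enable inheritance and clear adminCount so Exchange 2010 RBAC,
# OWA, ActiveSync and similar services work again. Supports -WhatIf.
function Repair-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u    = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\" + $u.DistinguishedName
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Re-enable inheritance and clear adminCount')) {
        $acl = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
        Set-Acl -Path $path -AclObject $acl
        Set-ADUser -Identity $u -Clear adminCount
    }
}

# Typical use: review first, then repair the accounts you have verified.
Get-ProtectedMailboxUsers -MailboxOnly | Format-Table -AutoSize
# Repair-OrphanedAdminCount -SamAccountName 'jdoe' -WhatIf
```

Run the audit against the domain controller holding the PDC emulator role, since that is where SDProp runs and the stamped accounts will reappear within the hour if a protected group membership remains.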
Until next time...
As always, if there are items you would like me to talk about, please drop me a line and let me know!
Yesterday was a major day for patch releases in the Exchange and Outlook world.
For Exchange, Exchange 2010 SP1 got UR2, Exchange 2007 SP3 got its UR2. Exchange 2010 RTM got UR5, and Exchange 2007 SP2 got its UR5. For detailed information about the Exchange updates, please see Multiple December Update Rollup Releases at the Exchange Team Blog.
Also, a cumulative update for Outlook 2007 SP2 has been released that provides support for the Personal Archive in Outlook 2007. This removes a very significant Exchange 2010 deployment blocker for many companies. Please note that this provides support for an on-premises archive with an on-premises mailbox and for an Office 365 mailbox which has an Office 365-based archive. Having an on-premises mailbox with a cloud-based archive is not supported by this update.
This CU includes the ability for an Outlook 2007 client to access the archive in Exchange 2010. This really has been a matter of listening to customers to push to get this into the Outlook product.
With the CU, customers will be able to:
Access email messages in their online archive using Outlook 2007.
Move messages into the online archive using Outlook 2007.
Allow delegates to see their manager's online archive.
There are some limitations on Outlook 2007's support of the archive, including:
Working with Archive policies
Independent searches of the archive and the primary mailbox
This will light up the Archive for the following SKUs:
Office Ultimate (retail)
Office ProPlus (volume license)
Office Enterprise (volume license)
Outlook Standalone (retail)
Outlook Standalone (volume license)
Much (but not all) of the text in this posting is Microsoft boilerplate. But I still thought you'd want to know! :-)