You can see where the Exchange Org inherits some of the permissions from. -----Original Message----- From: Jason Clishe [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 4:31 PM To: Exchange Discussions Subject: RE: Exchange permissions
What about it? If I use ADSIEdit to view the permissions at the Org, I see the same thing that I see in ESM: Domain and Enterprise Admins are inheriting allow rights for Send As and Receive As. If I go up one level in ADSIEdit, to the CN=Microsoft Exchange container and view the ACL there, the Send As and Receive As ACE's aren't even there. What rights do Domain Admins and Enterprise Admins have at the Org level in your environment? If someone can just tell me that it would be great. Jason > -----Original Message----- > From: Fyodorov, Andrey [mailto:[EMAIL PROTECTED] > Sent: Thursday, August 07, 2003 3:46 PM > To: Exchange Discussions > Subject: RE: Exchange permissions > > ADSIEdit > > > > -----Original Message----- > From: Jason Clishe [mailto:[EMAIL PROTECTED] > Sent: Thursday, August 07, 2003 11:14 AM > To: Exchange Discussions > Subject: Exchange permissions > > I've recently inherited an Exchange 2000 Organization. One of > the first things that I noticed was that all Domain and > Enterprise Administrators have the ability to open and read > anyone's mailboxes. I've checked the ACL on our mailbox store > (we only have one), and both Domain Admins and Enterprise > Admins have an inherited "Allow" under Send As and Receive > As. Obviously this is not the default configuration. > > I've made the registry adjustment listed in Q259221 to allow > me to see the security tab at the Org level. Even at the Org > level, Domain and Enterprise Admins are still inheriting an > allowed Send As and Receive As. > > But here's something else I noticed: when I use the > Delegation Wizard at the Org level to add an Exchange Full > Administrator, and then check the ACL on the Org, the new > administrator that I just added gets inherited allows on Send > As and Receive As, but also gets explicit denies on both of > those ACE's. From that point down the heirarchy, only the > explicit deny is inherited. > > So my question is this. At the org level, by default, are > Domain Admins and Enterprise Admins set with inherited allows > *and* explicit denies on Send As and Receive As? This would > indicate to me that perhaps a previous administrator here > simply removed the explicit deny? > > If someone could check the ACL on your Exchange Org and let > me know what permissions Domain Admins and Enterprise Admins > have, I'd much appreciate it. > > Thanks > > Jason > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t > ext_mode=& > lang=english > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t > ext_mode=&lang=english > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&; lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
