Thanks - I will be reading this paper, and may try to leverage this
situation into real training for me and others.
On Fri, Mar 21, 2008 at 11:37 AM, Michael B. Smith
<[EMAIL PROTECTED]> wrote:
> Being local administrator on the Exchange server allows him to do things
> like install Exchange service packs and deal with service restarts, etc. In
> Exchange 2007, it's extended even more that way ('cuz they got rid of admin
> groups, you know).
>
> The "Exchange administrator" piece lets him change things in ESM.
>
> The read/write in A/D lets him change the objects he has control under.
>
> It is a number of security pieces all working together...
>
>
> Regards,
>
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
>
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 21, 2008 2:28 PM
> To: NT System Admin Issues
> Subject: Re: Granting rights to services on a DC, etc.
>
> Ah - so, if he's not a local administrator on a remote Exchange box,
> or the OU in which the objects reside
> (mailboxes/accounts/DLs/contacts/etc.) hasn't been delegated to him,
> he can't do anything with them, besides viewing them like any other
> random user.
>
> That's nice. I like that.
>
> On Fri, Mar 21, 2008 at 11:23 AM, Michael B. Smith
> <[EMAIL PROTECTED]> wrote:
> > He can't modify the Active Directory attributes on an object that he
> > doesn't have write access to. :-)
> >
> > Yes! That is the paper.
> >
> >
> > Regards,
> >
> > Michael B. Smith
> > MCSE/Exchange MVP
> > http://TheEssentialExchange.com
> >
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:[EMAIL PROTECTED]
> > Sent: Friday, March 21, 2008 2:16 PM
> > To: NT System Admin Issues
> > Subject: Re: Granting rights to services on a DC, etc.
> >
> >
> >
> > On Fri, Mar 21, 2008 at 10:58 AM, Michael B. Smith
> > <[EMAIL PROTECTED]> wrote:
> > > Sorry, it's been a busy couple of weeks.
> > >
> > > If you give him (or preferentially, a group that you create and make
> > > him a member of) FC on the OU where you want him to be able to do
> > > these things, he can make the modifications that he wants, and only
> > > affect that OU. There is a white paper, named something like
> > > "Exchange 2003 Active Directory Permissioning Model" that can tell
> > > you the PRECISE rights that must be granted, if that is of concern.
> > >
> > > Putting the DHCP server service on the Exchange server should be
> > > fine, as long as he is the admin of both; and that server isn't a DC.
> > > He'll need to be a local admin on that box, a member of "Exchange
> > > Administrators", and a member of "DHCP Administrators".
> >
> > This sounds suspiciously like he'll be able to manage
> > mailboxes/DLs/contacts on other Exchange servers as well - however, I
> > think I need to read that paper to find out.
> >
> > All answers don't *have* to come from you, Michael, but I do
> > appreciate what you add to the list.
> >
> > Is this what you're referring to?
> >
> > "Working with Active Directory Permissions in Microsoft Exchange Server 2003"
> >
> > http://www.microsoft.com/downloads/details.aspx?familyid=0954b157-5add-48b8-9657-b95ac5bfe0a2&displaylang=en
> >
> >
> > Thanks!
> >
> > Kurt
> >
> > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
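
The thread's point that a delegate can only change objects where he has been granted write access can be checked by listing which principals hold write-class rights on an OU. The following is an added example, not part of the original messages; the function name `Get-WriteCapableAce`, the `CONTOSO` names and the sample ACEs are constructed for illustration.

```powershell
# Added example: report ACEs that allow changes to objects under an OU.
# All sample principals and the OU path below are hypothetical.
Add-Type -AssemblyName System.DirectoryServices

$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-WriteCapableAce {
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectoryAccessRule[]]$AccessRule
    )
    # Use atomic bits only. GenericAll and GenericWrite are composite values that
    # also contain read bits, so putting them in the mask would match read-only ACEs.
    # Full Control (GenericAll) still matches because it includes every bit below.
    $writeMask = [int]($R::CreateChild -bor $R::DeleteChild -bor $R::WriteProperty -bor
                       $R::Delete -bor $R::DeleteTree -bor $R::WriteDacl -bor $R::WriteOwner)

    $AccessRule |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

# Constructed sample: a delegated admin group with Full Control on the OU,
# and a read-only ACE of the kind an ordinary user gets.
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$sample = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount]'CONTOSO\Branch-Exchange-Admins',
        $R::GenericAll, $allow, $scope),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users',
        $R::GenericRead, $allow, $scope)
)

# Only the delegated group is reported; the read-only ACE is filtered out.
Get-WriteCapableAce -AccessRule $sample | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module and its AD: drive):
# Get-WriteCapableAce -AccessRule (Get-Acl -Path 'AD:\OU=Branch,DC=contoso,DC=example').Access
```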