
Exchange 2007 Permission issues


Postby fenton » Sun Jun 14, 2009 9:47 am

Q: I have Exch2007 set up in a domain with 2 sites.
Site 1:
1 Win2k8 domain controller

Site 2:
1 Win2k8 domain controller
1 Win2k8 Exchange 2007 server

The issue is that when I add any account or group to have SendAs rights on a
mailbox, after a period of maybe 4 hours or less the SendAs permissions are
removed from the mailbox. I have used both the EMC and the shell to add the
permissions, with the same results. I had set up SendAs rights for other users
and mailboxes several days earlier than the 1st attempt on this box, and
those have not had the issue. I have not found any replication errors or
anything that looks like it could be related in the event logs.
Any help would be appreciated.

A: This issue could occur when the users are members of a
protected group.



1. Active Directory uses a protection mechanism to make sure that ACLs
are set correctly for members of sensitive groups. The operations master
compares the ACL on the user accounts that are members of protected groups
against the ACL on the AdminSDHolder object.


2. Every hour, the PDC emulator compares the ACL on the user accounts
present for its domain in Active Directory that are in administrative
groups against the ACL on the following object:

CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

(Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN)
of your domain.)

3. If the ACL is different, the ACL on the user object is overwritten
to reflect the security settings of the AdminSDHolder object (which
includes disabling ACL inheritance). This process protects these accounts
from being modified by unauthorized users if the accounts are moved to a
container or organizational unit where a malicious user has been delegated
administrative credentials to modify user accounts.

It is expected behavior that Domain Admins and other built-in
administrative groups have their own ACL left unchanged.

The following list describes the protected groups in Windows 2000:

1. Enterprise Admins
2. Schema Admins
3. Domain Admins
4. Administrators



The following list describes the protected groups in Windows Server 2003
and in Windows 2000 after applying the 327825 hotfix:

1. Administrators
2. Account Operators
3. Server Operators
4. Print Operators
5. Backup Operators
6. Domain Admins
7. Schema Admins
8. Enterprise Admins
9. Cert Publishers

Additionally the following users are also considered protected:

1. Administrator
2. Krbtgt

Note that membership in distribution groups does not populate a user token.
As a result, you cannot use tools such as "whoami" to successfully
determine group membership.


For more information, see the following Knowledge Base article:
http://support.microsoft.com/kb/318180/en-us

"AdminSDHolder Thread Affects Transitive Members of Distribution Groups."


For more information, see the following Knowledge Base article:
http://support.microsoft.com/kb/907434/en-us

So please

1. Make sure Members Are Not Members of a Protected Group

If you are using permissions that are delegated at the organizational unit
level, make sure that all users who require the delegated permissions are
not members of one of the protected groups. For users who were previously
members of a protected group, the inheritance flag is not automatically
reset when the user is removed from a protected group. It is necessary to
restore inheritance on the user manually by using either Active Directory
Users and Computers or a script that uses Dsacls.exe.

This method is preferred and does not weaken existing security.


2. Enable Inheritance on the AdminSDHolder Container

If inheritance is enabled on the adminSDHolder container, all members of
the protected groups have inherited permissions enabled.


For security reasons, Microsoft does not recommend this method.


You can enable inheritance or change the permissions on protected groups by
editing the security of the adminSDholder container. The path of the
adminSDHolder container is

CN=AdminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Re: Exchange 2007 Permission issues

Postby fenton » Sun Jun 14, 2009 9:47 am

Thanks, got it resolved. Somehow the Domain Users group was added as a
member of BUILTIN\Administrators. Once I removed it from the admins group the
issue was resolved.
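As an added example (not code from the original thread), the following PowerShell audit applies the answer's guidance: it lists groups nested inside the protected groups (the reply's root cause, Domain Users inside BUILTIN\Administrators, would show up here), finds accounts that SDProp has stamped with adminCount=1 but that are no longer protected-group members, and, when $Fix is set, restores inheritance on them as step 1 of the answer describes. It assumes the ActiveDirectory RSAT module on a domain-joined host; the $Fix switch is the example's own choice and the protected-group list is the one given in the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# RSAT module is installed and the host is domain-joined.
Import-Module ActiveDirectory

$Fix = $false   # set to $true to restore inheritance; default is report-only

# Protected groups as listed in the post (Windows Server 2003 list).
$protectedGroups = 'Administrators','Account Operators','Server Operators',
    'Print Operators','Backup Operators','Domain Admins','Schema Admins',
    'Enterprise Admins','Cert Publishers'

# 1. Groups nested inside protected groups. Every transitive member of such
#    a nested group gets the AdminSDHolder ACL, which is how a whole domain
#    can lose delegated permissions such as Send-As.
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { "{0} is nested in protected group {1}" -f $_.name, $g }
}

# 2. DNs of every transitive member of a protected group.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
}

# 3. adminCount=1 marks accounts SDProp has processed. Accounts with the flag
#    that are no longer in a protected group are "orphaned": inheritance stays
#    disabled on them until someone resets it by hand (step 1 of the answer).
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) }

foreach ($u in $orphans) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    if (-not $acl.AreAccessRulesProtected) { continue }
    "{0}: adminCount=1 but not in a protected group; inheritance disabled" -f $u.SamAccountName
    if ($Fix) {
        # Re-enable inheritance, keep the explicit ACEs already present, and
        # clear adminCount so the account reads as unprotected again.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        Set-ADUser -Identity $u -Clear adminCount
    }
}
```

Run it report-only first; accounts that are still protected-group members are deliberately skipped, since SDProp would re-stamp them within the hour anyway.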

