Managing Exchange 2007 Without Domain Admin Rights?

  • Question

  • Hi everyone,

    We manage the Exchange 2007 environment for one of our clients and due to some internal legal requirements that client no longer wants us to have domain admin rights in their AD forest. At some point in the future we will migrate them to Exchange 2013 with a child domain where we will have domain admin rights but for now this is our situation.

    My question is this: what are the minimum permissions we can get away with and still be able to manage the Exchange servers and the Exchange organization? We don't really need access to the mailboxes themselves so that's not an issue. There is a BES in the environment that we also manage but I believe the permissions for the BESAdmin account are already set up without domain admin rights anyhow.

    We actually own the Exchange servers so we already have local admin rights on them and will continue to maintain those rights. I know there are some security groups created during the installation of Exchange that we could potentially drop our admin accounts into, like Exchange Organization Administrators, etc. Would that be a viable solution?

    Thursday, April 4, 2013 4:15 PM


  • Hi

    You would need to be Exchange Organisation Administrators to manage the Exchange environment as a minimum: Exchange 2007 Permission Considerations

    If you are planning to upgrade to 2013 you will need to be a member of Domain, Enterprise and Schema Admins or get one of their staff who is a member of these groups to prepare the AD. This will also be required with Exchange 2013 Cumulative Updates (well it was with CU1).

    Cheers, Steve

    Thursday, April 4, 2013 5:19 PM