Full Access to all!?

  • Question

  • Hello all,

    today I did some tests with some Receive Connectors and need to check the AD permissions. I found a Full Access entry on CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local and Send/Receive As on CN=Exchange Orga,CN=Microsoft Exchange,<...> for a special user.

    Does anyone have an idea how this privilege (especially the first) can be set? I mean a different way than using ADSI Edit or Add-ADPermission.

    Kind regards,
    Rigger

    Friday, June 19, 2015 12:54 PM
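The check the question describes (finding explicit Full Access, Send-As or Receive-As entries on the Exchange configuration containers for an account that should not have them), written out as an added example; this is not code from the thread. It assumes the Exchange Management Shell, that the Exchange security groups live in the domain the shell runs in (`$env:USERDOMAIN`), and that the list of expected trustees is extended with your own admin groups before a hit is treated as suspicious.

```powershell
# Added example, not from the thread: list explicit (non-inherited) ACEs on the
# Exchange configuration containers that grant Full Access (GenericAll) or the
# Send-As / Receive-As extended rights, and flag trustees outside a known-good list.
# Run in the Exchange Management Shell; a view-only admin account is enough.

# Resolve the configuration naming context instead of hard-coding DC=domain,DC=local.
$configNC   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$servicesDN = "CN=Microsoft Exchange,CN=Services,$configNC"

# The organization container sits directly under the services container; its CN is
# the Exchange organization name (the thread's example was "Exchange Orga").
$orgDN = (Get-OrganizationConfig).DistinguishedName

# Trustees expected to hold broad rights here (assumption: extend with your own groups).
$expectedTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Organization Management",
    "$env:USERDOMAIN\Exchange Trusted Subsystem",
    "$env:USERDOMAIN\Exchange Servers",
    "$env:USERDOMAIN\Exchange Windows Permissions"
)

function Get-UnexpectedExchangeAce {
    param([string[]]$ContainerDN, [string[]]$KnownTrustees)

    foreach ($dn in $ContainerDN) {
        # Get-ADPermission returns one object per ACE. AccessRights carries the
        # generic/standard rights (GenericAll is what the GUI shows as "Full Access");
        # ExtendedRights carries control-access rights such as Send-As and Receive-As.
        Get-ADPermission -Identity $dn |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                (($_.AccessRights -contains 'GenericAll') -or
                 ($_.ExtendedRights -match '^(Send-As|Receive-As)$')) -and
                ($KnownTrustees -notcontains $_.User.ToString())
            } |
            Select-Object @{ n = 'Container'; e = { $dn } }, User, AccessRights,
                          ExtendedRights, InheritanceType
    }
}

Get-UnexpectedExchangeAce -ContainerDN $servicesDN, $orgDN -KnownTrustees $expectedTrustees |
    Format-Table -AutoSize
```

Inherited entries are skipped on purpose: an ACE that is explicit on the services container (as in the question) is the one that was set directly there, while the same right showing up as inherited on the org container is just its consequence.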

Answers

  • Well, any LDP tool can be used to edit permissions - ADSIEdit just happens to be the one most often available.  But I get the feeling you mean using some different method than how ADSIEdit does it.  I'll say that permissions can be modified by a directory import using LDIFDE, but you need to know what you're doing to get the import file configured properly.  This actually happens when Exchange is first installed - the account used to install Exchange is granted some rights (I don't remember exactly which ones) to every mailbox in the system at the org level.  We found this out by accident one day - our AD team here added a service pack update to our schema, and we found that the account used to update the schema suddenly had a lot more permissions than it should have had.

    Is it possible this is what you are seeing?  Was this "special user" of yours used to update the schema or install an Exchange system?


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Friday, June 19, 2015 1:37 PM

All replies

  • It's the account of a trainee. I'm sure he has not installed the Exchange Server ;)

    And it's a trainee of the software development department. They have IT skills but not enough AD skills to know something about ADSIEdit. Also they shouldn't have the permissions to change something like that.

    I think with full access at that level, the account is able to do anything in the Exchange environment like open other mailboxes, change configuration and much more!?

    Friday, June 19, 2015 1:45 PM
  • That's possible.  Have you checked to see if this account is a member of any of the Exchange security groups used by RBAC?  It probably isn't, but I'd check nonetheless.  And I'd definitely remove the strange permissions you've found for this account from it ASAP ...


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Friday, June 19, 2015 8:04 PM
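The two steps Will suggests (confirm the account is not in any RBAC role group, then remove the stray permissions) as an added example, not code from the thread. It assumes the Exchange Management Shell; `$account` is a placeholder for the account found in the ACL, and only direct role-group membership and direct role assignments are checked (nesting through non-RBAC groups is not resolved here).

```powershell
# Added example, not from the thread: report an account's RBAC exposure, then remove
# exactly the explicit ACEs it holds on the Exchange configuration containers.
$account = 'DOMAIN\trainee.user'   # placeholder for the account found in the ACL

$user       = Get-User -Identity $account
$configNC   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$containers = @(
    "CN=Microsoft Exchange,CN=Services,$configNC",
    (Get-OrganizationConfig).DistinguishedName
)

function Get-RbacExposure {
    param($User)
    # Role groups listing the account as a direct member. Members holds ADObjectIds,
    # so compare on DistinguishedName.
    $groups = Get-RoleGroup | Where-Object {
        @($_.Members | ForEach-Object { $_.DistinguishedName }) -contains $User.DistinguishedName
    }
    # Roles assigned straight to the user rather than through a group.
    $direct = Get-ManagementRoleAssignment -RoleAssignee $User.Identity -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Account           = $User.Name
        RoleGroups        = @($groups | ForEach-Object { $_.Name })
        DirectAssignments = @($direct | ForEach-Object { $_.Role })
    }
}

function Remove-ExplicitAce {
    param([string[]]$ContainerDN, [string]$Trustee)
    foreach ($dn in $ContainerDN) {
        $aces = Get-ADPermission -Identity $dn -User $Trustee | Where-Object { -not $_.IsInherited }
        foreach ($ace in $aces) {
            # Remove only the ACE that was found, with the same rights it carried.
            # Confirm prompts before each change; add -WhatIf for a dry run.
            $params = @{ Identity = $dn; User = $Trustee; Confirm = $true }
            if ($ace.AccessRights)   { $params.AccessRights   = $ace.AccessRights }
            if ($ace.ExtendedRights) { $params.ExtendedRights = $ace.ExtendedRights }
            if ($ace.Deny)           { $params.Deny = $true }
            Remove-ADPermission @params
        }
    }
}

Get-RbacExposure -User $user | Format-List
Remove-ExplicitAce -ContainerDN $containers -Trustee $account
```

Record the output of `Get-ADPermission` for the account before removing anything; it is the only evidence of what the account could do, and it is what a later audit-log review has to be matched against.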
  • As expected, the account isn't member of any group used by RBAC. Now the permission is removed.

    I've no idea how that came about...

    • Edited by rigger1982 Monday, June 22, 2015 5:36 AM
    Monday, June 22, 2015 5:35 AM
  • Hello,

    You can enable the auditing logging to monitor the permission changes:

    https://technet.microsoft.com/en-us/library/cc778162(v=ws.10).aspx


    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Simon Wu
    TechNet Community Support

    Thursday, June 25, 2015 9:25 AM
    Moderator
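What Simon's suggestion looks like in practice, as an added example that is not from the thread: enable change auditing for the Exchange configuration container and pull the resulting Security events that touched its security descriptor. It assumes the ActiveDirectory module (for the `AD:` drive and `Get-ADRootDSE`), a domain controller named by the `$dc` placeholder, and an account holding the privilege needed to write a SACL; the audit policy would normally be set by GPO on all DCs rather than with `auditpol` on one.

```powershell
# Added example, not from the thread: audit permission changes on the Exchange
# configuration container and list who changed its ACL. Requires the
# ActiveDirectory module; $dc is a placeholder for a domain controller.
$dc = 'DC01.domain.local'   # placeholder

$configNC   = (Get-ADRootDSE -Server $dc).configurationNamingContext
$exchangeDN = "CN=Microsoft Exchange,CN=Services,$configNC"

# 1. Enable the audit subcategory that produces event 5136 (directory service
#    object modified). In production this is set via GPO on every DC.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Add a SACL entry: audit successful WriteDacl / WriteOwner by anyone, inherited
#    down to the organization container and below. Writing a SACL needs SeSecurityPrivilege.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:$exchangeDN" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:$exchangeDN" -AclObject $acl

# 3. Review the events. 5136 records the object, the attribute, the caller and
#    whether a value was added or removed.
function Get-ExchangeAclChange {
    param([string]$Server, [string]$ObjectDnSuffix, [int]$MaxEvents = 5000)
    $events = Get-WinEvent -ComputerName $Server -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136 }
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectDN -like "*$ObjectDnSuffix" -and
            $data.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object    = $data.ObjectDN
                Operation = switch ($data.OperationType) {
                    '%%14674' { 'Value Added' }
                    '%%14675' { 'Value Deleted' }
                    default   { $_ }
                }
            }
        }
    }
}

Get-ExchangeAclChange -Server $dc -ObjectDnSuffix $exchangeDN | Format-Table -AutoSize
```

Each DC only logs changes it processed itself, so query every DC (or forward the Security logs to a central collector) rather than a single one; and as Will notes, this only captures changes made after the SACL and audit policy are in place.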
  • Simon is right, but this won't tell you how this account got set previously.  However, it will let you figure out what happens if it gets set again.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Thursday, June 25, 2015 12:08 PM