How to set up admins for separate OUs in Exchange 2013, so that each OU's admin can only see the recipients and groups for their particular OU?

  • Question

  • Good evening,

    Let me first say that I have some experience with Exchange 2013, but I am by far no expert. I have set up Exchange 2013 as a multi-tenancy mail server. Currently we are hosting email for 4 separate companies on a single server. Everything is set up and working great, however we recently found an issue that I am trying to resolve.

    We would like to set up one or more users from each OU to serve as admins for their particular OU. Their purpose would be to create/modify recipient mailboxes and distribution groups. The purpose for this is so that someone from each company can log in to the ECP and manage ONLY the recipients and groups for their particular OU, while the other OUs' recipients and groups are not visible to them. We want these admin users to be able to manage recipients within their OU ONLY, without any knowledge of the other OUs.

    The problem is when we set up a user as an admin and grant them permissions under the admin role policies, each admin can see ALL of the OUs, ALL of the recipients on the server, and ALL of the distribution groups. Of course, that allows any admin, regardless of which company they are with, to view ALL recipient email addresses, etc. and that is what we are trying to change.

    At this point, I don't know how to proceed. I read a similar post in these forums where the only response was to use a third party application to accomplish this, but if that is truly the only solution, which third party app COULD accomplish this?


    Friday, September 11, 2015 6:37 AM

Answers

  • Ok, I understand you're using a custom scope to limit the admins to manage only the users in their OU and this works, but the problem is that they can read information about users in other OUs.

    The built in management roles have implicit read scopes - there's a table in this article: https://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx. It also states "When a predefined relative scope or custom scope is used on a role assignment, the implicit write scope of the role is overridden, and the new scope takes precedence. The implicit read scope of a role can't be overridden and always applies."

    Test out recipient filters too:

    "If you specify a recipient filter using the RecipientRestrictionFilter parameter, you can use the RecipientRoot parameter to specify an organizational unit (OU) to restrict the filter to. When you specify an OU in the RecipientRoot parameter, the recipient filter attempts to match recipients that reside in that OU only, rather than within the entire implicit read scope." 

    Also, if you go through the multi tenant hosting document from MS (page 16 of https://www.microsoft.com/en-us/download/details.aspx?id=36790), it states that you should use a client that limits the OUs that the user can read. The other option it touches on is modifying permissions on the OUs in AD, so if the above ideas don't work then investigate denying your admin full control on the other OUs, i.e. deny full control for admin for company 1 on OUs for companies 2-5. I know that they can't modify the users in these OUs but denying full control will also deny read. 

    Let me know if this helps or answers your question.

    Thanks.


    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010

    Blog: http://markgossa.blogspot.com

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Saturday, September 12, 2015 1:01 PM
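The scope-and-role-group setup the answer above describes, written out as an Exchange Management Shell example. This is added here and is not code from the original thread. The OU path corp.example/Company1, the scope and role group names, the account corp\c1admin and the server URL are assumptions. Steps 3 and 4 are the check that matters for this thread: a custom scope replaces only the write scope, and the role's ImplicitRecipientReadScope stays Organization, which is why the tenant admin still sees every tenant's recipients. Step 5 reproduces that from the admin's side.

```powershell
# Added example for the accepted answer above, not code from the original post.
# Assumptions: tenant OU 'corp.example/Company1', the scope/role group names below,
# tenant admin account 'corp\c1admin', Exchange server 'mail.corp.example'.
# Run from the Exchange Management Shell as a member of Organization Management.

$TenantOU  = 'corp.example/Company1'            # assumed OU, canonical name form
$ScopeName = 'Company1 Recipients'              # assumed scope name
$RoleGroup = 'Company1 Recipient Admins'        # assumed role group name
$Admin     = 'corp\c1admin'                     # assumed tenant admin account

# 1. Custom recipient scope rooted at the tenant OU. RecipientRoot requires a
#    RecipientRestrictionFilter; 'Name -like *' matches every recipient under the root.
New-ManagementScope -Name $ScopeName `
    -RecipientRoot $TenantOU `
    -RecipientRestrictionFilter { Name -like '*' }

# 2. Role group carrying only the recipient-management roles, WRITE-scoped to the OU.
New-RoleGroup -Name $RoleGroup `
    -Roles 'Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups' `
    -CustomRecipientWriteScope $ScopeName `
    -Members $Admin

# 3. The check: each assigned role has an implicit READ scope of Organization, and no
#    parameter of New-ManagementScope or New-RoleGroup changes that value.
'Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups' |
    ForEach-Object { Get-ManagementRole $_ } |
    Format-Table Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope -AutoSize

# 4. The same fact seen from the assignments: the write scope is the custom scope,
#    the read scope is still Organization.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Format-Table Role, RecipientReadScope, CustomRecipientWriteScope -AutoSize

# 5. Reproduce what the tenant admin sees: a remote shell as c1admin can still
#    enumerate recipients in every tenant OU (grouped by OU to make it obvious).
$cred    = Get-Credential -UserName $Admin -Message 'Tenant admin password'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://mail.corp.example/PowerShell/' `
    -Authentication Kerberos -Credential $cred
Invoke-Command -Session $session {
    Get-Recipient -ResultSize Unlimited |
        Group-Object OrganizationalUnit |
        Select-Object Name, Count
}
Remove-PSSession $session
```

If step 5 lists more than the tenant's own OU, the read-scope limitation quoted in the answer is what you are looking at; tightening the RecipientRestrictionFilter changes only which objects the admin can modify, not which ones Get-Recipient returns.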

All replies


  • Move different companies' people to different OUs

    Create RBAC with recipient read/write scope

    https://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx


    • Edited by Vishwanath.S Friday, September 11, 2015 8:31 AM updated
    Friday, September 11, 2015 8:30 AM
  • We have 5 different OUs set up, one for each company whose email we host and the fifth for our users. We have separate address book policies, separate global address books, separate offline address books, etc. If the users log in to ECP they can only see their individual user account information. We as the global admins can see all users, all OUs, etc.

    When the non-admin users log in to their account using ECP they can modify only their individual user settings. When we create an admin role for the individual OU admins, however, when those people log in to ECP, they can see all of the other users, all OUs, and all groups. They do not have the ability to edit the other OUs' users or groups as they are greyed out, but they can still see them.

    Using RBAC read/write scope, we can make it so that the admin users cannot edit other OUs' recipients and groups, BUT they are still able to view them and see their contact information.

    We are SO CLOSE to finding the solution, but we are just missing this one small piece of the puzzle. If you know of some way to create OU admins who CANNOT see other OU recipients and groups, then I would love to know how. Is there some aspect of RBAC that I'm missing?

    Friday, September 11, 2015 6:18 PM
  • All domain users can be seen by any domain user. I think the only way around this is to deny full control on OUs and all objects in the OU for company 2, 3, 4, 5 to admin for company 1.

    Give this a go and see if it helps.

    Let me know if it answers your question.

    Thanks.


    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010

    Blog: http://markgossa.blogspot.com

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Saturday, September 12, 2015 12:01 AM
  • I'm not sure if I'm making myself clear or not here. As I mentioned before, we have 5 OUs on our Exchange 2013 server. There are about 82 standard users, 1 global administrator, and one user set up as an OU admin for each OU.

    When the standard users log in to the ECP they can only see their contact information, such as name, password, phone number, etc., which is normal.

    When the global administrator logs in, they can see EVERYTHING, that's normal.

    The problem is, when the OU admins log in, they can see recipients, groups, and email addresses of users in both their OU as well as in the other OUs. THAT IS THE PROBLEM WE'RE TRYING TO FIX. We want the individual OU admins to ONLY be able to see recipients and groups within their individual OUs. Right now the OU admins can see EVERY user, though they only have view permissions on users outside their particular OU. We're not talking about read/write permissions here, we're looking for a way to prevent OU admins from seeing users in other OUs.

    Saturday, September 12, 2015 2:59 AM
  • Mark,

    Thank you for your assistance, however that is not the issue. Each OU user only has access to their information when they log in to the ECP. The users cannot see, access, or edit any other user information or groups; all they can change is their personal information.

    The global admins can see, access, and edit everything, which is the way it should be.

    The problem is when we set up a user with admin role policies that allow them to access groups in their OU, they are then granted read access to ALL USERS in ALL OUs. They cannot edit user information for users in other OUs, but they can still view the other users' information. The problem is that they can see user information for users that belong to other companies in separate OUs on the same server.

    We have isolated the OUs and standard users cannot see any other OU users, HOWEVER, once the OU admins are granted access to edit groups, they can then SEE other OU users. We need to isolate the OU admins so that they CANNOT see anything outside of their OU.

    We are trying to set up the OU admins so that they can create and edit recipients and distribution groups within their OU so that the global admin does not have to do everything for them.
    Saturday, September 12, 2015 3:29 AM
  • I appreciate everyone's input on this matter, but I have to admit I don't have as much experience with Exchange as I would like and so I am lost here on what needs to be done. I'm nervous about changing AD permissions for users and groups without a clear understanding of the effects since I cannot afford to make a mistake and cause any email down-time for our clients.

    If possible, I would greatly appreciate a little more detailed instruction on what you think I should try to accomplish what needs to be done here.

    Right now each OU has one Organization Admin who can only edit their OU's recipients, but they are still able to view recipients in other OUs, though they are unable to edit them. I need to "hide" the other OUs from each OU so that the organization admins have no read/write access to the other OUs.

    If someone could point me in the right direction with some instructions, I would greatly appreciate it.
    Monday, September 14, 2015 10:50 PM
  • Hi,

    You need to do the below:

    1) Open AD Users and Computers

    2) Click on view > advanced features

    3) Create a security group for company 1 admins

    4) Right click the OU for company 2 > properties

    5) Click on Security > advanced

    6) Click Add then add the group for company 1 admins and click ok

    7) Click deny full control then click ok

    8) Repeat steps 4 - 7 for the other company OUs you want to deny access to

    9) Click OK till all windows closed

    You need to repeat steps 3 - 8 for all company admin groups. Do this for one group and test first then repeat for the other groups.

    More info here: https://technet.microsoft.com/en-us/library/cc757520(v=ws.10).aspx

    This should answer your question.

    Thanks.


    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010

    Blog: http://markgossa.blogspot.com

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Wednesday, September 16, 2015 8:12 AM
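The nine ADUC steps above, as a scripted equivalent added here (not from the original post), using dsacls.exe, which ships with Windows Server, plus a Get-Acl check and a rollback line for anyone nervous about touching OU ACLs by hand. The domain corp.example, the OU names and the group CORP\Company1-Admins are assumptions. One caveat before trying it: as the later replies in this thread report, the deny ACE did not change what ECP showed. ECP and remote PowerShell read AD under the Exchange server's own identity (the Exchange Trusted Subsystem), not under the logged-in admin's, so a deny on the admin group only governs that admin's direct LDAP access to the OUs (ADUC, ldp, scripts run as that user), not what Exchange returns on their behalf.

```powershell
# Added example: scripted form of the ADUC "deny full control" steps above.
# Not code from the original post. Assumed domain corp.example, tenant OUs
# Company1..Company4 plus 'Hosting' for the provider's own users, and the admin
# group CORP\Company1-Admins (step 3 above). Run as a Domain Admin on a DC or a
# host with RSAT installed (dsacls.exe and the ActiveDirectory module).

Import-Module ActiveDirectory

$Domain     = 'DC=corp,DC=example'                  # assumed forest root
$AdminGroup = 'CORP\Company1-Admins'                # assumed group from step 3
$OwnOU      = 'Company1'                            # the OU this group MAY manage
$AllOUs     = 'Company1', 'Company2', 'Company3', 'Company4', 'Hosting'
$OtherOUs   = $AllOUs | Where-Object { $_ -ne $OwnOU }

# Steps 4-8: deny full control (GA = Generic All) on every OTHER OU, inherited to the
# objects beneath it (/I:T = this object and all sub-objects). A deny ACE wins over
# any allow the group inherits elsewhere, so read is denied along with write.
foreach ($ou in $OtherOUs) {
    $dn = "OU=$ou,$Domain"
    dsacls $dn /I:T /D "${AdminGroup}:GA"
}

# Check: list the ACEs that now name the admin group on each of those OUs.
# Expect AccessControlType = Deny, ActiveDirectoryRights = GenericAll, InheritanceType = All.
foreach ($ou in $OtherOUs) {
    $acl = Get-Acl -Path "AD:\OU=$ou,$Domain"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $AdminGroup } |
        Select-Object @{ n = 'OU'; e = { $ou } }, AccessControlType,
                      ActiveDirectoryRights, InheritanceType
}

# Rollback if the ECP test shows no change: /R removes every ACE for the group on the OU.
# foreach ($ou in $OtherOUs) { dsacls "OU=$ou,$Domain" /R $AdminGroup }
```

Test it with one group first, as the post above says, and keep the rollback line handy: a deny ACE that accidentally lands on an OU containing the Exchange servers' own objects or the admin's own account will break far more than ECP visibility.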
  • Mark,

    Thanks again for your assistance. I tried following the steps you outlined and though I did exactly as you recommended, it appears to have had no effect whatsoever. The OU admin users can still view all recipients in all OUs, though they only have read/write permissions for the recipients and groups within their own OU.

    This problem is definitely frustrating. Everyone on the internet seems to have "the answer", but so far nothing seems to make a difference. It appears that users can either only see their information (username, password, email address, phone number, etc.) or they can see EVERYTHING in ALL OUs.

    I have created an OU1 Admin security group for testing, added the OU admin from OU #1 to it and then denied full access to all other OUs within active directory and yet, when the OU admins login to ECP, they can click on recipients and see all recipients server wide and click on groups and see all groups server wide.

    I don't know why it's so difficult to isolate OU admins to their individual OUs, but I've been working on this problem for almost 2 weeks now with no success at all.

    Thursday, September 17, 2015 8:24 AM
  • Was it ever resolved or you are using 3rd party tool?

    Regards, Prabhat Nigam XHG and AD Architect and DR Expert Website: msexchangeguru.com VBC: https://www.mcpvirtualbusinesscard.com/VBCServer/wizkid/card

    Wednesday, September 14, 2016 8:18 AM
  • I spent hours looking into this as well. It's clearly not possible through ECP. People need to just say that.

    The AD permission approach doesn't work because you are not accessing AD directly with the ECP login credentials. Instead, the Exchange Web Application looks at your role and is proxying for you. So the only way to deny AD data would be to deny the machine's own authentication to that particular AD sub-hierarchy, which completely breaks the accounts within that hierarchy.

    It seems the only approach is to write your own code and expose it via a PowerShell or C# interface to a custom ASP website. This is very, very ugly and much wheel-reinvention abounds.

    Otherwise, the only true multi-tenancy approach is to have separate Active Directory domains in a forest, which probably means multiple virtual machines, each the master of their own domain. And lots of repetitive configuration and management. Which gets expensive. What would be nice is to simply have a hook that forces the *web interface* only to lock down on an OU filter. Some kind of JavaScript hack would work I bet. But that is the open source philosophy, not the Microsoft philosophy.

    -DB


    Friday, September 21, 2018 9:19 PM
  • I think this sums it up pretty well. From the multi-tenancy guide:

    There are many challenges to overcome when you try to use Exchange 2010 or 2013 to host tenants. Exchange server has always been designed to enable all users in the Exchange organization to collaborate easily, and creating boundaries between tenants means going against some of the core principles used in the design and development of the product.

    Friday, September 21, 2018 9:22 PM