Philip Amos
Joined: 06 Aug 2007 Posts: 5
Posted: Thu May 06, 2004 8:27 pm Post subject: Exchange 2000 & Administrator Rights
Can anybody please tell me why a user which has been delegated the Exchange
Full Administrator right still needs to be a member of the local machine's
Administrator group??
What I would ideally like to do is specifically grant rights over the
necessary objects within the directory\file system\registry etc to my
Exchange administrators and not have them as members of the Administrators
group. The reason for this is that Exchange 2000 is installed on some
Domain Controllers and the local Administrators group is the one in the
Domain which then grants people rights over other stuff that I do not want
them to have access to.
The problem is that I have been unable to find any documents either in
TechNet or on the web which explain what rights a member of the local
Administrators group gets over Exchange which make membership of this group
necessary and would appreciate it if somebody can tell me what rights I need
to grant.
Thank you
Philip Amos
Archived from group: microsoft>public>exchange2000>active>directory>integration
Dave Howe [MSFT]
Joined: 06 Aug 2007 Posts: 4
Posted: Mon May 10, 2004 3:08 pm Post subject: Re: Exchange 2000 & Administrator Rights
On Thu, 6 May 2004 16:27:31 +0100, "Philip Amos" wrote:
>Can anybody please tell me why a user which has been delegated the Exchange
>Full Administrator right still needs to be a member of the local machine's
>Administrator group??
>
>What I would ideally like to do is specifically grant rights over the
>necessary objects within the directory\file system\registry etc to my
>Exchange administrators and not have them as members of the Administrators
>group. The reason for this is that Exchange 2000 is installed on some
>Domain Controllers and the local Administrators group is the one in the
>Domain which then grants people rights over other stuff that I do not want
>them to have access to.
>
>The problem is that I have been unable to find any documents either in
>TechNet or on the web which explain what rights a member of the local
>Administrators group gets over Exchange which make membership of this group
>necessary and would appreciate it if somebody can tell me what rights I need
>to grant.
Can you explain exactly what kind of rights would you want them to
have? Strictly mailbox creation, or do you want them to have the
ability to mount/dismount stores, etc.?
---
Dave Howe
Microsoft PSS
This posting is provided "AS IS" with no warranties, and confers no rights.
Philip Amos
Joined: 06 Aug 2007 Posts: 5
Posted: Tue May 11, 2004 3:01 pm Post subject: Re: Exchange 2000 & Administrator Rights
Basically the way our company works is that each office has an OU and an
Exchange Administrative group. The Administrators at each office have been
granted Full Control over all Users, Contacts & Groups within their OU.
They have also been delegated the Exchange Full Administrator over their
Administrative Group in Exchange System Manager.
We basically need each of these Administrators to be able to manage all
aspects of Exchange 2000 within this Administrative group\OU but as Exchange
is installed on a DC we do not want to make them members of the
Domain\Administrators Group. This includes managing mailboxes, managing
stores, stopping and starting services (We know how to do this part),
carrying out maintenance of Exchange Databases as and when needed.
Thank you
Philip Amos
Alan Sun [MSFT]
Joined: 05 Aug 2007 Posts: 10
Posted: Fri May 07, 2004 11:25 am Post subject: RE: Exchange 2000 & Administrator Rights
Hi Philip,
Thanks for your posting here.
Based on my knowledge, in order to be an Exchange Full Administrator or
Exchange Administrator (who both have read/write access to objects) on an
organization or administrative group, a user must be a local machine
administrator for each Exchange Server he or she needs to manage.
Therefore, the Full Exchange Administration should be a member of local
administrator. This behavior is by design.
For more information, please refer to the following articles:
289811 XGEN: Exchange 2000 Role Permissions
http://support.microsoft.com/?id=289811
Hope this helps! Have a nice day!
Thanks & Regards
Alan Sun
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Philip Amos
Joined: 06 Aug 2007 Posts: 5
Posted: Fri May 07, 2004 4:48 pm Post subject: Re: Exchange 2000 & Administrator Rights
I cannot see why the user needs to be a member of the local Administrators
group and I cannot simply grant some permissions\user rights etc to the
relevant places in the Directory or File System, after all being a member of
the Administrators group basically just gives you a bunch of pre-defined
rights and permissions.
The document you talk about is very good at explaining what rights you get
in Exchange when you delegate a role but it does not talk about the rights
outside of Exchange.
Alan Sun [MSFT]
Joined: 05 Aug 2007 Posts: 10
Posted: Mon May 10, 2004 2:55 pm Post subject: Re: Exchange 2000 & Administrator Rights
Hi Philip,
Thanks for your posting back.
To delegate a user the Exchange Full Administrator permission, the user
must be a member of the local administrator group. If the Exchange is
installed on a DC, the user needs to be added to the domain Administrators
group. This behavior is by design.
Otherwise, you will receive a message similar to the following:
"To fully administer an Exchange server, the delegated user or group must
also be a member of the local machine administrator group."
If anything is unclear, feel free to let me know. Have a nice day!
Thanks & Regards
Alan Sun
Microsoft Online Partner Support
Philip Amos
Joined: 06 Aug 2007 Posts: 5
Posted: Tue May 11, 2004 2:50 pm Post subject: Re: Exchange 2000 & Administrator Rights
This is my point exactly but I want to know why they need to be an
Administrator. I thought the whole point of AD was that you can delegate
rights on a more granular level and I want to know what rights being a
member of the Administrators group gives the user in regards to Exchange
2000. Then when I know which rights are necessary I can delegate only these
rights and the users won't need to be a member of the Administrators group.
Alan Sun [MSFT]
Joined: 05 Aug 2007 Posts: 10
Posted: Wed May 12, 2004 12:43 pm Post subject: Re: Exchange 2000 & Administrator Rights
Hi Philip,
Thanks for your posting back.
To completely administer the Exchange server, the Full Exchange
Administrator should have the full permissions to the folders and files on
the server which Exchange is installed on. Therefore, the Full Exchange
Administrator should be a member of local administrator. This behavior is
by design.
If anything is unclear, please post back to let me know.
Thanks & Regards
Alan Sun
Microsoft Online Partner Support
Alan Sun [MSFT]
Joined: 05 Aug 2007 Posts: 10
Posted: Fri May 14, 2004 2:27 pm Post subject: Re: Exchange 2000 & Administrator Rights
Hi Philip,
Is the information helpful for you?
Please drop me a note so that we can assist you further.
Enjoy your day!
Thanks & Regards
Alan Sun
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|X-Tomcat-ID: 261411965
|References:
|MIME-Version: 1.0
|Content-Type: text/plain
|Content-Transfer-Encoding: 7bit
|From: v-asun@online.microsoft.com (Alan Sun [MSFT])
|Organization: Microsoft
|Date: Wed, 12 May 2004 08:43:16 GMT
|Subject: Re: Exchange 2000 & Administrator Rights
|X-Tomcat-NG: microsoft.public.exchange2000.general
|Message-ID:
|Newsgroups: microsoft.public.exchange2000.general
|Lines: 206
|Path: cpmsftngxa10.phx.gbl
|Xref: cpmsftngxa10.phx.gbl microsoft.public.exchange2000.general:55374
|NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
|
|Hi Philip,
|
|Thanks for your posting back.
|
|To completely administrator the Exchange server, the Full Exchange
|Administrator should have the full permissions to the folders and
files on
|the server which Exchange is installed on. Therefore, the Full
Exchange
|Administrator should be a member of local administrator. This
behavior is
|by design.
|
|If anything is unclear, please post back to let me know.
|
|Thanks & Regards
|Alan Sun
|Microsoft Online Partner Support
|
|Get Secure! - www.microsoft.com/security
|=====================================================
|When responding to posts, please "Reply to Group" via your newsreader
so
|that others may learn and benefit from your issue.
|=====================================================
|
|This posting is provided "AS IS" with no warranties, and confers no
rights.
|
|
|
|--------------------
| From: "Philip Amos"
| References:
|
|
|
| Subject: Re: Exchange 2000 & Administrator Rights
| Date: Tue, 11 May 2004 10:50:46 +0100
| Lines: 167
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID:
| Newsgroups: microsoft.public.exchange2000.general
| NNTP-Posting-Host: 193.82.89.222
| Path:
|cpmsftngxa10.phx.gbl!TK2MSFTNGXA06.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP
0
|8.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: cpmsftngxa10.phx.gbl
microsoft.public.exchange2000.general:55320
| X-Tomcat-NG: microsoft.public.exchange2000.general
|
| This is my point exactly but I want to know why they need to be
an
| Administrator. I though the whole point of AD was that you can
|delegate
| rights on a more granular level and I want to know what rights
being a
| member of the Administrators group gives the user in regards to
|Exchange
| 2000. Then when I know which rights are necessary I can
delegate only
|these
| rights and the users won't need to be a member of teh
Administrators
|group.
|
|
| "Alan Sun [MSFT]" wrote in message
| @cpmsftngxa10.phx.gbl...
| > Hi Philip,
| >
| > Thanks for your posting back.
| >
| > To delegate a user the Exchange Full Administrator permission,
the
|user
| > must be a member of the local administrator group. If the
Exchange is
| > installed on a DC, the user needs to be added to the domain
|Administrators
| > group. This behavior is by design.
| >
| > Otherwise, you will receive the similar messages as the
follows:
| >
| > "To fully administer an Exchange server, the delegated user or
group
|must
| > also be a member of the local machine administrator group."
| >
| > If anything is unclear, feel free to let me know. Have a nice
day!
| >
| > Thanks & Regards
| > Alan Sun
| > Microsoft Online Partner Support
| >
|
| >
| > --------------------
| > From: "Philip Amos"
| >
| > I cannot see why the user needs to be a member of the local Administrators
| > group and I cannot simply grant some permissions\user rights etc to the
| > relevant places in the Directory or File System, after all being a member of
| > the Administrators group basically just gives you a bunch of pre-defined
| > rights and permissions.
| >
| > The document you talk about is very good at explaining what rights you get
| > in Exchange when you delegate a role but it does not talk about the rights
| > outside of Exchange.
| >
| >
| > "Alan Sun [MSFT]" wrote in message
| > > Hi Philip,
| > >
| > > Thanks for your posting here.
| > >
| > > Based on my knowledge, in order to be an Exchange Full Administrator or
| > > Exchange Administrator (who both have read/write access to objects) on an
| > > organization or administrative group, a user must be a local machine
| > > administrator for each Exchange Server he or she needs to manage.
| > > Therefore, the Full Exchange Administration should be a member of local
| > > administrator. This behavior is by design.
| > >
| > > For more information, please refer to the following articles:
| > > 289811 XGEN: Exchange 2000 Role Permissions
| > > http://support.microsoft.com/?id=289811
| > >
| > > Hope this helps! Have a nice day!
| > >
| > > Thanks & Regards
| > > Alan Sun
| > > Microsoft Online Partner Support
| > >
| > > Get Secure! - www.microsoft.com/security
| > > =====================================================
| > > When responding to posts, please "Reply to Group" via your newsreader so
| > > that others may learn and benefit from your issue.
| > > =====================================================
| > >
| > > This posting is provided "AS IS" with no warranties, and confers no rights.
| > >
| > >
| > >
| > > --------------------
| > > |From: "Philip Amos"
| > > |Subject: Exchange 2000 & Administrator Rights
| > > |Date: Thu, 6 May 2004 16:27:31 +0100
| > >
| > > |
| > > |Can anybody please tell me why a user which has been delegated the Exchange
| > > |Full Administrator right still needs to be a member of the local machine's
| > > |Administrator group??
| > > |
| > > |What I would ideally like to do is specifically grant rights over the
| > > |necessary objects within the directory\file system\registry etc to my
| > > |Exchange administrators and not have them as members of the Administrators
| > > |group. The reason for this is that Exchange 2000 is installed on some
| > > |Domain Controllers and the local Administrators group is the one in the
| > > |Domain which then grants people rights over other stuff that I do not want
| > > |them to have access to.
| > > |
| > > |The problem is that I have been unable to find any documents either in
| > > |TechNet or on the web which explain what rights a member of the local
| > > |Administrators group gets over Exchange which make membership of this group
| > > |necessary and would appreciate it if somebody can tell me what rights I need
| > > |to grant.
| > > |
| > > |Thank you
| > > |Philip Amos
Philip Amos
Joined: 06 Aug 2007 Posts: 5
|
Posted: Mon May 17, 2004 6:57 pm Post subject: Re: Exchange 2000 & Administrator Rights |
|
|
Thank you for this but again I cannot believe that you need full rights over
all the folders & files but only the Exchange files and possibly some
Windows files but I would like to specifically know which Folder, Registry
Keys etc that they need rights over as some stuff on the server has nothing
to do with Exchange and as a result do not need rights.

"Alan Sun [MSFT]" wrote in message $NEHA.308@cpmsftngxa10.phx.gbl...
> Hi Philip,
>
> Thanks for your posting back.
>
> To completely administer the Exchange server, the Full Exchange
> Administrator should have the full permissions to the folders and files on
> the server which Exchange is installed on. Therefore, the Full Exchange
> Administrator should be a member of local administrator. This behavior is
> by design.
>
> If anything is unclear, please post back to let me know.
>
> Thanks & Regards
> Alan Sun
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
Alan Sun [MSFT]
Joined: 05 Aug 2007 Posts: 10
|
Posted: Tue May 18, 2004 1:50 pm Post subject: Re: Exchange 2000 & Administrator Rights |
|
|
Hi Philip,

Thanks for your posting back.

As the Full Exchange Administrator needs to configure Exchange server, the
account needs to have administrator permission on multiple folders including
Exchange folder and system folder and Registry. It is complex and
impossible to manually grant these permissions on proper folders and
Registry Keys. For this reason, the Full Exchange Administrator role should
be a member of local administrator. This behavior is by design.

Have a nice day!

Thanks & Regards
Alan Sun
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
Alan Sun [MSFT]
Joined: 05 Aug 2007 Posts: 10
|
Posted: Fri May 07, 2004 11:43 am Post subject: RE: Exchange 2000 & Administrator Rights |
|
|
Hi Philip,

I notice this issue is a duplicate of your other thread. I have replied in your
original thread. If you need further help, please reply in the original
one. For your convenience, I have pasted my reply as follows.

Thanks & Regards
Alan Sun
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hi Philip,

Thanks for your posting here.

Based on my knowledge, in order to be an Exchange Full Administrator or
Exchange Administrator (who both have read/write access to objects) on an
organization or administrative group, a user must be a local machine
administrator for each Exchange Server he or she needs to manage.
Therefore, the Full Exchange Administration should be a member of local
administrator. This behavior is by design.

For more information, please refer to the following articles:
289811 XGEN: Exchange 2000 Role Permissions
http://support.microsoft.com/?id=289811

Hope this helps! Have a nice day!

Thanks & Regards
Alan Sun
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|From: "Philip Amos"
|Subject: Exchange 2000 & Administrator Rights
|Date: Thu, 6 May 2004 16:27:31 +0100
|Newsgroups: microsoft.public.exchange2000.active.directory.integration,microsoft.public.exchange2000.general,microsoft.public.exchange2000.setup.installation
|
|Can anybody please tell me why a user which has been delegated the Exchange
|Full Administrator right still needs to be a member of the local machine's
|Administrator group??
|
|What I would ideally like to do is specifically grant rights over the
|necessary objects within the directory\file system\registry etc to my
|Exchange administrators and not have them as members of the Administrators
|group. The reason for this is that Exchange 2000 is installed on some
|Domain Controllers and the local Administrators group is the one in the
|Domain which then grants people rights over other stuff that I do not want
|them to have access to.
|
|The problem is that I have been unable to find any documents either in
|TechNet or on the web which explain what rights a member of the local
|Administrators group gets over Exchange which make membership of this group
|necessary and would appreciate it if somebody can tell me what rights I need
|to grant.
|
|Thank you
|Philip Amos