It's the nature of an administrative account, and there's really no getting around it. In the unlikely event that the DOMAIN\Administrator user is explicitly defined as having permissions to each mailbox, you could use a PowerShell script to remove it, but you'd have the same problem - that user, and anyone with modify privileges on the Organization Management group can trivially add that user, or any other, back into it.

Bottom line, administrators have (or can easily give themselves) permissions to do whatever they want. You could, of course, remove DOMAIN\Administrator from that group, but anyone with modify privileges on that group (like domain admins) can trivially add that user, or any other, back into it. This is basically the group in Exchange that is like the Domain Admins group in Active Directory - members have administrative privileges in Exchange, which includes the ability to log into any mailbox (by default). By default, members of this role group can't perform mailbox searches and management of unscoped top-level management roles. This role group shouldn't be deleted.

Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and can perform almost any task against any Exchange 2013 object, with some exceptions. Members can also delegate role groups and management roles in the organization.

Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. This is probably a result of DOMAIN\Administrator being a member of the Organization Management group.
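Since removing the permission does not stop an administrator from granting it again, the practical control is to audit who can do so and to review when it happens. The script below is an added example, not code from the original page; it assumes it is run in the Exchange Management Shell with admin audit logging enabled, and the 30-day window is an arbitrary choice.

```powershell
# Added example: assumes the Exchange Management Shell (Exchange 2013 cmdlets loaded).
$Account = 'DOMAIN\Administrator'   # account named on this page
$Since   = (Get-Date).AddDays(-30)  # assumed review window

# 1. Who can grant themselves mailbox access through the role group?
Get-RoleGroupMember -Identity 'Organization Management' |
    Select-Object Name, RecipientType

# 2. Mailboxes where the account holds an explicit (non-inherited) FullAccess entry.
$explicit = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Account |
    Where-Object { -not $_.IsInherited -and ($_.AccessRights -match 'FullAccess') }
$explicit | Select-Object Identity, User, AccessRights

# 3. Preview removal of those entries; drop -WhatIf to apply.
foreach ($entry in $explicit) {
    Remove-MailboxPermission -Identity $entry.Identity -User $Account `
        -AccessRights FullAccess -WhatIf
}

# 4. Removal does not stick against an admin, so review who re-granted access
#    or changed role group membership in the admin audit log.
Search-AdminAuditLog -StartDate $Since -EndDate (Get-Date) `
    -Cmdlets Add-MailboxPermission, Add-RoleGroupMember |
    Select-Object RunDate, Caller, CmdletName, ObjectModified
```

Step 2 only reports explicit entries; access that comes from membership in Organization Management will not appear there, which is why step 1 and step 4 matter.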