mailbox-enabled "domain admin" user account objects

Discussion in 'Active Directory' started by Cary Shultz, Aug 20, 2009.

  1. Cary Shultz

    Good evening!

    Can someone please explain to *me* why it is a bad idea to have an account
    that is a member of Administrative-type groups (thinking "Domain Admins",
    "Enterprise Admins", "Schema Admins" and the like) mailbox-enabled?

    Thank you,

    Cary
     
    Cary Shultz, Aug 20, 2009
    #1

  2. Briefly, if the account is compromised by an email-borne attack the
    attacker has not only complete control of the local machine but also
    of the entire infrastructure. It can install user accounts, rootkits,
    give or deny access to anything, etc.
     
    Rich Matheisen [MVP], Aug 20, 2009
    #2


  3. Cary,


    If you do mailbox enable it, who will be checking the admin account's mail?
    Does that mean someone's going to be using it on a regular basis?

    The forest root administrator account has carte blanche in the forest. I
    would suggest to only use it for enterprise reasons, other than that, it's
    not needed for the most part.

    Create two accounts for any admins that are administering the domain, one a
    plain Domain User account that is mailbox enabled, and one that is part of a
    group that you've delegated in the domain, but not part of the domain
    administrators group, because that group is also EA. For the Exchange org's
    'postmaster account,' I would suggest creating an account just for that
    purpose, and not use the administrator account.

    Also, you can choose to divvy up the Exchange responsibilities, if required,
    but then again this depends on the company's policy. Some companies separate
    AD functions from Exchange functions, but it gets sticky trying to do cross
    tasks, such as AD admins creating mailboxes, and Exchange admins trying to
    move mailboxes. Believe me, it's a pain in such orgs. I worked as an
    Exchange engineer for a company with 5000 mailboxes, 18 Exchange servers, 7
    routing groups, 7 AD Sites, but no permissions in AD. When I had a mailbox
    move, I had to put in a ticket, .... etc. That's how some companies have it
    separated. Yet others combine AD and Messaging into one group.

    With separate groups, you would create a group and delegate the Exchange
    Enterprise Admin Role (if Ex 2003), and provide local admin rights on the Ex
    boxes, etc. If combined AD/Messaging, then add the account to a delegated AD
    group with FC in AD.

    Whatever the organization breakdown, basically it's a security precaution
    not to use the domain administrator account. Why use it on a regular basis?
    Only use it when required. Therefore, if no one's using it, why give the
    account a mailbox?

    There's more, and I'm sure others will add to it, but that's the gist of it.
    Protect the forest root domain administrator account, and you protect your
    org.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Aug 20, 2009
    #3
  4. If you are using e-mail on an elevated account then if there is any malware
    accidentally executed then it has complete access to your domain/forest.
    All of our domain admins within our forest have two accounts, an admin
    account w/o access to email and an account w/o any additional levels of
    authority.

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Aug 20, 2009
    #4
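The replies above all come down to one control: privileged accounts (Domain Admins, Enterprise Admins, Schema Admins) should never be mailbox-enabled, and each admin should instead have a separate plain user account for mail. The script below is an added example, not code posted by anyone in this thread, that audits a forest for violations of that rule. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it is run from the forest root domain (where Enterprise Admins and Schema Admins live), and that Exchange populates the `msExchMailboxGuid` / `homeMDB` attributes on mailbox-enabled users, so no Exchange Management Shell is required. The group list and output columns are the author's assumptions; adjust them for renamed or localized groups.

```powershell
# Added example (not from the thread): report mailbox-enabled members of privileged AD groups.
# Assumptions: ActiveDirectory module available; run in the forest root domain with read rights.
Import-Module ActiveDirectory

# Groups named in the thread, plus built-in Administrators because Domain Admins nests into it.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so indirectly privileged users are caught as well.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        # msExchMailboxGuid and homeMDB are set by Exchange on mailbox-enabled users;
        # reading them straight from AD keeps the audit independent of the Exchange tools.
        $user = Get-ADUser -Identity $member.DistinguishedName `
            -Properties msExchMailboxGuid, homeMDB, adminCount, lastLogonDate, enabled

        if ($user.msExchMailboxGuid -or $user.homeMDB) {
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                MailboxStore   = $user.homeMDB
                AdminCount     = $user.adminCount     # 1 = protected by AdminSDHolder
                LastLogonDate  = $user.lastLogonDate  # a recently used admin mailbox is the worst case
            }
        }
    }
}

if ($findings) {
    # Each row is an account that combines forest-wide rights with an email attack surface.
    $findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
} else {
    "No mailbox-enabled accounts found in: $($privilegedGroups -join ', ')"
}
```

Run it periodically (or from a scheduled task that writes to a ticket queue) and treat any row as a finding to remediate the way Ace and Paul describe: disable the mailbox on the privileged account and give the person a second, unprivileged account for mail. Checking `adminCount` alongside group membership also surfaces accounts that were once privileged and still carry the protected ACL.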
