Delegating administrator roles to an administrative group can grant the ability to create mailboxes in other administrative groups in an Exchange organization (883381)
The information in this article applies to:

  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange 2000 Server
  • Microsoft Exchange 2000 Enterprise Server

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

When you delegate the Exchange Administrator role or the Exchange Full Administrator role in Microsoft Exchange 2000 Server or in Microsoft Exchange Server 2003, the delegated user or group may be able to create a mailbox for any user in any administrative group in the Exchange organization.

Important To mailbox-enable a user account, the user or group that has the Exchange Administrator role or the Exchange Full Administrator role requires Write access to certain attributes on the target user account in the Active Directory directory service.

CAUSE

This behavior occurs when all the following conditions are true:
  • You assign the user or group the Exchange Administrator role or the Exchange Full Administrator role for an administrative group or for the Exchange organization.
  • The user or group that has the Exchange Administrator role or the Exchange Full Administrator role also has administrative permissions on user accounts in Active Directory. For more information about setting permissions on Active Directory objects, click the following article number to view the article in the Microsoft Knowledge Base:

    316792 Minimum permissions necessary to perform Exchange-related tasks

The Exchange Administration Delegation Wizard provides View Only access control permissions for all administrative groups in an Exchange organization by setting access control entries (ACEs) at the organization level. This may produce unwanted behavior for Exchange organizations that have several administrative groups.

WORKAROUND

Important We recommend this workaround for Exchange organizations that have a small number of administrative groups. For Exchange organizations with a larger number of administrative groups, this workaround may not be practical because each access control permission must be changed manually. Additionally, if you manually configure the access control permissions for many administrative groups, it may affect the performance of Exchange on the servers. This degradation of performance occurs because of the increase in ACEs that are added to the access control lists (ACLs) of the administrative group Active Directory object. As the number of ACEs increases, the size of an ACL for the object grows. This ACL information is stored in the DSAccess cache. The DSAccess cache has a 32 kilobyte (KB) limit. If the total size of an attribute for an Active Directory object is larger than 32,768 bytes, a reduction in server performance may occur because the Exchange DSAccess cache cannot store the attribute.

Note Exchange Server 2003 Service Pack 1 (SP1) includes an updated DSAccess cache that no longer has a 32-KB limit. This is because in Exchange Server 2003 SP1, the DSAccess component can chain one or more memory segments together.

Warning When you apply an explicit Deny on a permission, the explicit Deny takes precedence over an Allow that is inherited. This may cause access control behavior that is not wanted. Additionally, manual configuration of ACEs may cause the user account not to have access to certain objects in Active Directory. Use caution when you manually configure ACEs to make sure that any changes are fully tested.

To work around this behavior, deny Read, Execute, Read permissions, List contents, Read properties, and List object access control permissions on the administrative groups that you want to hide from the delegated local administrator who has account operator permissions. To do this, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.

    Important To change the security on an administrative group object, you must turn on the display of the Security tab in Exchange System Administrator. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin

    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type ShowSecurityPage, and then press ENTER.
    5. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
    6. Quit Registry Editor.
  2. In the Exchange organization list in Exchange System Manager, right-click the administrative group that you want, and then click Properties.
  3. Click the Security tab.
  4. In the Group or user names list, click the group or the user name that you want.
  5. In the Deny column of the Permissions list, click to select the following check boxes, and then click OK:
    • Read
    • Execute
    • Read permissions
    • List contents
    • Read properties
    • List object
  6. Quit Exchange System Manager.
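The following PowerShell script is an added example and is not part of the KB article. It performs the ShowSecurityPage registry step and then audits the DACL of one administrative group object: it lists the ACEs for the delegated trustee (marking inherited versus explicit, which matters for the Deny warning above), checks that explicit Deny ACEs cover the six rights the workaround lists, and reports the security descriptor size against the 32,768-byte pre-SP1 DSAccess cache limit. The distinguished name and group name are placeholders, and the mapping of the Exchange System Manager check boxes to ActiveDirectoryRights flags is an assumption of this example, not a statement from the article.

```powershell
# Added example (not from KB 883381). Run on a domain-joined machine with
# read access to the configuration partition. DN and trustee are placeholders.
param(
    [string]$AdminGroupDN = 'CN=PLACEHOLDER-ADMIN-GROUP,CN=Administrative Groups,CN=PLACEHOLDER-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com',
    [string]$Trustee      = 'EXAMPLE\Branch Exchange Admins'
)
Add-Type -AssemblyName System.DirectoryServices

# Step 1 of the KB: expose the Security tab in Exchange System Manager.
$regKey = 'HKCU:\Software\Microsoft\Exchange\EXAdmin'
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
Set-ItemProperty -Path $regKey -Name ShowSecurityPage -Value 1 -Type DWord

# Bind to the administrative group object and fetch owner, group and DACL.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$AdminGroupDN")
$entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl'
$sd = $entry.ObjectSecurity

# WORKAROUND section: nTSecurityDescriptor larger than 32,768 bytes cannot be
# cached by pre-SP1 DSAccess, so report the raw descriptor size.
$sdLength = $sd.GetSecurityDescriptorBinaryForm().Length
if ($sdLength -gt 32768) {
    Write-Warning "Security descriptor is $sdLength bytes; exceeds the 32 KB pre-SP1 DSAccess limit."
} else {
    Write-Host "Security descriptor is $sdLength bytes (within the 32 KB limit)."
}

# Rights the KB says to deny: Read, Execute, Read permissions, List contents,
# Read properties, List object. Flag mapping is this example's assumption.
$required = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericExecute, ReadControl, ListChildren, ReadProperty, ListObject'

$rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $Trustee }

$deniedBits = 0
foreach ($r in $rules) {
    # Explicit Deny overrides inherited Allow (see the Warning above), so show both.
    $scope = if ($r.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Host ("{0,-6} {1,-9} {2}" -f $r.AccessControlType, $scope, $r.ActiveDirectoryRights)
    if ($r.AccessControlType -eq 'Deny' -and -not $r.IsInherited) {
        $deniedBits = $deniedBits -bor [int]$r.ActiveDirectoryRights
    }
}

$missing = $required -band (-bnot $deniedBits)
if ($missing -eq 0) {
    Write-Host "Explicit Deny ACEs for $Trustee cover all rights listed in the KB on $AdminGroupDN."
} else {
    Write-Warning "No explicit Deny for: $([System.DirectoryServices.ActiveDirectoryRights]$missing)"
}
```

Run it once before and once after step 5 of the procedure to confirm that only the intended administrative group gained the Deny ACEs and that the descriptor size stayed within the limit.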

MORE INFORMATION

When you use the Exchange Administration Delegation Wizard to delegate an Exchange administrator role to an administrative group, the Exchange Administration Delegation Wizard adds Exchange View Only Administrator access control permissions for the user or group to the Exchange organization.

The access control permissions that are granted by using the Exchange Administration Delegation Wizard are then inherited by any administrative group in the Exchange organization. An Exchange administrator must have Read, Execute, Read permissions, List contents, Read properties, and List object permissions to provide administrative functionality. For an Exchange administrator to manage an administrative group, the permissions must not be removed.

For more information about delegated administration, see the "Best practices for delegating Active Directory administration" white paper. To obtain this white paper, visit the following Microsoft Web site:

For more information about how to grant the Create Mailbox task to a user, click the following article number to view the article in the Microsoft Knowledge Base:

316792 Minimum permissions necessary to perform Exchange-related tasks

For more information about access control permissions and Exchange, click the following article number to view the article in the Microsoft Knowledge Base:

823018 Overview of Exchange administrative role permissions in Exchange 2003

For more information that is related to this behavior, click the following article numbers to view the articles in the Microsoft Knowledge Base:

312647 How to check and countercheck security-related information in Exchange System Manager in Exchange 2000 Server

813814 Exchange networking performance is very slow

246175 The role of DSAccess in Exchange 2000 Server


Modification Type: Major
Last Reviewed: 12/14/2005
Keywords: kbtshoot KB883381 kbAudITPRO