Forum Discussion
Arne Tiedemann
Jul 12, 2018, Copper Contributor
Exchange/Active Directory split permission experience
Hello @All, I have a question about the Exchange Server split permissions model for Active Directory. Overview:
After you enable Active Directory split permissions, the following cmdlets are no longer available:
New-Mailbox
New-MailContact
New-MailUser
New-RemoteMailbox
Remove-Mailbox
Remove-MailContact
Remove-MailUser
Remove-RemoteMailbox
After you enable Active Directory split permissions, the following cmdlets are accessible but you cannot use them to create distribution groups or modify distribution group membership:
Add-DistributionGroupMember
New-DistributionGroup
Remove-DistributionGroup
Remove-DistributionGroupMember
Update-DistributionGroupMember
I'm a consultant and my job is to help customers migrate their Exchange environment to the new Exchange versions or to Exchange Online, but today we have to take care about security! When Exchange is installed without split permissions, the Exchange Trusted Subsystem group has very high Active Directory rights (like a domain admin).
Normally we would have to recommend enabling Active Directory split permissions, but I cannot assess the impact. Does anyone have this experience and can inform me about the impact?
Thanks Arne
Arne,
the impact is mostly about the process of managing Active Directory accounts and Exchange-related attributes. In a split permissions model, accounts for user mailboxes, shared mailboxes, etc. are managed by the Active Directory team. Creating and deleting accounts is the responsibility of the AD team.
The Exchange-related attributes are still handled by the Exchange Trusted Subsystem. Enabling mailbox functionality is the responsibility of the Exchange team.
Cheers,
Thomas
Arne Tiedemann, Copper Contributor
Hi Thomas,
thanks for this answer.
I know these limitations, but I want to know side effects like IDM systems not being able to create new mailboxes in one go with New-Mailbox. They have to do:
New-ADUser -Name …
and
Enable-Mailbox
At this time I have only one small customer with split permissions, and I want to know the things that do not work after we switch to split permissions.
Do you have customers with split permissions enabled?
Thanks a lot Thomas for your reply.
Arne
Hi Arne,
Currently none of my clients use a split permissions approach.
In regards to IDM solutions:
The way an IDM creates and manages identities depends on the solution itself. Some use direct API calls to modify object attributes, some use a scripting approach. If split permissions are in use, you might end up using two different service accounts, one for each group of tasks. But in that case, what's the usefulness of split permissions, when a single solution is being used in the background?
I recommend workflow-based solutions to automate identity and account management, and use restricted access groups for pre-configured tasks. In that case the access and all actions are part of a single solution audit log.
I think that a split permissions approach is useful in a widely distributed infrastructure across regions, where AD is managed regionally and Exchange centrally.
-Thomas
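The two-step provisioning flow Arne describes (New-ADUser, then Enable-Mailbox) and the two-service-account situation Thomas raises, written out as an added PowerShell example. This is not code from the thread or from Microsoft; the user, OU, domain, Exchange host, database name and the two credential prompts are placeholders, and the ACL listing at the end is a read-only check of what the Exchange groups actually hold on the domain object, so you can compare before and after switching models rather than rely on the documentation's description.

```powershell
# Added example, not part of the original thread. All names below are placeholders.
#Requires -Modules ActiveDirectory

# --- Step 1: AD side. Under AD split permissions New-Mailbox is gone, so the
# account itself is created by the AD team's identity (or the IDM's AD service account).
$adCred = Get-Credential -Message 'AD provisioning account (placeholder)'
$newUser = @{
    Name              = 'Jane Doe'
    SamAccountName    = 'jdoe'
    UserPrincipalName = 'jdoe@contoso.example'        # placeholder UPN suffix
    Path              = 'OU=Users,DC=contoso,DC=example'  # placeholder OU
    AccountPassword   = (Read-Host -AsSecureString 'Initial password')
    Enabled           = $true
    Credential        = $adCred
}
New-ADUser @newUser

# --- Step 2: Exchange side. Enable-Mailbox stays available under split permissions,
# so a second identity (the Exchange team's, or the IDM's Exchange service account)
# mail-enables the existing AD account via Exchange remote PowerShell.
$exCred  = Get-Credential -Message 'Exchange provisioning account (placeholder)'
$sessionParams = @{
    ConfigurationName = 'Microsoft.Exchange'
    ConnectionUri     = 'http://exch01.contoso.example/PowerShell/'  # placeholder host
    Authentication    = 'Kerberos'
    Credential        = $exCred
}
$session = New-PSSession @sessionParams
Import-PSSession $session -DisableNameChecking | Out-Null
Enable-Mailbox -Identity 'jdoe' -Database 'DB01'   # placeholder database name
Remove-PSSession $session

# --- Check: what do the Exchange security groups hold on the domain root?
# Run this before and after the switch. The thread's concern is the domain-admin-like
# ACEs the shared model grants; this lists exactly which ACEs are present, instead of
# assuming the result from the documentation.
function Get-ExchangeGroupDomainAces {
    $domain = Get-ADDomain
    $acl = Get-Acl -Path ('AD:\' + $domain.DistinguishedName)
    $acl.Access |
        Where-Object { $_.IdentityReference -match 'Exchange (Trusted Subsystem|Windows Permissions)' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}
Get-ExchangeGroupDomainAces | Format-Table -AutoSize
```

Two separate credential prompts are deliberate: they are what the IDM would have to hold as two service accounts, which is the point Thomas makes about the value of the split when one automation system sits behind both.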