Forum Discussion
Arne Tiedemann
Jul 12, 2018, Copper Contributor
Exchange/Active Directory split permission experience
Hello @All, I have a question about the Exchange Server split permissions model for Active Directory. Overview: http://technet.microsoft.com/en-us/library/dd638106%28v=exchg.150%29.aspx?f=255&MSPPError=...
Arne Tiedemann
Jul 18, 2018, Copper Contributor
Hi Thomas,
thanks for this answer.
I know these limitations, but I want to know side effects, like IDM systems cannot create new mailboxes in one step with New-Mailbox. They have to do:
New-ADUser -Name …
and
Enable-Mailbox
At this time I have only one small customer with split permissions, and I want to know the things that are not working after we switch to split permissions.
Do you have customers with split permissions enabled?
Thanks a lot Thomas for your reply.
Arne
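The two-step provisioning Arne describes, written out as an added example (this is not code from the thread or from Microsoft). It assumes the ActiveDirectory module, an Exchange remote PowerShell endpoint, and placeholder names for the service accounts, OU, server and database; the split-model indicator at the top is a heuristic based on the documented behaviour that setup removes Exchange Trusted Subsystem from Exchange Windows Permissions when AD split permissions are enabled.

```powershell
# Added example, not from the original thread. Names, OU paths, server and
# database names are placeholders/assumptions.
Import-Module ActiveDirectory

function Test-ADSplitPermissions {
    # Heuristic: with AD split permissions enabled, 'Exchange Trusted Subsystem'
    # is no longer a member of 'Exchange Windows Permissions'. Returns $true
    # when that membership is absent (i.e. the split model appears active).
    $members = Get-ADGroupMember -Identity 'Exchange Windows Permissions' |
               Select-Object -ExpandProperty SamAccountName
    return -not ($members -contains 'Exchange Trusted Subsystem')
}

if (-not (Test-ADSplitPermissions)) {
    Write-Warning 'Shared permissions model detected; New-Mailbox would still work here.'
}

# Pin both steps to the same domain controller: Enable-Mailbox run against a
# different DC can fail because the new user object has not replicated yet.
$dc = 'dc01.contoso.example'   # placeholder DC name

# --- Step 1: create the AD user with the IDM's *AD* service account ---
# Under split permissions the Exchange-side account has no right to create
# user objects, so this step cannot be done from the Exchange session.
$adCred = Get-Credential -Message 'AD provisioning service account (placeholder)'
$newUserParams = @{
    Name              = 'Jane Doe'                                   # constructed sample identity
    SamAccountName    = 'jdoe'
    UserPrincipalName = 'jdoe@contoso.example'                       # placeholder domain
    Path              = 'OU=Users,OU=Corp,DC=contoso,DC=example'     # placeholder OU
    AccountPassword   = (Read-Host -AsSecureString 'Initial password')
    Enabled           = $true
    Server            = $dc
    Credential        = $adCred
}
New-ADUser @newUserParams

# --- Step 2: mailbox-enable the existing object with the Exchange account ---
# Enable-Mailbox only writes the Exchange attributes that Exchange is still
# allowed to manage in the split model, so this is the call that succeeds.
$exCred = Get-Credential -Message 'Exchange provisioning service account (placeholder)'
$sessionParams = @{
    ConfigurationName = 'Microsoft.Exchange'
    ConnectionUri     = 'http://exch01.contoso.example/PowerShell/'  # placeholder server
    Authentication    = 'Kerberos'
    Credential        = $exCred
}
$session = New-PSSession @sessionParams
Import-PSSession $session -DisableNameChecking | Out-Null

Enable-Mailbox -Identity 'jdoe' -Database 'DB01' -DomainController $dc   # DB01 is a placeholder

Remove-PSSession $session
```

Using two credentials is deliberate: the AD account never touches Exchange and the Exchange account never creates or deletes user objects, which is the separation the split model is meant to enforce. If an IDM product insists on a single account with both sets of rights, that account collapses the separation again, which is the point Thomas raises in the next reply.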
Jul 18, 2018
Hi Arne,
Currently none of my clients use a split permissions approach.
In regards to IDM solutions:
The way an IDM creates and manages identities depends on the solution itself. Some use direct API calls to modify object attributes, some use a scripting approach. If split permissions are in use, you might end up using two different service accounts, one for each group of tasks. But in this case, what's the usefulness of split permissions, when a single solution is being used in the background?
I recommend workflow-based solutions to automate identity and account management, and use restricted access groups for pre-configured tasks. In that case the access and all actions are part of a single solution audit log.
I think that a split permission approach is useful in a widely distributed infrastructure across regions, where AD is managed regionally and Exchange centrally.
-Thomas
Arne Tiedemann, Jul 19, 2018, Copper Contributor
Good morning Thomas
yes, you are right, normally it is for companies with locations around the world.
We are looking at this solution because of the security and the rights of the Exchange Trusted Subsystem.
In a normal installation of Exchange the Trusted Subsystem has too many rights in Active Directory, and an Exchange admin that has local admin rights on an Exchange server is of course a domain admin, which is bad.
But when you enable split permissions, Exchange admins can't do more things, as described, like:
- Setting send-as or full access permission
- You have trouble when you do cross forest migrations after split permission is active
- New-MailboxDatabase runs into an error
and so on...
My question was, does anyone have experience with split permissions in small or large organisations and can tell something about it.
Thanks Thomas and the community
Arne
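The first item in Arne's list (Exchange admins can no longer set Send-As) is the one most often hit day to day, because under the AD split model the Exchange side no longer holds write access on user objects. The added example below, which is not code from the thread or from Microsoft, shows how the grant is done from the AD side instead, by the AD administrator: it resolves the "Send As" extended right from the schema's Extended-Rights container rather than hard-coding its GUID, adds the ACE to the mailbox user's AD security descriptor, and returns the resulting ACE for verification. It assumes the ActiveDirectory module and its AD: drive; the function name and sample accounts are placeholders.

```powershell
# Added example, not from the original thread. Function name and account
# names are placeholders; run it as an AD administrator, not an Exchange admin.
Import-Module ActiveDirectory

function Grant-SendAsFromAD {
    param(
        [Parameter(Mandatory)] [string] $MailboxSam,   # mailbox owner (sAMAccountName)
        [Parameter(Mandatory)] [string] $TrusteeSam    # account allowed to send as the owner
    )

    # Resolve the 'Send As' extended right GUID from the forest's Extended-Rights
    # container so nothing is hard-coded.
    $rootDse = Get-ADRootDSE
    $sendAs  = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                            -LDAPFilter '(displayName=Send As)' -Properties rightsGuid
    $rightGuid = [guid]$sendAs.rightsGuid

    $mailbox = Get-ADUser -Identity $MailboxSam
    $trustee = Get-ADUser -Identity $TrusteeSam
    $adPath  = "AD:\$($mailbox.DistinguishedName)"

    # Build an Allow ACE for the ExtendedRight 'Send As', scoped to this object only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]$trustee.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )

    $acl = Get-Acl -Path $adPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $adPath -AclObject $acl

    # Return the ACE as written, so the caller (or an audit job) can verify it.
    Get-Acl -Path $adPath |
        Select-Object -ExpandProperty Access |
        Where-Object { $_.ObjectType -eq $rightGuid -and
                       $_.IdentityReference.Value -like "*\$TrusteeSam" }
}

# Usage (constructed sample accounts): let the shared mailbox owner 'sales' be
# sent as by 'jdoe'.
Grant-SendAsFromAD -MailboxSam 'sales' -TrusteeSam 'jdoe'
```

Because the write now happens through AD rather than through an Exchange cmdlet, it shows up in the AD audit trail (directory service object modification events on the mailbox user) instead of the Exchange admin audit log, so whoever watches for Send-As grants needs to look in both places after switching models.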