
Do Exchange administrators have to be system administrators on Exchange servers?

ajbrehm
New Contributor

Hello,

 

I asked this question before on TechNet (https://social.technet.microsoft.com/Forums/de-DE/a48fa3a9-df42-43ca-bc4f-24035853dd64/system-admini...).


After some confusing mentions of domain admins, the consensus appeared to be that no, Exchange administrators do not have to be system administrators, but nobody knows how it is supposed to work.

The problem is that there are several directories on Exchange servers which Exchange admins apparently need to access on a regular basis that the installer nevertheless configured with ACLs with access for sys admins only.

Our Exchange team in-house tells me that ACLs on those directories cannot be changed because Microsoft does not support Exchange installations where those ACLs have been changed.

Can anybody confirm whether Exchange admins have to be sys admins (and how this squares with RBAC guidelines) or how this is supposed to work?

It is apparently not a question that comes up a lot. Are Exchange admins usually sys admins? How do other companies handle this? Are all admins of all applications always sys admins?

4 Replies

@ajbrehm 

When we talk about the split permissions model in AD (when installing Exchange), an Exchange admin need not be a system administrator, because in large-scale industries you have dedicated professionals to do the work on AD and similarly on Exchange too.

 

In your case when ACL's are concerned, Yes - Microsoft doesn't support modified ACL's during Installation. But it is always recommended to split permissions between regular Exchange work, like messaging/core mail flow administration and database activities, versus regular server maintenance work, like patching and other updates, which is more or less system admin work that would go to the AD folks.

 

By default, during installation, the Organization Management role group becomes a local admin on the dedicated Exchange servers in your directory, and no separate local system permissions are needed on the servers.

 

Cheers !

Ankit Shukla

 

 

@ankit shukla 

"In your case when ACL's are concerned, Yes - Microsoft doesn't support modified ACL's during Installation. "

What does that mean? Who would modify ACLs during installation? The issue is that there are files that Exchange admins apparently need access to which they cannot access since the ACLs the installer sets exclude any Exchange groups. Do Microsoft support changing the ACLs after installation?

@ajbrehm Yes, you can modify the ACLs for your specific need when an Exchange admin needs to access something beyond their access placed on an Exchange server. But I do believe, as I said earlier, the Exchange admin role group (Org Mgmt) would give them admin access on the server, but it may vary with the AD split permissions model in large-scale organizations. And yes, Microsoft will support the modified ACLs even after installation too. Sorry for the typo in the earlier post.

 

Cheers !

Ankit Shukla

 

@ankit shukla 

Thank you very much! Can you point to an official Microsoft document that specifies that Exchange with modified ACLs is supported by Microsoft?
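
A read-only check of the two claims debated in this thread, added here as an example (not posted by either participant, and not Microsoft's code): whether the Organization Management role group is in the local Administrators group on the server, and which identities the directory ACLs actually grant access to. The path is a placeholder, and the name matching assumes an English-language Windows install.

```powershell
# Added example: read-only audit, changes nothing on the server.
# $Paths is a placeholder; pass the directories your Exchange admins need.
param(
    [string[]]$Paths     = @('C:\Path\To\ExchangeDirectory'),
    [string]  $RoleGroup = 'Organization Management'
)

# 1. Is the role group a member of local Administrators (well-known SID S-1-5-32-544)?
$localAdmins      = Get-LocalGroupMember -SID 'S-1-5-32-544'
$roleGroupIsAdmin = [bool]($localAdmins | Where-Object { $_.Name -like "*\$RoleGroup" })
"'$RoleGroup' is in local Administrators: $roleGroupIsAdmin"

# 2. For each directory, list the Allow ACEs and classify how the role group gets in.
foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }

    $allow = (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    $allow |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize

    # Direct ACE for the role group itself
    $direct = $allow | Where-Object { $_.IdentityReference.Value -like "*\$RoleGroup" }
    # ACE for the built-in Administrators group (English name assumed)
    $viaAdmins = $allow | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' }

    if ($direct) {
        "${path}: '$RoleGroup' has its own ACE."
    }
    elseif ($viaAdmins -and $roleGroupIsAdmin) {
        "${path}: '$RoleGroup' is granted access only through local Administrators membership."
    }
    else {
        "${path}: no Allow ACE found for '$RoleGroup', directly or through local Administrators."
    }
}
```

The second outcome is the case the original question describes: the ACL names only administrators, so access depends on local Administrators membership and, with UAC enabled, on an elevated session. The script does not evaluate Deny ACEs or access granted through other groups.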

 

 
