cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange/Active Directory split permission experience

Arne Tiedemann
Copper Contributor

‎Jul 12 2018 03:15 AM - edited ‎Jul 12 2018 05:10 AM

‎Jul 12 2018 03:15 AM - edited ‎Jul 12 2018 05:10 AM

Exchange/Active Directory split permission experience

Hello @All, I have a question about Exchange Server Split permission model for active directory. Overview: 

http://technet.microsoft.com/en-us/library/dd638106%28v=exchg.150%29.aspx?f=255&MSPPError=-214721739...

 

After you enable Active Directory split permissions, the following cmdlets are no longer available:

New-Mailbox

New-MailContact

New-MailUser

New-RemoteMailbox

Remove-Mailbox

Remove-MailContact

Remove-MailUser

Remove-RemoteMailbox

 

After you enable Active Directory split permissions, the following cmdlets are accessible but you cannot use them to create distribution groups or modify distribution group membership:

Add-DistributionGroupMember

New-DistributionGroup

Remove-DistributionGroup

Remove-DistributionGroupMember

Update-DistributionGroupMember

 

I'm a consultant and my job is to help customers to migrate there exchange environment to the new exchange versions or to exchange online, but today we have to take care about security! When exchange is installed without split permission, the Exchange Trusted Subsystem group have very high active directory rights (like a domain admin).

Normaly we have to ecommend to enable active directory split permission, but I can not assess the impact. Does anyone have these expirience and can inform me about the impact?

 

Thanks Arne

Labels:
7,423 Views
0 Likes
4 Replies
Reply
4 Replies
Thomas Stensitzki

‎Jul 17 2018 11:36 PM

‎Jul 17 2018 11:36 PM

Re: Exchange/Active Directory split permission experience

Arne,

the impact is mostly about the process of managing Active Directory accounts and Exchange related attributes. In a split permission model accounts for user mailboxes, shared mailboxes, etc. are managed by the Active Directory team. Creating and deleting accounts is in the responsibility of the AD-Team.

The Exchange related attributes are still handled by the Exchange Trusted Subsystem. Enabling mailbox functionality is in the responsibility of the Exchange Team.

Cheers,
Thomas

1 Like
Reply
Arne Tiedemann

‎Jul 18 2018 03:13 AM

‎Jul 18 2018 03:13 AM

Re: Exchange/Active Directory split permission experience

Hi Thomas,
thanks for this answer.
I know these limitations but I want to know site effects like idm systems cannot create new mailboxes in one way with New-Mailbox. They have to do:

New-ADUser -Name …
and
Enable-Mailbox

At this time I have only one small customer with split permission and I want to know the things that are not working after we switch to split permission.

Does you have customers with enabled split permissions?
Thanks a lot Thomas for your reply.
Arne
0 Likes
Reply
Thomas Stensitzki

‎Jul 18 2018 03:41 AM

‎Jul 18 2018 03:41 AM

Re: Exchange/Active Directory split permission experience

Hi Arne,

Currently none of my clients use a split permissions approach.

In regards to IDM solutions:

The way an IDM creates and manages depends identities depends on the solution itself. Some use direct API calls to modify  object attributes, some use a scripting approach. If a split permission is in use, you might end up using two different service accounts for each group of tasks. But in this case, what's the usefulness of split permission, when a single solution is being used in the background?

I recommend workflow based solutions to automate identity and account management and used restricted access groups to pre-configured tasks. In that case the access and all actions are part of a single solution audit log.

I think that a split permission approach is useful in a widely distributed infrastructure across regions, where AD is managed regionally and Exchange centrally.

 

-Thomas

2 Likes
Reply
Arne Tiedemann

‎Jul 18 2018 11:02 PM

‎Jul 18 2018 11:02 PM

Re: Exchange/Active Directory split permission experience

Good morning Thomas

yes you are right normally it is for a companies with locations around the world.

We are looking to this solution because the security and the rights from Exchange Trusted Subsystem.

In a normal installation of exchange the trusted subsystem has to many rights in active directory and as an exchange admin that has local admin rights on an exchange server he is of curse an domain admin, that is bad.

But when you enable Split permission exchange admins can't do more thing's as described like:

- Setting send-as or full access permission 

- You have trouble when you do cross forest migrations after split permission is active

- New-MailboxDatabase runs into an error

and so on...

 

My question was, does anyone have experience with split permission in small or large organisation's with split permission and can tell something about it.

 

Thanks Thomas and the community

Arne

0 Likes
Reply