Exchange Server: Inherited permissions on databases and mailboxes

On an Exchange 2019 server I noticed inherited permissions that had not been set deliberately. I suspect they are default permissions granted during Exchange setup: the account that was used for the installation holds quite extensive permissions at mailbox and database level. This came up during routine maintenance work.

These are the same rights that are automatically configured for the "Administrator" account. But just because the installation was run with this account, I do not want it to keep that many permissions. In particular, if the account is later deleted, its ACEs would remain behind as orphaned SIDs that can no longer be resolved to a name.

I initially assumed that these permissions were inherited from the database down to the mailboxes, but they are in fact inherited from much further up the tree, to the databases and the mailboxes alike.

One of the permissions is inherited from the "Microsoft Exchange" container in the Active Directory configuration partition (CN=Microsoft Exchange,CN=Services under the configuration naming context). It can be removed with ADSI Edit.

The second permission is inherited from the Exchange Organization container, the child object of "Microsoft Exchange" that carries the organization's name.

This entry can also be removed with ADSI Edit. Remove only the entries for the individual account: the ACEs for Exchange's own security groups (Exchange Trusted Subsystem, Exchange Servers, Organization Management and the like) on the same containers are required by Exchange itself. If the account is to keep its permissions but you still want a little more order here, it can instead be added to the "Exchange Organization Administrators" group, which carries the same permissions as the individual entries. The group with this name comes from Exchange 2007; in an organization set up with Exchange 2010 or later, the equivalent is the Organization Management role group.

After removing the two entries with ADSI Edit, the permissions at mailbox and database level look clean again.
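The following PowerShell is an added example and not code from the original post. It checks the three things discussed above before anyone touches ADSI Edit: where the account's explicit ACEs actually sit (the two containers rather than the databases), that the databases only carry inherited copies of them, and whether orphaned SIDs from deleted accounts have already accumulated on the containers. It assumes the ActiveDirectory module (RSAT), which provides the AD: drive used by Get-Acl and Set-Acl, and uses the placeholder account name CONTOSO\setupadmin for the account that ran setup. The removal function is only invoked when $RemoveAces is set to $true, since the post performs the deletion in ADSI Edit.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT), which provides the AD: drive used by Get-Acl / Set-Acl.
Import-Module ActiveDirectory

$Account    = 'CONTOSO\setupadmin'   # placeholder: the account that ran Exchange setup
$RemoveAces = $false                 # set to $true to actually strip the explicit ACEs

# The two containers named in the post, resolved from the forest's configuration NC.
$ConfigNC          = (Get-ADRootDSE).configurationNamingContext
$ExchangeContainer = "CN=Microsoft Exchange,CN=Services,$ConfigNC"
$OrgContainer      = (Get-ADObject -SearchBase $ExchangeContainer -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=msExchOrganizationContainer)').DistinguishedName

function Get-ExplicitAces {
    # Returns only ACEs defined directly on the object; inherited ones originate higher up.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Identity  = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Type      = $_.AccessControlType
                FlowsDown = $_.InheritanceType -ne 'None'   # None = applies to this object only
            }
        }
}

function Get-OrphanedSidAces {
    # An ACE whose identity can no longer be resolved to a name shows up as a raw SID string.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Get-ExplicitAces -DistinguishedName $DistinguishedName |
        Where-Object { $_.Identity -match '^S-1-\d+(-\d+)+$' }
}

function Remove-AccountAces {
    # Removes every explicit ACE for one account from one object. Exchange's own ACEs
    # (Exchange Trusted Subsystem, Exchange Servers, Organization Management, ...) stay
    # untouched because only entries whose identity equals $Identity are removed.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity
    )
    $acl     = Get-Acl -Path "AD:\$DistinguishedName"
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
    })
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    if ($targets.Count -gt 0) { Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl }
    return $targets.Count
}

$containers = @($ExchangeContainer, $OrgContainer)

# 1) Where the explicit ACEs for the account live: expected on the two containers only.
$containers | ForEach-Object { Get-ExplicitAces -DistinguishedName $_ } |
    Where-Object { $_.Identity -eq $Account } |
    Format-Table Object, Rights, Type, FlowsDown -AutoSize

# 2) On the mailbox databases the same account should show up only as inherited ACEs
#    (IsInherited = True); an explicit entry here would have to be cleaned up separately.
Get-ADObject -SearchBase $OrgContainer -LDAPFilter '(objectClass=msExchPrivateMDB)' |
    ForEach-Object {
        $db = $_.DistinguishedName
        (Get-Acl -Path "AD:\$db").Access |
            Where-Object { $_.IdentityReference.Value -eq $Account } |
            Select-Object @{n='Database';e={$db}}, ActiveDirectoryRights, IsInherited
    } | Format-Table -AutoSize

# 3) Orphaned SIDs already left behind by deleted accounts on both containers.
$containers | ForEach-Object { Get-OrphanedSidAces -DistinguishedName $_ } |
    Format-Table Object, Identity, Rights -AutoSize

# 4) Optional: remove the entries the post deletes via ADSI Edit.
if ($RemoveAces) {
    foreach ($dn in $containers) {
        $n = Remove-AccountAces -DistinguishedName $dn -Identity $Account
        Write-Host "Removed $n explicit ACE(s) for $Account from $dn"
    }
}
```

Run steps 1 to 3 first and keep the output; step 4 rewrites the security descriptor of the containers and takes effect for every database and mailbox below them immediately, so it should only be run once the listing shows nothing but the account you mean to remove.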

4 thoughts on "Exchange Server: Inherited permissions on databases and mailboxes"

  1. Good tip. Also popular are leftovers from the BlackBerry days, which then sit at DB level (as mentioned above), but also at org level.
  2. In the image for the second permission I think you forgot to blur an area (the title of the permissions window).