3.9. Checking Which Account or Group Has Been Assigned Permissions During ForestPrep
Problem
Exchange ForestPrep was run when the AD forest was first implemented, and you now need to know which account or group has been granted Exchange Full Administrator permissions.
Solution
Using graphical user interface
Open ADSI Edit (ADSIEdit.msc).
Browse to the Exchange Organization container object:
CN=<orgName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>
Note that if Exchange Server 2003 ForestPrep (as opposed to Exchange 2000) has been run, you may see a GUID here instead of a friendly name. For example:
CN={335A1087-5131-4D45-BE3E-3C6C7F76F5EC},CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
Right-click on the organization object and select Properties.
Click the Security tab, then click the Advanced button. Look for an account or group that has the permissions shown in Table 3-1.
Table 3-1. Permissions granted by ForestPrep
| Type | Permission | Inherited from | Apply to |
|---|---|---|---|
| Deny | Receive As | <not inherited> | This object and all child objects |
| Deny | Send As | <not inherited> | This object and all child objects |
| Allow | Full Control | | This object and all child objects |
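The check against Table 3-1 can also be scripted. The following is an added example, not part of the original recipe: a read-only PowerShell script that locates the organization object through ADSI and lists the trustees whose ACEs match the table. It assumes PowerShell 3.0 or later on a domain-joined machine with read access to the Configuration partition; the two GUIDs are the schema's well-known Send-As and Receive-As extended rights.

```powershell
# Added example: find trustees on the Exchange organization object whose ACEs
# match Table 3-1. Read-only; assumes PowerShell 3.0+ on a domain-joined host.
# Well-known schema GUIDs of the Send-As and Receive-As extended rights.
$sendAs    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$receiveAs = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
$extended  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Locate the organization object (friendly name or GUID) under the Configuration NC.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$searcher.SearchScope = 'Subtree'
$searcher.Filter      = '(objectClass=msExchOrganizationContainer)'
$found = $searcher.FindOne()
if (-not $found) { throw 'No msExchOrganizationContainer object found.' }
$org = $found.GetDirectoryEntry()

# Read explicit and inherited ACEs, keeping trustees as SIDs so that
# unresolvable accounts do not abort the enumeration.
$aces = $org.psbase.ObjectSecurity.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

$hits = foreach ($ace in $aces) {
    $isExt = ([int]$ace.ActiveDirectoryRights -band $extended) -ne 0
    $entry = $null
    if ($ace.AccessControlType -eq 'Deny' -and $isExt) {
        if     ($ace.ObjectType -eq $sendAs)    { $entry = 'Deny Send As' }
        elseif ($ace.ObjectType -eq $receiveAs) { $entry = 'Deny Receive As' }
    } elseif ($ace.AccessControlType -eq 'Allow' -and
              $ace.ActiveDirectoryRights -eq 'GenericAll') {
        $entry = 'Allow Full Control'
    }
    if (-not $entry) { continue }
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.IdentityReference.Value }   # fall back to the raw SID
    [pscustomobject]@{ Trustee = $name; Entry = $entry
                       Inherited = $ace.IsInherited; AppliesTo = $ace.InheritanceType }
}

$hits | Sort-Object Trustee, Entry | Format-Table -AutoSize
# Trustees that hold all three entries match Table 3-1 in full.
$hits | Group-Object Trustee |
    Where-Object { @($_.Group.Entry | Sort-Object -Unique).Count -eq 3 } |
    Select-Object -ExpandProperty Name
```

An AppliesTo value of All corresponds to "This object and all child objects" in the table.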
Using a command-line interface
Find the Exchange organization name using the following command:
> dsquery * "CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>" -scope subtree -filter "(objectclass=msExchOrganizationContainer)"
For example, ...