I was just pointed to the blog of David Loder who’s pointing out that the Release Candidate of Exchange 2010 is changing the permissions enforced by AdminSDHolder to critical groups to allow Exchange Organizational Admins to change the group memberships of Enterprise Admins, Schema Admins, Domain Admins a.s.o.
OK, one of Microsoft Program Managers already responded, and I do agree that this is not a released product and pre-release versions are there for finding those bugs.
I’d just like to say:
@Ross: This is not that hard to fix:
- for existing OUs stamp it on their ACE (preferably top-level - if inheritance is blocked on lower levels check and point to an KB
- for new OUs change the defaultNtSecurityDescriptor of the OU-Class in the schema
- don't touch adminSdHolder ;)
The first one will make sure that existing OUs allow Exchange Admins to control Group memberships (actually I’d even like to discuss if this is necessary – usually group membership administration is not done in the same instance where groups are mail enabled – the first one would be a generic help-desk task, the second a Exchange-Admin task).
I’d also prefer – if OUs are touched – that if the organization decided to block security inheritance at one point that a new version of some software shouldn’t go beyond that point but respect the design but warn them about the consequences.
The second suggestion makes sure that new OUs will get the permissions by default when creating the OU.
The third suggestion makes me think about two things:
- is there no process for infrastructure critical changes as changing the adminSdHolder (I’d think that the Active Directory Product Group should be involved if something as this is happening, how should they ensure security if other groups are mangling around with their mechanisms)?
- why is this coming up in RC? If a product is at Release Candidate Level, it’s mostly finished and usually there are not this many changes approved afterwards (unless they are critical). I hope that this will be fixed!
Thanks David for finding this one, very interesting, and I hope it’ll be fixed!
See Davids Blog for his post
See my blog-post about AdminSdHolder
And since I wanted to mention this: if you are in Europe (or want to come), The Experts Conference (TEC) is in Berlin next week and it is THE place for Active Directory and Exchange.