
Exchange 2007 Administration : Setup and Delegation

Management tools for 32bit OS

Download from: http://www.microsoft.com/downloads/details.aspx?familyid=6BE38633-7248-4532-929B-76E9C677E802&displaylang=en. During installation, you need to have access to AD. Furthermore, the tools won’t work on Vista. If either condition is not met, you’ll get an error like the one in the screenshot below:
[screenshot of the Management Tools setup error]
Check http://technet.microsoft.com/en-us/library/bb232090.aspx for more information about installing the Management Tools.

Powershell cheat sheet

PowerShell supports tab completion and command history (cycle through previous commands with the arrow keys).
Help on a certain command: get-help command
Show all fields: add | format-list (or FL) at the end of the command. If you want the fields in a table, use | format-table (or FT) instead.
Find cmdlets whose name contains a keyword: get-command *keyword*
If you want a command to pause and ask for approval before every change, use the -Confirm parameter. If you want to suppress the confirmation, use the -Force parameter (not all cmdlets accept -Force, so test before you put the script in production).
You can open the EMS quick reference (an HTML page) by running the quickref command.
The -WhatIf parameter lets you simulate a command without actually executing it. If you add -Validate, the prerequisites for running the cmdlet are checked as well.
If you want to log what you are doing in PowerShell, run Start-Transcript c:\MySession.txt -Append to start logging and Stop-Transcript to stop logging. The text file will contain all commands and their output from the PowerShell session between the Start- and Stop- commands.
If you want to repeat something a number of times, use 1..10 | ForEach { "do something here" }
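As an added example (not from the original post), the cheat-sheet items above combined into one logged dry run in the EMS: a transcript, cmdlet discovery, -WhatIf/-Validate previews of a bulk change, and a ForEach loop. The database, domain and account names are assumptions.

```powershell
# Added example (not part of the original post): a logged dry run that uses the
# cheat-sheet items above. Database, domain and account names are assumptions.
Start-Transcript -Path C:\MySession.txt -Append     # record every command and its output

# Discover the cmdlets for the job and read the help for one parameter
Get-Command *Mailbox* | Format-Table Name -AutoSize
Get-Help Set-Mailbox -Parameter ProhibitSendQuota

$db = "server1\First Storage Group\Mailbox Database"   # assumed database name

# Preview a bulk quota change: -WhatIf reports what would change without changing it,
# -Validate additionally checks that the prerequisites for the cmdlet are met
Get-Mailbox -Database $db |
    Set-Mailbox -ProhibitSendQuota 500MB -UseDatabaseQuotaDefaults $false -WhatIf -Validate

# Repeat an action a fixed number of times: preview the creation of five test mailboxes
$pw = Read-Host "Password for the test mailboxes" -AsSecureString
1..5 | ForEach {
    New-Mailbox -Name "testuser$_" -Alias "testuser$_" -UserPrincipalName "testuser$_@contoso.com" `
        -Database $db -Password $pw -OrganizationalUnit "contoso.com/Users" -WhatIf
}

# Once the previews look right, re-run the same commands without -WhatIf.
# Add -Confirm:$false only when you are sure you don't want the per-object prompt.
Stop-Transcript
```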

More tips & tricks can be found at http://technet.microsoft.com/en-us/library/bb397216.aspx

Schema update : setup.com (from Exchange installation DVD)

If the organization includes Exchange 2000 or 2003 servers : /PrepareLegacyExchangePermissions (run with Enterprise Admin rights)
On schema master of forest : /PrepareAD (run with Enterprise Admin and Schema Admin rights. Updates schema (same as /PrepareSchema) + current domain)
In each other domain (except the domain where /PrepareAD was used) : /PrepareDomain (run with Enterprise Admin or Domain Admin rights)

Set up organization

First server : if you have prepared the Schema and AD, you can run the setup with Domain Admin rights. If you did not apply the schema changes yet, run the setup with Enterprise Admin rights (because the Schema updates will be run during setup preparation).
Other servers : either with Domain Admin rights or via account that was assigned during Server Provisioning process :
setup.com /NewProvisionedServer:Servername /Serveradmin:Useraccount
(this will allow non-Domain Admins to set up an Exchange server in their domain.)
If you want to install an Exchange 2007 server into an existing 2003 organization, you need to be a member of the Exchange Admins group. After installing the 2007 server, a routing group will be created to allow for message routing between 2003 and 2007.
If you want to delegate Server Admin rights to a specific user account on a specific server, you can either use the wizard, or use the following EMS command : Add-ExchangeAdministrator -Identity "contoso.com/Users/KwekuA" -Role ServerAdmin -Scope server1.contoso.com

During setup, you will need to specify whether you want to support Outlook 2003 and earlier clients as well. If you want to support these clients, a public folder will be created. If you only want to support OL2007 and higher, no public folder will be created (which will provide you with one additional Storage Group)

Change list of Global Catalog and Domain Controllers used by Exchange

By default, Exchange will try to find the GCs and DCs it can use automatically. If you have dedicated certain machines to support Exchange services, you can use the Set-ExchangeServer cmdlet with the following parameters :
– StaticConfigDomainController
– StaticDomainControllers
– StaticExcludedDomainControllers
– StaticGlobalCatalogs
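As an added example (not from the original post), pinning one Exchange 2007 server to a dedicated set of DCs and GCs with the four parameters above, and checking what the server actually uses before and after. The server and DC names are assumptions.

```powershell
# Added example (not part of the original post): pin one Exchange 2007 server to a
# dedicated set of DCs/GCs and verify what it is really using. Server and DC names
# are assumptions.
$server = "server1"

# Before: what the server picked on its own (-Status queries the live topology)
Get-ExchangeServer -Identity $server -Status |
    Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController

# Pin the server: preferred DCs and GCs, the DC used for configuration reads,
# and a DC that must never be used (for example one in a remote site)
Set-ExchangeServer -Identity $server `
    -StaticDomainControllers dc1.contoso.com, dc2.contoso.com `
    -StaticGlobalCatalogs dc1.contoso.com `
    -StaticConfigDomainController dc1.contoso.com `
    -StaticExcludedDomainControllers dc3.contoso.com

# After: the static lists as stored, and the DCs now in use
# (give the topology service a moment before the Current* values reflect the change)
Get-ExchangeServer -Identity $server -Status |
    Format-List Name, Static*, Current*

# To return to automatic discovery, clear the static lists again ($null empties them)
# Set-ExchangeServer -Identity $server -StaticDomainControllers $null -StaticGlobalCatalogs $null `
#     -StaticConfigDomainController $null -StaticExcludedDomainControllers $null
```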

Delegate Recipient Admin rights in a multi-national/distributed environment

If you have multiple domains/admins in your environment, and you don’t want every admin to be able to manage all mailboxes (in other words: if you want to restrict management of mailboxes), you won’t be able to use the Exchange Recipient Admins group. This group is added to the AD ACLs at domain level, so if you add someone to it using the Exchange delegation wizard, that person gets access to every recipient object in the domain. If you want to grant recipient management to certain people without allowing management of all recipients, you’ll have to create a new AD group and use that group to set a new ACL on the objects those people may manage. The permissions that must be assigned are (from http://msexchangeteam.com/archive/2007/02/12/435171.aspx ):
Write access to the following property sets:
Exchange Personal Information
Exchange Information
Write access to the following attributes:
legacyExchangeDN
displayName
adminDisplayName
displayNamePrintable
publicDelegates
garbageCollPeriod
textEncodedORAddress
showInAddressBook
proxyAddresses
mail
Create msExchDynamicDistributionList objects access right
Delete msExchDynamicDistributionList objects access right
Full control over msExchDynamicDistributionList objects
Generic Read access right (includes Read Permissions, List Contents, List Object, Read All Properties)
Additionally :
Exchange View Only Administrator role
The ‘Access Recipient Update Service’ extended right on the Exchange 2007 administrative group. This extended right is required because in Exchange 2007 address related information is stamped on the recipient during the provisioning process.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists Container container within the Exchange organization. These rights are required so that the recipient administrator can execute the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container within the Exchange organization. These rights are required so that the recipient administrator can execute the Update-EmailAddressPolicy cmdlet.
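As an added example (not from the original post or the linked Exchange team article), the permission list above applied with the EMS Add-ADPermission and Add-ExchangeAdministrator cmdlets so that one AD group can manage recipients in a single OU only. The OU, group name and container DNs are assumptions, and the property-set names are passed to -Properties exactly as listed above; verify the result with Get-ADPermission before relying on it.

```powershell
# Added example (not part of the original post): give one AD group recipient-management
# rights over a single OU only, instead of domain-wide rights via the Exchange Recipient
# Administrators group. Run in the EMS as an Exchange Organization Administrator.
# The OU, group name and container DNs below are assumptions; check them against your forest.
$ou    = "OU=Sales,DC=contoso,DC=com"
$group = "contoso\Sales Recipient Admins"
$orgDN = (Get-OrganizationConfig).DistinguishedName
$adminGroupDN = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$orgDN"

# Property sets and single attributes the group may write on objects below the OU
$writeProps = "Exchange Personal Information", "Exchange Information",
              "legacyExchangeDN", "displayName", "adminDisplayName", "displayNamePrintable",
              "publicDelegates", "garbageCollPeriod", "textEncodedORAddress",
              "showInAddressBook", "proxyAddresses", "mail"

# Generic Read plus write access to just the listed properties, inherited down the OU
Add-ADPermission -Identity $ou -User $group -AccessRights GenericRead -InheritanceType All
Add-ADPermission -Identity $ou -User $group -AccessRights WriteProperty `
    -Properties $writeProps -InheritanceType All

# Create/delete dynamic distribution groups in the OU, and full control over existing ones
Add-ADPermission -Identity $ou -User $group -AccessRights CreateChild, DeleteChild `
    -ChildObjectTypes msExchDynamicDistributionList -InheritanceType All
Add-ADPermission -Identity $ou -User $group -AccessRights GenericAll `
    -InheritedObjectType msExchDynamicDistributionList -InheritanceType Descendents

# Organization-level pieces: view-only role, the RUS extended right, and write access
# to the two filter attributes on the Address Lists and Recipient Policies containers
Add-ExchangeAdministrator -Identity $group -Role ViewOnlyAdmin
Add-ADPermission -Identity $adminGroupDN -User $group -ExtendedRights "Access Recipient Update Service"
foreach ($container in "CN=Address Lists Container,$orgDN", "CN=Recipient Policies,$orgDN") {
    Add-ADPermission -Identity $container -User $group -AccessRights WriteProperty `
        -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
}

# Verify the result on the OU (repeat for the other identities). Nothing above grants
# rights on objects outside $ou, which is the point of the exercise.
Get-ADPermission -Identity $ou -User $group |
    Format-Table AccessRights, Properties, ExtendedRights, IsInherited -AutoSize
```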

If you want to see who has administrator access: use the Get-ExchangeAdministrator EMS cmdlet.
If you want to grant Exchange Server Administrator access for a specific account on a specific server, use the Add-ExchangeAdministrator -Identity UserAccount -Role ServerAdmin -Scope SERVERNAME EMS command. Remove-ExchangeAdministrator allows you to revoke the permissions again.
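As an added example (not from the original post), a short review of who holds Exchange administrator roles, with a server-scoped delegation and its revocation previewed with -WhatIf before anything is changed. The account and server names are assumptions.

```powershell
# Added example (not part of the original post): list who holds Exchange administrator
# roles and preview a delegation/revocation before applying it. Account and server
# names are assumptions.
$admins = Get-ExchangeAdministrator
$admins | Format-Table Identity, Role, Scope -AutoSize

# Organization-wide roles are the ones to review first: OrgAdmin, and RecipientAdmin
# (which grants access to every recipient object in the domain)
$admins | Where-Object { $_.Role -eq "OrgAdmin" -or $_.Role -eq "RecipientAdmin" } |
    Format-Table Identity, Role -AutoSize

# Server-scoped delegation and its removal, previewed with -WhatIf; drop -WhatIf to apply
Add-ExchangeAdministrator -Identity "contoso.com/Users/KwekuA" -Role ServerAdmin `
    -Scope server1.contoso.com -WhatIf
Remove-ExchangeAdministrator -Identity "contoso.com/Users/KwekuA" -Role ServerAdmin `
    -Scope server1.contoso.com -WhatIf
```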

© 2007 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
