Recipe 3.9. Checking Which Account or Group Has Been Assigned Permissions During ForestPrep

Problem

Exchange ForestPrep was run at the time that the AD forest was first implemented and you now need to know which account or group has been granted Exchange Full Administrator permissions.

Solution

Using a graphical user interface

  1. Open ADSI Edit (ADSIEdit.msc).

  2. Browse to the Exchange Organization container object:

     CN=<orgName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>

    Note that if Exchange Server 2003 ForestPrep (as opposed to Exchange 2000) has been run, you may see a GUID here instead of a friendly name. For example:

     CN={335A1087-5131-4D45-BE3E-3C6C7F76F5EC},CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com

  3. Right-click on the organization object and select Properties.

  4. Click the Security tab, then click the Advanced button. Look for an account or group that has the permissions shown in Table 3-1.

Table 3-1. Permissions granted by ForestPrep

  Type   Permission    Inherited from                                                  Apply to
  Deny   Receive As    <not inherited>                                                 This object and all child objects
  Deny   Send As       <not inherited>                                                 This object and all child objects
  Allow  Full Control  CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>   This object and all child objects


Using a command-line interface

Find the Exchange organization name using the following command:

 > dsquery * "CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>" -scope subtree -filter "(objectclass=msExchOrganizationContainer)"

For example, this will produce the organization name for the robichaux.net domain:

 > dsquery * "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=robichaux,DC=net" -scope subtree -filter "(objectclass=msExchOrganizationContainer)"

This query will return a distinguished name that you can use as the target for the dsacls.exe utility. For Exchange 2000, this will be the friendly organization name; for Exchange Server 2003, it may be a GUID. Use the returned DN in a dsacls query:

 > dsacls "CN=<orgName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>"

For example:

 > dsacls "CN={335A1087-5131-4D45-BE3E-3C6C7F76F5EC},CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=robichaux,DC=net"

The output from dsacls will show the permissions on the object. Look for the same account or group as suggested in the GUI solution.
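The same check scripted in PowerShell, as an added example that is not part of the cookbook: it runs the recipe's dsquery search through System.DirectoryServices, then reads the organization object's DACL and reports only the trustees whose entries match the Table 3-1 pattern, so you do not have to pick them out of the raw dsacls output by eye. It assumes the account running it can read the Configuration naming context; the Send-As and Receive-As GUIDs are the standard extended-right identifiers from the AD schema.

```powershell
# Added example (not the cookbook's own code): automate steps 2-4 of the GUI solution.
# Well-known extended-right GUIDs (schema rightsGuid values) for Send-As and Receive-As.
$SendAs    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ReceiveAs = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'

function Find-ExchangeOrganization {
    # Same LDAP search the recipe runs with dsquery, rooted under CN=Microsoft Exchange.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configNC = $rootDse.Properties['configurationNamingContext'][0]
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Microsoft Exchange,CN=Services,$configNC")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=msExchOrganizationContainer)')
    $searcher.SearchScope = 'Subtree'
    $hit = $searcher.FindOne()
    if (-not $hit) { throw 'No msExchOrganizationContainer found under CN=Microsoft Exchange; ForestPrep may not have been run.' }
    return $hit.GetDirectoryEntry()   # works whether the RDN is a friendly name or a GUID
}

function Get-ForestPrepAdmin {
    param([System.DirectoryServices.DirectoryEntry]$Org)
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    # Explicit and inherited rules, keyed by SID so unresolvable trustees do not abort the scan.
    $rules = $Org.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $seen = @{}
    foreach ($r in $rules) {
        $id = $r.IdentityReference
        try { $id = $id.Translate([System.Security.Principal.NTAccount]) } catch { }   # leave as S-1-... if untranslatable
        $who = $id.Value
        if (-not $seen.ContainsKey($who)) {
            $seen[$who] = [pscustomobject]@{ Trustee = $who; DenyReceiveAs = $false; DenySendAs = $false; InheritedFullControl = $false }
        }
        $deny = $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        # Table 3-1: explicit Deny Receive As, explicit Deny Send As, Allow Full Control inherited from the parent.
        if ($deny -and -not $r.IsInherited -and $r.ObjectType -eq $ReceiveAs) { $seen[$who].DenyReceiveAs = $true }
        if ($deny -and -not $r.IsInherited -and $r.ObjectType -eq $SendAs)    { $seen[$who].DenySendAs    = $true }
        if (-not $deny -and $r.IsInherited -and (($r.ActiveDirectoryRights -band $fullControl) -eq $fullControl)) {
            $seen[$who].InheritedFullControl = $true
        }
    }
    # Only trustees matching the whole pattern are the ForestPrep Exchange Full Administrators.
    $seen.Values | Where-Object { $_.DenyReceiveAs -and $_.DenySendAs -and $_.InheritedFullControl }
}

$org = Find-ExchangeOrganization
Write-Host "Exchange organization object: $($org.distinguishedName)"
Get-ForestPrepAdmin -Org $org | Format-Table -AutoSize
```

If the script returns nothing, compare the full rule list from GetAccessRules against Table 3-1 by hand, since a later administrator may have changed the inheritance or one of the Deny entries.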

Discussion

Many larger organizations tend to run Exchange ForestPrep at the time the AD forest is implemented. They do this to avoid the replication impact caused by running ForestPrep in a fully populated, live AD infrastructure. This may precede the installation of the first Exchange Server 2003 server by some time, and it may not be well documented. At the time Exchange ForestPrep is run, the setup program prompts for an account (or group) name. This account or group is then given Exchange Full Administrator permissions. When you want to install the first Exchange server, you may need to check, and optionally change, which account or group has been assigned these permissions.

The reason Exchange Server 2003 ForestPrep stamps a GUID instead of an organization name is quite sensible. It gives you more flexibility to change your mind about the name in the time between running ForestPrep and installing the first Exchange Server 2003 server. The Exchange 2000 ForestPrep would assign an organization name as one of its tasks, making it necessary to run setup with the /removeorg option if you subsequently wanted to change the organization name.

See Also

MS KB 312371 (HOW TO: Prepare the Forest by Using ForestPrep in Exchange 2000 Server)



Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235