Hi Experts,
I am deploying Exchange 2013 in an organization where Active Directory is currently handled and administered by different admins, and they want Exchange to be managed by another set of admins. My customer wants to completely isolate the administration and management of AD and Exchange. I have gone through some TechNet articles and tested options for both RBAC and the Active Directory split permission model. I think the Active Directory split permission model would be helpful, but while testing I came to know that, with split permissions, an Exchange admin cannot create or delete users/distribution groups but can still edit or modify the details (city, office address, phone number, department, display name, etc.), which means that this is not a full separation of roles between AD admins and Exchange admins.
Please help me resolve the queries and scenarios below, if they are supported by the Exchange split permission model:
(1) Only AD admins should be able to create, delete or modify the security principals' properties in Active Directory. Exchange admins should only need to modify Exchange-related properties/attributes from the Exchange Control Panel or shell. They should not be able to change the display name and other common AD-related attributes via the Exchange Admin Centre or Management Shell.
(2) Similarly, I want to restrict my AD admins from modifying or changing Exchange-related attributes by any means (ADSIEDIT, ADUC). I want to restrict my AD admins from assigning Organization Management or Recipient Management rights to themselves, making modifications on my Exchange servers via the shell or Admin Centre, and then revoking the membership from the Exchange security groups. I want AD admins and Exchange admins to do their respective tasks without any ability to change, edit or modify each other's settings.
(3) I want to restrict opening the Exchange Admin Centre (ECP) to some limited systems only. I know we can block ECP from being opened via the internet, but I want to restrict it within the internal network as well, so that it opens only from the limited systems of my Exchange admin.
Regards,
Aanand Singh Karki