Default permissions of "Send As" for "Account Op's"

From: Michael Devlin (Michael.Devlin@figleaves.com)
Date: 02/28/02 

Date: Thu, 28 Feb 2002 17:47:08 -0000
From: "Michael Devlin" <Michael.Devlin@figleaves.com>
To: <focus-ms@securityfocus.com>

System: Windows 2000 SP2
                Exchange 2000 SP2

I have checked this on our live domain and a test domain.

It appears that "account operators" group , by default has "Send As"
permission on new users..... This is uninherited, so it will be set
wherever the user is created within AD.

This then means that anyone in an Exchange20000 environment who is an AO
is able to send mail as anyone else.

Could someone please confirm this....

It also brings to light another question.... The default permissions set
upon creation of a user are derived from where? Ie is there a
permissions "template"?

Regards

Michael Devlin

Relevant Pages

  • RE: Default permissions of "Send As" for "Account Ops"
    ... Account Ops have full control permissions of every new user object by default. ... They are very useful free reference material--the book is even better. ... > I have checked this on our live domain and a test domain. ...
    (Focus-Microsoft)
  • Re: How can I prevent a certain program from being run?
    ... ***Do testing on a test domain, not your production domain, you can cause ... This is NOT and exe file, and it's not a matter of permissions. ... HOW TO Set the My Documents Folder as Private in Windows XP ...
    (microsoft.public.windowsxp.general)
  • Win 2003 - Share can be read with no NTFS permission?
    ... I have small test domain with couple of machines. ... I shared folder "ShareA", with default permissions. ... NTFS Security permissions ...
    (microsoft.public.win2000.security)