• Yes, that is not possible. The Exchange team say that Exchange's log file folder MUST remain as created, i.e. with permissions for only Administrators, because otherwise, MSFT told them, MSFT would not support it.

    I know I can test this theoretically. But corporate reality is that service owners do not want to lose permissions and are less than helpful when you ask them to check if they can work with fewer permissions. It's always the same: the principle of least privilege is great, but obviously not in our situation/for our application.

    Our company is too large to have one team for Windows Server and Exchange. There are lots of other applications with the same issue as well. We cannot just make all those hundreds of people into one team with essentially the same job description.

    We have similar issues with IIS (iismgr.exe refuses to work without admin rights, fixed via self-created "sudo" for Windows), Sharepoint (team say it falls apart completely if a certain icon is clicked without the clicker having admin rights), Tableau (has a cmd file that looks for a java.exe and then runs a Java program base64-encoded into the same batch file, won't run without admin rights), and basically every piece of "enterprise software" imaginable. All "require" admin rights and the vendors never care to provide what permissions their software really needs or why; they just check whether they are run as admin and that's what they support.

    Of course, Microsoft themselves are among the worst perpetrators of this custom.

    VMS had a feature that would give a certain image certain privileges, but Windows doesn't have that (or at least I haven't found it yet). A Unix-like sudo is also not a good answer because the vast majority of Windows applications allow users to start programs from the open-file/save-file dialogue, rendering a sudo-based approach useless. (Tableau is a special case because it actually looks for a java.exe and hence anyone can provide it an exe file of their choice.)

    I am now looking into an approach where a job object limits the number of processes running within it with admin rights to one (the first started) but even that will not necessarily help with Exchange.

  • Andrew Brehm's profile was updated 1 year, 9 months ago

  • For a while now I have been trying to find out whether an Exchange admin has to be a local admin on the Exchange server.

    Answers in MSFT forums are contradictory.

    Most do not understand the question and keep saying that they do not have to be domain admins. (That was never an issue.)

    The others say that they don't have to be sysadmins but when asked about Exchange log files being readable only by the Administrators group, they also refer to the domain admin thing.

    Does anyone here know what the correct RBAC configuration is for Exchange? We don't want application admins to be sysadmins and MSFT appear not to want to tell anyone what permissions an Exchange admin really needs on an Exchange server.

    Any ideas?
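As an added example (not part of the original post, and not Microsoft's or the Exchange team's code), here is a PowerShell audit that lists which identities can actually read a given folder, such as the Exchange logging directory the post refers to. It turns "the log folder is readable only by Administrators" into something you can verify on the box before discussing permissions with the service owner. `$LogFolder` is a placeholder path, not a real Exchange path from the page.

```powershell
# Added example: report who can read a directory and flag any non-admin identity
# that already has read access. $LogFolder is a placeholder; replace it with the
# real logging path on the server you are auditing.
param(
    [string]$LogFolder = 'C:\Placeholder\Exchange\Logging'
)

# ReadData (file) and ListDirectory (folder) share the same access bit, so one
# mask covers both "read the file" and "list the folder".
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

# Identities that are expected to hold access on a vendor-locked folder.
$expectedAdmins = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

$acl = Get-Acl -Path $LogFolder

$report = foreach ($ace in $acl.Access) {
    # Only Allow entries grant anything; Deny entries are listed separately below.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        CanRead   = (($ace.FileSystemRights -band $readMask) -ne 0)
        IsAdmin   = ($ace.IdentityReference.Value -in $expectedAdmins)
    }
}

Write-Host "Owner: $($acl.Owner)"
Write-Host "Allow entries on $LogFolder`:"
$report | Format-Table -AutoSize

$denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
if ($denies) {
    Write-Host "Deny entries:"
    $denies | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}

# Anything here is a non-admin identity that can already read the logs, i.e.
# evidence that the folder is not in fact "Administrators only".
$nonAdminReaders = $report | Where-Object { $_.CanRead -and -not $_.IsAdmin }
if ($nonAdminReaders) {
    Write-Host "Non-admin identities with read access:"
    $nonAdminReaders | Format-Table Identity, Rights, Inherited -AutoSize
} else {
    Write-Host "No non-admin identity has read access to $LogFolder."
}
```

Run it from an elevated prompt on the server; `Get-Acl` itself needs read-control on the folder. The `Inherited` column matters in practice: an entry inherited from a parent directory is the kind of thing vendors tend to overlook when they say a folder "must remain as created", so a finding there is worth raising with the service owner separately from the explicit entries.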

  • MSFT appear not to have updated their documentation on Nano Server since 2017 and all information appears to be wrong or out-of-date.

    The NanoServerPackage module cmdlets don't work for me:

    PS C:\Users\user\Documents> Find-NanoServerPackage
    WARNING: Cannot find path 'C:\Users\user\AppData\Local\NanoServerPackageProvider\searchNanoPackageIndex.txt'
    because it does not exist.
    WARNING: Save-HTTPItem: Bits Transfer failed. Job State:  ExitCode = -2147023651

    And there are no Nano Server packages on the Server 2019 ISO that I can find. (Apparently they were on the 2016 ISO.)

    All documentation I can find refers either to the NanoServerPackage module last updated in 2016 (which doesn't work) or to the NanoServer packages being on the ISO (which is not true for Server 2019).

    Does anyone know how I am supposed to install, for example, IIS on a NanoServer Docker image?

    (Note that I am not looking for a way to download a ready-made image with NanoServer and IIS. I want a generic answer.)

    Any ideas?

  • Andrew Brehm changed their profile picture 1 year, 9 months ago

  • Andrew Brehm became a registered member 1 year, 9 months ago

© 4sysops 2006 - 2021
