Hi All,
I'm currently running Hybrid Exchange OnPremise 2019-Exchange Online with no mailboxes on-premise, and OnPremise AD DS is synced to Azure AD via Azure AD Connect.
What are the consequences of removing the following highly privileged nested builtin AD groups:
'Organization Management'
'Exchange Organization Administrators'
'Enterprise Admins'
When I joined the company, the above structure was already in place, and I wanted to flatten the design to simplify AD group membership.
I would be grateful for any assistance you can offer.
https://learn.microsoft.com/en-us/exchange/built-in-role-groups-exchange-2013-help
https://learn.microsoft.com/en-us/exchange/permissions/permissions?view=exchserver-2019#role-groups
Ok, gotcha, you can remove nested groups yes, but if you do, the same caveat applies. Make sure the Exch Admin accounts are direct members of the parent Organization Management group.
Enterprise Admins is not a member of Exch Org mgmt by default.
There is no point in removing those groups honestly :)
Doing so will probably break your access to Exchange at some level.
The next 2019 CU will recreate them when setup/prepareAD is run if they are removed regardless.
Remove all the users from those groups who do not need access, but do not remove any member of the Exchange org Mgmt group that is used to manage the Exchange org.
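A read-only check to run before flattening, as an added example that is not part of the original thread: it lists every account with effective membership of Organization Management and shows whether it is a direct member or only reaches the group through a nested group. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name `Get-RoleGroupMembershipReport` is hypothetical.

```powershell
# Added example: read-only audit, requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-RoleGroupMembershipReport {
    param(
        [string]$GroupName = 'Organization Management'
    )

    # Direct members: users, plus any groups nested directly in the role group.
    $direct        = @(Get-ADGroupMember -Identity $GroupName)
    $directUserDns = @($direct | Where-Object objectClass -eq 'user' |
                       ForEach-Object distinguishedName)
    $nestedGroups  = @($direct | Where-Object objectClass -eq 'group')

    # Cache the users each directly nested group contributes (any nesting depth).
    $nestedUsers = @{}
    foreach ($g in $nestedGroups) {
        $nestedUsers[$g.Name] = @(
            Get-ADGroupMember -Identity $g.distinguishedName -Recursive |
                Where-Object objectClass -eq 'user' |
                ForEach-Object distinguishedName)
    }

    # Effective members: every user reachable through direct or nested membership.
    $effective = @(Get-ADGroupMember -Identity $GroupName -Recursive |
                   Where-Object objectClass -eq 'user')

    foreach ($user in $effective) {
        $dn  = $user.distinguishedName
        $via = @($nestedUsers.Keys | Where-Object { $nestedUsers[$_] -contains $dn })
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Direct         = $directUserDns -contains $dn
            ViaNestedGroup = $via -join '; '
        }
    }
}

# Accounts with Direct = False depend entirely on the nesting.
Get-RoleGroupMembershipReport |
    Sort-Object Direct, SamAccountName |
    Format-Table -AutoSize
```

Any Exchange admin account that shows `Direct = False` needs to be added directly to Organization Management before the nested group is removed, otherwise it loses its access.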
Hello
Thank you for your question and for reaching out. I understand you have a query/issue related to built-in AD groups.
As you have mentioned, you are using a Hybrid Exchange environment, and these are built-in groups which were created during the deployment of AD and Exchange.
Hence it is advisable not to remove these groups. However, you can remove users from these groups who are not needed.