This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi All,
I'm currently running Hybrid Exchange OnPremise 2019-Exchange Online with no mailboxes on-premise, and OnPremise AD DS is synced to Azure AD via Azure AD Connect.
What are the consequences of removing the following highly privileged nested builtin AD groups:
'Organization Management'
'Exchange Organization Administrators'
'Enterprise Admins'
When I joined the company, the above structure was already in place, and I wanted to flatten the design to simplify AD group membership.
I would be grateful for any assistance you can offer.
https://learn.microsoft.com/en-us/exchange/built-in-role-groups-exchange-2013-help
https://learn.microsoft.com/en-us/exchange/permissions/permissions?view=exchserver-2019#role-groups
Ok, gotcha, you can remove nested groups yes, but if you do, the same caveat applies. Make sure the Exch Admin accounts are direct members of the parent Organization Management group.
Enterprise Admins is not a member of Exch Org mgmt by default.
That's great, many thanks @Andy David !
There is no point in removing those groups honestly :)
Doing so, will probably break your access to Exchange at some level.
The next 2019 CU will recreate them when setup/prepareAD is run if they are removed regardless:
Remove all the users from those groups who do not need access, but do not remove any member of the Exchange org Mgmt group that is used to manage the Exchange org.
Hi ,
No, I don't want to remove or delete the built-in AD security group, but just wanted to remove the nested structure so that it does not overly complicate the users and the service accounts in the groups.
So in other words, it is re-organizing, not removing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello
Thank you for your question and reaching out. I can understand you are having query\issues related to Built in AD groups.
As you have mentioned that you are using Hybrid Exchange environment and These are built-in groups which were created during the deployment of AD and Exchange.
Hence It is advisable to do not remove these groups , However you can remove Users from these groups which are not needed.
--If the reply is helpful, please Upvote and Accept as answer--
Hi @limitless Technology,
I am not removing or deleting the built-in AD groups below, but just wanted to make them not nested three levels like in the below structure:
'Organization Management'
'Exchange Organization Administrators'
'Enterprise Admins'