Removing the nested highly privileged builtin AD groups to flatten the structure just AD User only with no groups?

EnterpriseArchitect 4,721 Reputation points
2023-03-15T04:45:35.53+00:00

Hi All,

I'm currently running Hybrid Exchange OnPremise 2019-Exchange Online with no mailboxes on-premise, and OnPremise AD DS is synced to Azure AD via Azure AD Connect.

What are the consequences of removing the following highly privileged nested builtin AD groups:

'Organization Management'
    'Exchange Organization Administrators'
        'Enterprise Admins'

When I joined the company, the above structure was already in place, and I wanted to flatten the design to simplify AD group membership.

I would be grateful for any assistance you can offer.

https://learn.microsoft.com/en-us/exchange/built-in-role-groups-exchange-2013-help

https://learn.microsoft.com/en-us/exchange/permissions/permissions?view=exchserver-2019#role-groups

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,071 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,838 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,168 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,341 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,881 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 141.3K Reputation points MVP
    2023-03-16T12:36:54.4833333+00:00

    Ok, gotcha, you can remove nested groups yes, but if you do, the same caveat applies. Make sure the Exch Admin accounts are direct members of the parent Organization Management group.

    Enterprise Admins is not a member of Exch Org mgmt by default.


2 additional answers

Sort by: Most helpful
  1. Andy David - MVP 141.3K Reputation points MVP
    2023-03-15T16:22:12.74+00:00

    There is no point in removing those groups honestly :)

    Doing so, will probably break your access to Exchange at some level.

    The next 2019 CU will recreate them when setup/prepareAD is run if they are removed regardless:

    https://learn.microsoft.com/en-us/exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019#step-2-prepare-active-directory

    Remove all the users from those groups who do not need access, but do not remove any member of the Exchange org Mgmt group that is used to manage the Exchange org.

    1 person found this answer helpful.

  2. Limitless Technology 43,926 Reputation points
    2023-03-15T16:14:15.65+00:00

    Hello

    Thank you for your question and reaching out. I can understand you are having query\issues related to Built in AD groups.

    As you have mentioned that you are using Hybrid Exchange environment and These are built-in groups which were created during the deployment of AD and Exchange.

    Hence It is advisable to do not remove these groups , However you can remove Users from these groups which are not needed.

    --If the reply is helpful, please Upvote and Accept as answer--