
Guarding Your Exchange Organization Against Rogue System Administrators

Rogue system administrators exist in every organization. How do you protect your Exchange organization from administrators who have gone bad but are still employed in your establishment?

The first thing that probably comes to mind is to fire the administrator, but in the eyes of other people the administrator may appear to be a good person, with no grounds for dismissal. This individual knows exactly how to "fly below the radar" and avoid being noticed by upper management, but you know that they are there.

In fact, you see some of the errors they have made in your Exchange organization because they have had no training with Exchange Server. All this individual knows how to do is create mailboxes in Exchange Server; when there is an issue with the server, they do not know how to resolve it.

A rogue administrator, as I said earlier, is an administrator who has gone bad. In other words, it is a person who behaves badly but is still liked in spite of their behaviour. Longman's dictionary further defines a rogue as a person who is dishonest and has a very bad character.

Any administrator who has admin rights in an Active Directory environment also has rights, by default, to administer any Exchange organization, at least from the perspective of Exchange 2010. If I remember correctly, in Exchange 2003 an Exchange administrator had to be in a specific group in order to manage the Exchange 2003 organization.

Many system administrators who administer Active Directory do not even know that they have administrative rights to manage an Exchange 2010 organization, as long as they are in the system admins group in Active Directory. At least this is so in the environment where I am presently employed.

Using RBAC, or role-based access control, in Exchange 2010 can help any administrator set up boundaries that keep these rogue system administrators out of the Exchange 2010 organization.

The Microsoft Exchange Team Blog recently published a post that shows you how to set up boundaries in Exchange 2013 and Exchange 2010 to help with the problem of rogue system administrators having access to Exchange. Below is an excerpt from that article. It is a really good read; you can follow the link just below the quote to see the entire article.


Occasionally I am asked the following question – how can I protect the messaging environment from a rogue administrator? There are essentially two concerns being asked in this question:

  1. How do I protect the data from being deleted by a rogue administrator?
  2. How do I protect the data from being accessed and/or altered by a rogue administrator?

Sometimes this discussion leads to a discussion about only the chosen backup architecture. The reality is that whether you implement Exchange Native Data Protection or a third-party backup solution, a backup, by itself, does not protect you from rogue administrators; it only mitigates the damage they potentially cause. Any administrator that has the privileged access to the messaging data (whether it be live data and/or backup data), can compromise the system. Therefore, some operational changes must be implemented within the organization in order to reduce the attack surface of an administrator who has gone rogue.

Read the entire Article at the Exchange Team Blog

Implementing RBAC in Exchange 2010 can reduce the attack surface of Exchange 2010 against a rogue administrator.
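As an added example, not part of the original post or the Exchange Team Blog article, the following Exchange 2010 Management Shell commands show the two things RBAC gives you against the scenario above: an inventory of who currently holds organization-wide rights, and a role group whose members can only touch recipients inside one department. The department name, group names and the account CONTOSO\jdoe are constructed placeholders.

```powershell
# Added example (not from the original post). Run in the Exchange 2010
# Management Shell as a member of Organization Management.
# "Sales", "Sales Mailbox Admins" and CONTOSO\jdoe are constructed placeholders.

# 1. Who has full Exchange rights today? Organization Management members can do
#    almost anything in the org, so this list should be short and every name known.
Get-RoleGroupMember -Identity "Organization Management" |
    Select-Object Name, RecipientType

# 2. Every role a given administrator holds, directly or via role groups, with the
#    recipient and configuration scope attached to each assignment.
Get-ManagementRoleAssignment -RoleAssignee "CONTOSO\jdoe" |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope, ConfigWriteScope

# 3. A recipient scope limited to one department, and a role group whose members
#    may create and manage recipients only inside that scope.
New-ManagementScope -Name "Sales Mailboxes" `
    -RecipientRestrictionFilter { Department -eq "Sales" }

New-RoleGroup -Name "Sales Mailbox Admins" `
    -Roles "Mail Recipients", "Mail Recipient Creation" `
    -CustomRecipientWriteScope "Sales Mailboxes" `
    -Members "CONTOSO\jdoe" `
    -Description "Recipient management limited to the Sales department"

# 4. Take the same person out of the org-wide group, so the scoped group is the
#    only path to Exchange rights they have left.
Remove-RoleGroupMember -Identity "Organization Management" -Member "CONTOSO\jdoe" -Confirm:$false

# 5. Administrator audit logging (Exchange 2010 SP1 and later) records which
#    account ran every cmdlet that changed the organization.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters *

# Review destructive actions by any administrator over the last seven days.
Search-AdminAuditLog -Cmdlets Remove-Mailbox, Disable-Mailbox, Remove-MailboxDatabase `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
```

Two caveats go with this. RBAC scopes only constrain what Exchange cmdlets will do; as the post notes, someone who still holds Domain Admin rights in Active Directory can add themselves back to a role group, so the role group membership changes have to be paired with tightened delegation in Active Directory itself. And the audit log is what lets you prove, rather than suspect, that an administrator did something; keep it enabled and review it on a schedule rather than only after an incident.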

By Andrew Moss


Exchange 2003 to 2010 Migration / How to Remove the Last Legacy Exchange Server From Your Environment

More than likely, if you have partially completed your Exchange 2003 to 2010 migration, then you are one of the many Exchange administrators that still has legacy Exchange servers installed as part of the organization. I know that I am not the only administrator with this configuration. There should be many others on the planet just like me.

If you are like me, then you are one of those administrators who did not pay much attention to completely migrating from Exchange 2003 to 2010, because everything was running smoothly with Exchange 2003 and Exchange 2010 as part of the same organization. Don't be the last administrator on the planet to upgrade from Exchange 2003 to 2010, or to the latest Exchange Server version.

Exchange Server 2003 reached its end-of-support date on April 8, 2014, as per the Microsoft Product Lifecycle website and a blog post on the Microsoft Exchange Blog. If you still have Exchange 2003 mixed with 2010 in your environment, then you should begin phasing the Exchange 2003 servers out of your 2010 environment in order to get assistance from Microsoft when you need it.

I am not saying that you will not get any assistance if the environment is mixed, but who knows. Microsoft Support may ask you to bring your environment up to date first and offer you assistance afterwards. Why wait until you need assistance? Now is the time to begin your transition to Exchange 2010 or Exchange 2013.

Every administrator will need some sort of assistance from Microsoft during the course of their career, even if you are a certified administrator. I learned a long time ago that you will never know everything about one system. Everyone has a piece of the puzzle, and we are all much smarter together. As an administrator you should strive never to be in a position where you are unable to get assistance when needed.

Even though Exchange Server 2013 is the latest Exchange product on the market as of the writing of this article, Exchange 2010 is still relevant. Mainstream support does not end until January 2015, and extended support runs until January 2020. Microsoft appears to always give at least a ten-year span to any newly created Exchange product; at least this is what I have seen.

Phasing out legacy Exchange 2003 servers from an Exchange Server 2010 organization is an integral step in any Exchange 2003 to 2010 migration process. I would even go as far as to say that, if you do not do this step, you will not be able to introduce Exchange Server 2013 into your organization at all, until your organization has been converted to a pure Exchange 2010 environment with Service Pack 3 for Exchange installed.

My Existing Exchange Environment and Issue

My present environment consists of three Exchange 2003 servers, with two Exchange 2010 servers set up in a DAG, or Database Availability Group. My organization level is only on Service Pack 1, or SP1 for short, with Update Rollup 6 installed. My Exchange 2003 servers are running Windows Server 2003 with SP1, and my Exchange 2010 servers are running the Windows Server 2008 Enterprise OS.

My main reason for attempting to move all legacy Exchange 2003 servers out of our environment is firstly compliance. If Exchange 2003 is not supported any more, there is no need to keep it mixed with my Exchange 2010 servers.

Secondly, I want to begin the process of introducing an Exchange 2013 server into our existing organization. To do this my environment must be pure Exchange 2010 and have at least the latest service pack installed. At the time of writing, SP3 is the latest service pack available for Exchange 2010.

At first I thought about calling Microsoft Support to assist me with moving the legacy Exchange servers out of the environment, but Microsoft Support only assists you if the system is already broken. As an administrator, every year I would purchase a five-pack support package from Microsoft to assist me whenever I needed help with issues that I was unable to resolve on my own. I did not want to waste a call to Microsoft until I actually needed assistance.

The Plan

My plan was to first remove all legacy Exchange 2003 servers from the environment, so I could be in compliance with Microsoft. My long-term plan was to implement a pure Exchange Server 2013 environment by first moving to a mixed environment with Exchange 2010 and Exchange 2013. My goal was also to complete all of the necessary tasks seamlessly in the background, without any of my end users being disrupted.

To remove the legacy 2003 servers from the environment, I found a document created by Microsoft that really took all of the guesswork out of the project. The name of the document and the link to it are below. If you are in a similar position you should get a copy of the document.

Remove the legacy exchange server from an exchange server 2010 organization.

The document includes links to other needed resources that will help you migrate from Exchange 2003 to 2010 by showing you how to prepare to move all legacy servers out of your Exchange 2010 environment.

The first part of the document shows you how to prepare the Exchange 2003 organization to remove the first legacy Exchange servers from the environment. The second part shows you how to remove the last Exchange 2003 server from the environment.

If your environment is mixed like mine, then you have probably already completed step 1 of the document without even seeing it. This step consists of moving all Exchange 2003 mailboxes to Exchange 2010 servers.

My Exchange 2003 servers are just sitting in our environment hosting the public folders, and still acting as the servers responsible for generating the Offline Address Book.

This is by far one of the best documents available for moving the first and the last legacy Exchange 2003 servers out of your environment. An Exchange 2003 to 2010 migration is easy, as long as you are using the correct document.

Visit the Microsoft site here to get the document on how to move the legacy Exchange servers out of your environment. Using the document will give you a smooth Exchange 2003 to 2010 migration.
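Before following the document, it helps to know exactly what still depends on the legacy servers. The read-only inventory below is an added example (not from Microsoft's document or the original post) that runs from the Exchange 2010 Management Shell and lists, for every pre-2010 server, the mailboxes still homed there, the public folder databases it hosts, and the Offline Address Books it still generates, which is exactly the situation the author describes. It assumes the 2010 shell can see the 2003 servers in the same organization, which is the case in a mixed environment.

```powershell
# Added example (not from the original post or Microsoft's document).
# Read-only inventory of what still depends on legacy Exchange servers; run from
# the Exchange 2010 Management Shell before decommissioning anything.

# Exchange 2010 reports AdminDisplayVersion major 14; anything lower is 2003/2007.
$legacy = @(Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -lt 14 })
$legacy | Select-Object Name, AdminDisplayVersion, ServerRole, Site | Format-Table -AutoSize

foreach ($srv in $legacy) {
    Write-Host "== $($srv.Name) =="

    # Step 1 of the document: no mailbox may remain on the legacy server.
    $mbx = @(Get-Mailbox -Server $srv.Name -ResultSize Unlimited)
    Write-Host "  Mailboxes remaining   : $($mbx.Count)"
    $mbx | Select-Object -First 10 | ForEach-Object { Write-Host "    $($_.Name)" }

    # Public folder databases still hosted there (the author's servers were kept
    # only for public folders and OAB generation).
    $pfdb = @(Get-PublicFolderDatabase -Server $srv.Name -IncludePreExchange2010)
    Write-Host "  Public folder databases: $($pfdb.Count)"
    $pfdb | ForEach-Object { Write-Host "    $($_.Name)" }
}

# Offline Address Books whose generation server is still a legacy machine.
# These must be moved to a 2010 mailbox server before the last 2003 server goes.
$legacyNames = $legacy | ForEach-Object { $_.Name }
Get-OfflineAddressBook |
    Where-Object { $_.Server -and ($legacyNames -contains $_.Server.Name) } |
    Select-Object Name, Server, IsDefault | Format-Table -AutoSize
```

Nothing here changes the organization; it only reports. Running it before each of the document's steps, and again after the last one, gives you a record that every mailbox, public folder database and OAB had actually left the legacy servers before they were uninstalled.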

By Andrew Moss



Active Directory Operation Failed insuff_access_rights

Encountering an error like "active directory operation failed insuff_access_rights" can only originate from Exchange Server 2010 or Exchange Server 2007, if you are trying to remove an Active Directory user with an Exchange mailbox using the Exchange Management Console. The error message can also appear if you are using the Exchange Management Shell.


Having a summer intern working with you as an Exchange Server administrator can help you clean up many databases that you normally would never have time to clean up, especially an Exchange database.

More about the summer intern later; let us get to the solution for this error first. This error is normally triggered by a permissions problem. Even though you may be in the Administrators group in Active Directory, or even a member of the Enterprise Admins group, you will still receive this error as long as access rights are not inherited from the containers above.


Active Directory operation failed on *DomainController*. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 The user has insufficient access rights.

Exchange Management Shell command attempted:

'*OUStructure*' | New-MoveRequest -TargetDatabase 'Mailbox Database 1985885663' -BadItemLimit '-1'


This error is very easily resolved. It is so simple that even a newbie can resolve it. I use the term newbie because every so often we all need assistance with error messages that we have not conquered or seen before. There is always good old Google; that is how you found this solution.

Step 1

Open Active Directory Users and Computers and ensure that Advanced Features are enabled by clicking "View" and selecting "Advanced Features". Once this is done, all you have to do is navigate to the user account, or accounts, that you are experiencing the error message with.

Step 2

Open the properties of the user in question and select the "Security" tab. Next click the "Advanced" button and ensure that the check box in front of the words "Include inheritable permissions from this object's parent" is checked.


Step 3

Click Next two or three times, and then try to delete the user account in the Exchange Management Console again.
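The same check can be done from PowerShell, which is useful when an intern is cleaning up dozens of accounts rather than one. The script below is an added example (not from the original post) using the ActiveDirectory module's AD: drive; the `AreAccessRulesProtected` property is the programmatic view of the "Include inheritable permissions from this object's parent" checkbox (true means the box is cleared). The account jdoe and the OU path are constructed placeholders.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT); the AD: drive it provides exposes each object's DACL to Get-Acl.
# "jdoe" and "OU=Staff,DC=contoso,DC=com" are constructed placeholders.
Import-Module ActiveDirectory

function Test-InheritanceBlocked {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    New-Object PSObject -Property @{
        User               = $user.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = checkbox cleared
        AdminCount         = $user.adminCount               # 1 = protected by AdminSDHolder
    }
}

function Restore-Inheritance {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # Equivalent to ticking "Include inheritable permissions from this object's
    # parent": un-protect the DACL and keep the explicit entries already present.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Inspect one account, fix it, and confirm.
Test-InheritanceBlocked -SamAccountName "jdoe"
Restore-Inheritance     -SamAccountName "jdoe"
Test-InheritanceBlocked -SamAccountName "jdoe"

# Find every account in an OU whose inheritance is blocked before a bulk cleanup,
# so the mailbox removals do not fail one at a time with INSUFF_ACCESS_RIGHTS.
Get-ADUser -SearchBase "OU=Staff,DC=contoso,DC=com" -Filter * |
    ForEach-Object { Test-InheritanceBlocked -SamAccountName $_.SamAccountName } |
    Where-Object { $_.InheritanceBlocked } |
    Format-Table User, InheritanceBlocked, AdminCount -AutoSize
```

The `AdminCount` column is the caveat the console steps do not show, and it is general Active Directory behaviour rather than something the post covers: accounts that are (or once were) members of protected groups such as Domain Admins carry adminCount=1, and the AdminSDHolder process re-blocks inheritance on them roughly every hour. For those accounts re-ticking the box only lasts until the next cycle; remove the account from the protected group (and clear adminCount) if it genuinely no longer needs that membership.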


Now back to the summer intern, if you have time to read. In the country where I live, my government created a program whereby private companies are asked to employ college and high school students at no cost to the company.

The student is compensated by the government at the end of every week. In my opinion, this is a good idea. It gives the student the opportunity to be exposed to areas they normally would not have had the chance to experience. Because of the summer student assigned to my department, I was able to do extensive mailbox cleanup in Exchange.

So, whenever you receive the message "active directory operation failed insuff_access_rights", remember your personal assistant Google, and you should easily be able to resolve this.


Recovering Deleted Items in Outlook 2010 – A Typical Day in the Life of an Exchange Server Administrator

Recovering deleted items in Outlook 2010 is easy, as long as you, the administrator, activated the retention policy on your back-end server before your employees attempted to recover emails they had deleted. Whether the emails were accidentally or intentionally deleted, once retention has been activated, recovery is possible.

Every Exchange administrator already knows the challenges and difficulties of trying to restore an entire system just to recover an individual email. At least this was the case in previous versions of Exchange Server, especially Exchange Server 5.5. In newer versions of Exchange Server, a feature called Single Item Recovery makes this possible.

A typical day in an Exchange administrator's life may include calls from users who accidentally deleted one or more of their important emails.

Outlook 2010 deleted items recovery involves more than just the Outlook client itself. Exchange Server on the back end plays an integral part in the recovery process.

Every trained Exchange administrator knows that the retention policy for Exchange Server has to be activated on the back end in order to recover deleted items from Outlook 2010 successfully.

To eliminate the problem of your users being unable to recover deleted emails, you should ensure that the retention policy on your Exchange Server is activated.

How to Ensure Retention Is Setup on Back End Exchange Server

  1. Open your Exchange Management Console and navigate to the Organization Configuration container. Click on "Mailbox" in the displayed tree just below the Organization Configuration container.
  2. In the right pane, ensure that the "Database Management" tab is selected.


In Exchange 2010, retention is set up on individual databases in the organization. Each database can have its own retention settings.

  1. Double-click any database in the display pane to set up and activate the deleted item retention settings for the selected database. This will bring up a screen like the one below.

[Screenshot: mailbox database properties, deleted item retention settings]


The configuration tab above shows my deleted item retention set to seven days and my mailbox retention set to fourteen days. You can set your retention to whatever number of days you prefer, as long as the built-in policy allows it.
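The same settings can be read and changed from the Exchange 2010 Management Shell, which also makes it easy to confirm that every database, not just the one you opened, has a retention window. The commands below are an added example (not from the original post); they use the post's values of seven days for items and fourteen for mailboxes, and the database and mailbox names are constructed placeholders. The block also covers the Single Item Recovery switch mentioned earlier, which is a per-mailbox setting rather than a database one.

```powershell
# Added example (not from the original post). Exchange 2010 Management Shell.
# "Mailbox Database 1" and "jdoe" are constructed placeholders.

# What can each database recover, and for how long?
Get-MailboxDatabase |
    Select-Object Name, DeletedItemRetention, MailboxRetention, RetainDeletedItemsUntilBackup |
    Format-Table -AutoSize

# Set the window on one database (timespan format is days.hours:minutes:seconds).
# RetainDeletedItemsUntilBackup keeps items even past the window until the
# database has been backed up, so a deletion is never unrecoverable between backups.
Set-MailboxDatabase -Identity "Mailbox Database 1" `
    -DeletedItemRetention 7.00:00:00 `
    -MailboxRetention 14.00:00:00 `
    -RetainDeletedItemsUntilBackup $true

# Apply the same window to every database in the organization.
Get-MailboxDatabase |
    Set-MailboxDatabase -DeletedItemRetention 7.00:00:00 -MailboxRetention 14.00:00:00

# Single Item Recovery: when enabled, items a user purges from "Recover Deleted
# Items" are still held for the retention window, so the user cannot shorten it.
Set-Mailbox -Identity "jdoe" -SingleItemRecoveryEnabled $true

# Find mailboxes that override the database default with their own window,
# which is where a "but my email is gone" call usually comes from.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.UseDatabaseRetentionDefaults } |
    Select-Object Name, RetainDeletedItemsFor, SingleItemRecoveryEnabled |
    Format-Table -AutoSize
```

Run the first and last queries before you promise a user that recovery will work: the window that applies to them is the mailbox's own value when `UseDatabaseRetentionDefaults` is false, and the database's value otherwise.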

When I receive calls from users asking how to recover deleted items in Outlook, all I normally do is take them through the steps below on how to retrieve deleted emails in Outlook 2010.

Steps to Recover Deleted Emails in Outlook 2010

To recover your deleted items in Outlook, all you have to do is open your Outlook client and navigate to the "Deleted Items" folder in the left pane. See the screenshot below.

[Screenshot: Outlook 2010 with the Deleted Items folder selected]


Next, click the "Folder" tab on the ribbon at the top of the Outlook client to bring up the next set of menu items.

[Screenshot: Outlook 2010 Folder tab with Recover Deleted Items]

Select "Recover Deleted Items" from the ribbon. This opens a dialog box listing all items you have permanently deleted within the last seven days, or whatever number of days the retention is set to.

Next, highlight the items you want to recover and click the email icon at the top of the dialog box to return the permanently deleted items to your Deleted Items folder.

So, as you can see, recovering deleted items in Outlook 2010 is possible once retention is set up on the back end of the Exchange Server.





Exchange 2010 Distribution Group Not Receiving External Email – Does This Sound Familiar?

If the phrase "exchange 2010 distribution group not receiving external email" sounds familiar to you, then you are one of the many Exchange administrators who hears about this issue from users on a daily basis.

Just the other day we created several email distribution lists for our marketing department to be used in their marketing campaigns. These distribution lists included many other departments alongside marketing, including sales and residential sales.

Distribution lists may include groups within groups. As an Exchange Server administrator, you should already be familiar with the idea of a group being a member of another group.

When an email distribution list is created, we normally send a test email from an external email address to ensure that mail flows correctly to the members of the list. Unfortunately, after these lists were created we completely forgot to run the usual test on one of them.

Forgetting this step can sometimes be detrimental to you. Detrimental does not mean the loss of a job, but your peers may assume you are careless if they find out about it before you do.

Shortly after the distribution list was created, one of its members sent an email to the list from an external email address but did not receive it in their inbox. Another test was sent from an internal account, and that email was delivered successfully.

In conversation with the user, the question was asked: "What happened to the emails that customers sent to us using the distribution list?" My response to the user was that the customer should have received a non-delivery report and may have attempted to send the email again.

In troubleshooting the error I ran the same test and did not receive an email in my inbox when I used my external test account. Sending the email internally worked fine. Before I did the test I added myself to the distribution list as a member, so I could test the flow of email to the group.

To cut a long story short, I immediately went to my favourite place and typed my keywords, "Exchange 2010 Distribution Group Not Receiving External Email", into the search box. Immediately I was presented with many solutions that I had to sift through to find the correct one.

As an administrator working in the field of information technology, you should know by now that Google is your best friend, and is always your best source for finding solutions to the issues you experience daily as an Exchange Server administrator.

After sifting through the results Google presented to me, I came across one that pointed me in the direction of how to resolve the issue. Even though the question was not directly related, the answer given on the forum was the correct solution.

Here is the link to the discussion that resolved my issue.

Even though the question was asked about restricting who can send email to a distribution list, the same setting can be used to remove the restriction from the list. If you are unable to access the link to the solution, just look at the answer quoted below. This is the solution to "Exchange 2010 Distribution Group Not Receiving External Email".




I want to prevent internal email or a distribution list from sending an email to Exchange 2010 distribution lists. Is it possible?




If you go to the properties of a Distribution Group | Mail Flow Settings tab | Message Delivery Restrictions | Accept messages from | Only senders in the following list: – you can set there who can send to the DG.


This solution also alerted me to the fact that once a distribution list is created in Exchange 2010, by default it is set not to allow external senders to send email to the list. In Exchange 2003 this was not the case: by default any sender, whether internal or external, could send to a new distribution list.
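The console setting in the quoted answer maps to a single property in the Exchange 2010 Management Shell, `RequireSenderAuthenticationEnabled`, which is true by default on a new group and is what silently rejects external senders. The commands below are an added example (not from the original post or the quoted forum answer) that audits every group for this setting, opens one list to external mail, restricts another, and wraps the forgotten pre-release test in a function. The group names and sender names are constructed placeholders.

```powershell
# Added example (not from the original post or the quoted forum answer).
# Exchange 2010 Management Shell. Group and sender names are constructed placeholders.

# Which groups reject external mail? On a new Exchange 2010 group this is $true.
Get-DistributionGroup -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled |
    Sort-Object RequireSenderAuthenticationEnabled, Name |
    Format-Table -AutoSize

# Let anyone, internal or external, send to the marketing campaign list.
Set-DistributionGroup -Identity "Marketing Campaigns" -RequireSenderAuthenticationEnabled $false

# The restriction the forum question asked for: authenticated senders only,
# and even then only the listed senders ("Only senders in the following list").
Set-DistributionGroup -Identity "All Staff" `
    -RequireSenderAuthenticationEnabled $true `
    -AcceptMessagesOnlyFrom "ceo", "hr-announcements"

# The test the post admits was skipped, as a check you can run before handing a
# list over: external senders get through only if authentication is not required
# and no explicit sender allow-list narrows delivery.
function Test-ExternalSendersAllowed {
    param([Parameter(Mandatory = $true)][string]$Group)
    $dg = Get-DistributionGroup -Identity $Group
    $noAllowList = ($dg.AcceptMessagesOnlyFrom.Count -eq 0) -and
                   ($dg.AcceptMessagesOnlyFromDLMembers.Count -eq 0)
    (-not $dg.RequireSenderAuthenticationEnabled) -and $noAllowList
}

Test-ExternalSendersAllowed -Group "Marketing Campaigns"   # expected $true after the change
Test-ExternalSendersAllowed -Group "All Staff"             # expected $false
```

The default is worth keeping on most lists: a group that accepts unauthenticated mail from anywhere is reachable by every spammer who guesses its address, so open only the lists that customers genuinely need to reply to, and keep internal announcement lists restricted as the quoted answer describes. Remember that nested groups do not inherit this setting; each group in the chain is checked on its own, which is why a member of a restricted inner group may still never see the external message.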

By Andrew Moss