Article ID: 313807
This article was previously published under Q313807
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes how to obtain and use a script that restricts access to the Exchange Domain Servers groups across a forest.
A default Exchange installation creates an Exchange Domain Servers group for each domain within the forest. This group contains the computer accounts for each Exchange server within a given domain. These groups are granted access to all Exchange public folder and mailbox stores in the forest. Customers may want to restrict access to mailbox stores to only the local server that hosts the stores.
To further enhance the security model of Exchange, a script is available from the Microsoft Download Center that restricts access to the Exchange Domain Servers groups across the forest.
The following file is available for download from the Microsoft Download Center:
Download Q313807engi386.exe now
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/EN-US/) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Script Usage
The script must be run for each Exchange server in the organization, and the script requires the distinguished name of the Exchange server, for example:
cscript edslock.vbs "CN=Mail1,CN=Servers,CN=America AG,CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=America,DC=microsoft,DC=com"
The script performs the following actions:
Script Deployment Guidelines
The script can be run on any server in the forest and does not have to be copied locally to each Exchange server. The account that runs the script must have full write access to the configuration naming context. Microsoft recommends that the Exchange Full Administrator perform this function because Exchange Administrators and Domain Administrators do not have these permissions.
If you restore an information store from a backup tape to a different server, you must run the script again to reset the permissions on the store.
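The per-server requirement above can be scripted from one machine in the forest. The following PowerShell is an added example, not part of the original article or the EDSlock package. It assumes that EDSlock.vbs is in the install directory the article names, that Exchange server objects are of class msExchExchangeServer under the Exchange services container, and that a nonzero cscript exit code indicates a failure (the article does not document exit codes).

```powershell
# Added example (not from the article): run EDSlock.vbs once for every
# Exchange server object found in the forest's configuration naming context.
# Assumptions: the script sits in the install directory the article names, and
# the account has full write access to the configuration naming context.

$edslock = Join-Path $env:WinDir 'System32\Q313807\EDSlock.vbs'
if (-not (Test-Path $edslock)) {
    throw "EDSlock.vbs not found at $edslock"
}

# Read the configuration naming context from RootDSE, then search below the
# Exchange services container for server objects.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$base     = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter      = '(objectClass=msExchExchangeServer)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$results = $searcher.FindAll()
$report = foreach ($result in $results) {
    $dn = [string]$result.Properties['distinguishedname'][0]
    # PowerShell passes $dn to cscript as one quoted argument (it contains spaces).
    $output = & cscript.exe //NoLogo $edslock $dn 2>&1
    New-Object PSObject -Property @{
        Server   = $dn
        ExitCode = $LASTEXITCODE   # treating nonzero as failure is an assumption
        Output   = ($output -join "`n")
    }
}
$results.Dispose()

$report | Format-List Server, ExitCode, Output
$failed = @($report | Where-Object { $_.ExitCode -ne 0 })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) server(s) returned a nonzero exit code; rerun EDSlock for them."
}
```

Keep the per-server output as a record of which servers were processed, so that a server added later or a store restored to a different server can be identified and processed separately.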
EDSlock Q313807 Updates
To verify that the patch has been installed on the computer, confirm that the following registry key has been created on the server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2000\SP2\Q313807
To verify the individual files, use the date/time and version information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2000\SP2\Q313807\filelist
File Installation:
The script (EDSlock.vbs) is installed in the following directory:
%WinDir%\System32\Q313807
The script is not run as part of the installation process.