This article describes how to obtain and use a script that restricts access to the Exchange Domain Servers groups across a forest.
A default Exchange installation creates an Exchange Domain Servers group for each domain within the forest. This group contains the computer accounts for each Exchange server within a given domain. These groups are granted access to all Exchange public folder and mailbox stores in the forest. Customers may want to restrict access to mailbox stores to only the local server that hosts the stores.
To further enhance the security model of Exchange, a script is available from the Microsoft Download Center that restricts access to the Exchange Domain Servers groups across the forest.
The following file is available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
The script must be run for each Exchange server in the organization and the script requires the distinguished name of the Exchange server, for example:
cscript edslock.vbs "CN=Mail1,CN=Servers,CN=America AG,CN=Administrative Groups,CN=Microsoft, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=America,DC=microsoft,DC=com
The script performs the following actions:
- Sets a Deny Receive-As Access Control Entry (ACE) for all of the Exchange Domain Servers group on the Exchange Server object
- Sets an explicit Allow Receive-As ACE for the local server for its own public folder and mailbox stores
You need to run the script again in the following scenarios:
- When you add a new Exchange server to an existing Microsoft Windows 2000 domain that contains Exchange servers, or upgrade an Exchange Server 5.5 computer (in place) to Exchange 2000.
Default permissions are applied when a new Exchange server is added to an existing domain that already hosts Exchange servers. The script must be run again to specify the name of the new Exchange server. The script does not need to be run again for the existing Exchange servers.
- When you add a new public folder or mailbox store to an existing Exchange Server.
The script must be run again to specify the name of the Exchange server to ensure that the restricted permissions are set for new mailbox stores.
- When you add a new domain that will host Exchange servers to the forest.
The script must be run again for each Exchange server in the forest because the creation of a new domain that hosts Exchange servers sets permissions at the organization level. The script should be run after the domainprep phase of the Setup installation process.
The Exchange Domain Servers group only contains the Exchange server computer accounts. If the group membership has been modified to allow custom processes to perform administrative tasks, these processes may require modification if any process relies on cross-domain permissions. Microsoft recommends that you create an alternative Windows 2000 group with appropriate permissions based on the requirements of the administrative process.
Script Deployment Guidelines
The script can be run on any server in the forest and does not have to be copied locally to each Exchange server. The account that runs the script must have full write access to the configuration naming context. Microsoft recommends that the Exchange Full Administrator perform this function because Exchange Administrators and Domain Administrators do not have these permissions.
If you restore an information store from a backup tape to a different server, you must run the script again to reset the permissions on the store.
EDSlock Q313807 Updates
To verify that the patch has been installed on the computer, confirm that the following registry key has been created on the server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2000\SP2\Q313807
To verify the individual files, use the date/time and version information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2000\SP2\Q313807\filelist
The script (EDSlock.vbs) is installed in the following directory:
The script is not run as part of the installation process.