ADSS Security references obsolete Exchange admin accounts

Gregg Hughes 291 Reputation points
2020-11-16T21:52:34.777+00:00

Good afternoon, all!

I have been tasked with validating and cleaning up a customer's ADSS structure. One of the things I've found is that there are some orphaned SIDs that refer back to an obsolete Exchange installation and to transporting Exchange information between sites. I don't have info on how on-prem Exchange was decommissioned; I do know that's a nice area to injure yourself. My preference in the past has been to decommission all but one on-prem server, shut that one down, but leave all the AD-Exchange stuff to make managing O365 a little easier.

Question is - would archiving and deleting those entries be a bad thing for ADSS?

Thanks!


Accepted answer
  1. Gregg Hughes 291 Reputation points
    2020-11-18T15:32:23.15+00:00

    Hi, Lucas!

    AFAIK, there is no more on-prem Exchange in the organization. That's probably at the root of why I'm seeing these entries. As for where the Exchange comes from, the three screenshots should help. [screenshots: 40824-2020-11-18-09-20-19.png, 40853-2020-11-18-09-21-35.png, 40825-2020-11-18-09-22-38.png]
    There are three orphaned SIDs, but they're referenced several times. Each of the orphaned SIDs points to an Exchange-related special permission.

    I suspect I'll be trawling through their AD to fix the Exchange references and clean out the corners; a little more than a Friday afternoon chore...

    Thanks!

    Gregg
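The inventory step described in the accepted answer (a handful of orphaned SIDs, each referenced several times across the Sites container), as an added example that is not code from the thread or from Microsoft. It walks every object under CN=Sites in the Configuration partition, reports each ACE whose trustee SID no longer resolves to an account, checks whether that SID still belongs to a recently deleted (tombstoned) object, saves an SDDL backup of every ACL it reads, and only strips the explicit orphaned ACEs when `$Remove` is flipped to `$true`. It assumes the RSAT ActiveDirectory module (the `AD:` drive), an account that can read and, for removal, modify the Configuration naming context, and a backup folder under `$env:TEMP`; all of those are assumptions, not details from the page.

```powershell
# Added example (not from the thread): inventory and optionally remove orphaned ACEs
# under CN=Sites. Assumes the RSAT ActiveDirectory module and rights on the Configuration NC.
Import-Module ActiveDirectory

$Remove    = $false                                   # review the report before flipping this
$BackupDir = Join-Path $env:TEMP 'sites-acl-backup'   # assumed backup location
$SitesDN   = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$findings = foreach ($obj in Get-ADObject -SearchBase $SitesDN -SearchScope Subtree -Filter *) {
    $adPath = "AD:\$($obj.DistinguishedName)"
    $acl    = Get-Acl -Path $adPath

    # Keep a restorable copy of the ACL before touching anything (DNs are not file-safe)
    $file = Join-Path $BackupDir (($obj.DistinguishedName -replace '[\\/:*?"<>|]', '_') + '.sddl')
    $acl.Sddl | Set-Content -Path $file -Encoding ascii

    # Get-Acl leaves a trustee it cannot translate as a raw SecurityIdentifier instead of
    # a DOMAIN\Name NTAccount; that is the signature of an orphaned ACE.
    $orphans = @($acl.Access | Where-Object {
        $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
    })
    if (-not $orphans) { continue }

    foreach ($ace in $orphans) {
        $sid = $ace.IdentityReference.Value
        # A SID that still maps to a tombstone is a recent deletion that could be restored;
        # one with no object at all is genuinely gone (e.g. removed Exchange security groups).
        $deleted = Get-ADObject -Filter "objectSid -eq '$sid'" -IncludeDeletedObjects -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Object      = $obj.DistinguishedName
            Class       = $obj.ObjectClass
            Sid         = $sid
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            ObjectType  = $ace.ObjectType          # extended right / attribute GUID, if any
            Inherited   = $ace.IsInherited
            DeletedName = if ($deleted) { $deleted.Name } else { $null }
        }
    }

    if ($Remove) {
        # Inherited ACEs cannot be removed on the child; they must be cleaned where they are
        # defined explicitly (the parent container), so only explicit ACEs are stripped here.
        $explicit = @($orphans | Where-Object { -not $_.IsInherited })
        if ($explicit) {
            foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
            Set-Acl -Path $adPath -AclObject $acl
        }
    }
}

$findings | Sort-Object Sid, Object | Format-Table -AutoSize
# How many times each orphaned SID is referenced, matching the "referenced several times" picture
$findings | Group-Object Sid | Select-Object Name, Count
```

Run it first with `$Remove = $false` and read the grouped count: a SID whose `DeletedName` column is populated is a recent deletion that AD can still restore, which is a different decision from one that is simply gone. Removing an inherited ACE at the object where it is reported only reappears on the next inheritance pass, so the report's `Inherited` column tells you where the real cleanup has to happen. The same orphaned SIDs will usually also appear elsewhere in the Configuration partition, so the search base is the only thing to change to widen the sweep.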


1 additional answer

  1. Lucas Liu-MSFT 6,161 Reputation points
    2020-11-17T09:03:13.617+00:00

    Hi @Gregg Hughes,
    Do you mean Active Directory Sites and Services by ADSS? If not, would you mind describing in detail what you are referring to?
    Is your environment a hybrid deployment now? If so, when directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. So if you still need the local Active Directory and Exchange information, you cannot disable all local Exchange servers.
    For more information you could refer to: How and when to decommission your on-premises Exchange servers in a hybrid deployment
