GreggHughes-3883 asked:

ADSS Security references obsolete Exchange admin accounts

Good afternoon, all!

I have been tasked with validating and cleaning up a customer's ADSS structure. One of the things I've found is that there are some orphaned SIDs that refer back to an obsolete Exchange installation and transporting Exchange information between sites. I don't have info on how on-prem Exchange was decommissioned; I do know that's a nice area to injure yourself. My preference in the past has been to decommission all but one on-prem server, shut that one down, but leave all the AD-Exchange stuff to make managing O365 a little easier.

Question is - would archiving and deleting those entries be a bad thing for ADSS?

Thanks!

Tags: office-exchange-server-administration, windows-active-directory

GreggHughes-3883 answered:

Hi, Lucas!

AFAIK, there is no more on-prem Exchange in the organization. That's probably at the root of why I'm seeing these entries. As for where the Exchange comes from, the three screenshots should help. (Three screenshots attached: 40824-2020-11-18-09-20-19.png, 40853-2020-11-18-09-21-35.png, 40825-2020-11-18-09-22-38.png.)
There are three orphaned SIDs, but they're referenced several times. Each of the orphaned SIDs points to an Exchange-related special permission.

I suspect I'll be trawling through their AD to fix the Exchange references and clean out the corners; a little more than a Friday afternoon chore...

Thanks!

Gregg




Hi @GreggHughes-3883 ,
Thanks for the screenshots you provided, which are of great help in understanding the issue background.

Are you looking at the properties of a certain site? By comparing the default permission list in my environment, I think the 3 concerned SIDs were left after removing Exchange organization. They may have certain permissions to "Ashburn" in the past.
(Screenshot attached: 41053-11111.png.)

Considering that we no longer have such Exchange organization, it's recommended to safely remove them. This will not have any impact on your site, nor will it affect your ADSS structure.

Hopefully the above information is clear and useful.



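The cleanup Lucas recommends, as an added PowerShell example that is not part of the thread: it walks every object under CN=Sites in the configuration partition, reports each ACE whose trustee SID no longer resolves to an account, saves the affected object's security descriptor as SDDL before changing anything, and removes the orphaned, non-inherited ACEs only when run with -Remove (honouring -WhatIf). It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account with rights to write the DACL on the site objects; the backup folder is an arbitrary default and not something from the original post.

```powershell
# Added example, not code from the thread. Find (and optionally remove) ACEs in Active
# Directory Sites and Services whose trustee SID no longer resolves, e.g. groups left
# behind by a removed Exchange organization. Run without -Remove first to get a report.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupDir = "$env:TEMP\ADSS-ACL-Backup",   # assumption: where SDDL backups go
    [switch]$Remove
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$sitesContainer = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

# SIDs of every domain in this forest; a SID outside this set could belong to a trusted
# forest that is merely unreachable right now, so it deserves a second look before deletion.
$forestDomainSids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

# The container itself plus everything beneath it: sites, site links, inter-site transports,
# subnets, servers and NTDS Settings objects. ACEs are often defined on a parent and inherited.
$objects = @($sitesContainer) + @(
    Get-ADObject -SearchBase $sitesContainer -SearchScope Subtree -Filter * |
        Select-Object -ExpandProperty DistinguishedName
)

function Test-OrphanedSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Resolvable trustees are already shown as NTAccount; an unresolved one stays a raw SID.
    if ($Identity -isnot [System.Security.Principal.SecurityIdentifier]) { return $false }
    try {
        [void]$Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

$report = foreach ($dn in $objects) {
    $acl     = Get-Acl -Path "AD:\$dn"
    $orphans = @($acl.Access | Where-Object { Test-OrphanedSid $_.IdentityReference })
    if (-not $orphans) { continue }

    # Keep the full descriptor so the change can be reversed with Set-Acl if needed.
    $safeName = $dn -replace '[^\w\-]', '_'
    $acl.Sddl | Set-Content -Path (Join-Path $BackupDir "$safeName.sddl")

    foreach ($ace in $orphans) {
        $sid = $ace.IdentityReference
        [pscustomobject]@{
            Object     = $dn
            Sid        = $sid.Value
            InForest   = ($sid.AccountDomainSid.Value -in $forestDomainSids)
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType        # extended right / property GUID, if any
            Inherited  = $ace.IsInherited
        }
        # An inherited ACE cannot be removed on the child; remove it where it is defined.
        if ($Remove -and -not $ace.IsInherited) {
            if ($PSCmdlet.ShouldProcess($dn, "Remove ACE for $($sid.Value)")) {
                [void]$acl.RemoveAccessRule($ace)
            }
        }
    }
    if ($Remove) { Set-Acl -Path "AD:\$dn" -AclObject $acl }
}

$report | Format-Table -AutoSize
```

The report alone answers the question of how many distinct SIDs there are and which objects reference them; the Inherited column shows where an ACE is actually defined, so the removal is done once on the parent rather than failing silently on each child. A SID that does not translate is not necessarily deleted, which is why InForest is reported: only remove entries whose domain SID belongs to this forest and whose account really is gone. Run with `-Remove -WhatIf` before running with `-Remove`.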
LucasLiu-MSFT answered:

Hi @GreggHughes-3883 ,
Do you mean Active Directory Sites and Services by ADSS? If not, would you mind describing in detail what you are referring to?
Is your environment a hybrid deployment now? If so, when directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. So if you still need the local Active Directory and Exchange information, you cannot disable all local Exchange servers.
For more information you could refer to: How and when to decommission your on-premises Exchange servers in a hybrid deployment




Hello, Lucas!

Thanks for the information. It is, indeed, the Active Directory Sites & Services I am referring to. There is no current Exchange on-prem and no hybrid deployment for Exchange. I don't know yet about the Azure AD Connect - if that's one-way trusted and was instituted with an on-prem Exchange, that would account for the orphaned SIDs. I'll be looking in that direction.

Thanks!

G


Hi @GreggHughes-3883 ,
What is the environment of your Exchange?
Does the SID you mentioned refer to your AD account? If so, based on my knowledge, the SID of the AD account will not have any impact on the structure of AD Sites and Services, and the SID of the AD account will not be stored in AD Sites and Services. If not, would you mind describing in detail what the SID is referring to?


