Local Administrators Group on Exchange Servers
Hi: I have an Exchange 2007 SP2 with Exchange 2010 environment. I am trying to restrict the members of the local Administrators group on the Exchange 2007 servers by using Group Policy. Currently I have the following members of the local admin group on the Exchange 2007 SP2 servers:

1. Domain Admins
2. Exchange Organization Administrators
3. Exchange Trusted Subsystem

Is this correct, or is there something missing from my local Administrators group members?

My second question: is it safe to add a Group Policy to restrict the members of the local admins on Exchange servers? I am afraid that if I apply a rollup update or SP in the future and it tries to add another member to the local admin group, my Group Policy will then remove that member. What do you think? For example, the SP2 binaries add the Exchange Trusted Subsystem to the local admin group automatically.

ammarhasayen
August 27th, 2010 8:04pm

It is unlikely that a service pack or rollup would change the permissions. If it did, then it should be documented. However, if you want to operate in a restricted environment then you should also have a test environment so that you can confirm that your restrictions don't stop the application from working. This is one of those settings which you need to test.

Administrator (the local one) is missing from the list and I would place it back in. If you don't and the server has something wrong with its domain membership then you would be completely locked out.

Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 27th, 2010 8:29pm

Thanks, but Microsoft should still have a recommendation like: "Hey Exchange dudes, the local admins group in Exchange 2007 SP2 should contain 1 2 3 members, anything else is extra."

ammarhasayen
August 28th, 2010 12:47am

Perhaps they should. However, I have been working with Exchange on public forums for six years and this is the first time I have seen this kind of question asked. If someone gets into a position where they can add themselves into a power group like local admins, then you have bigger problems to worry about.

Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 28th, 2010 7:33pm

I have already set the restricted group for Power Users to empty. I am trying to configure the local Administrators now.

ammarhasayen
August 28th, 2010 8:57pm

The ones you have in there are the normal ones, and you aren't missing any. You can add more if your organization requires it.
August 29th, 2010 5:58am

There is no requirement that domain admins be in the local admin group. The other 2 are really the basic ones you need.
August 29th, 2010 3:15pm
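
The test-environment check suggested in this thread can be scripted: snapshot the local Administrators group before and after an update and compare it with the baseline that the Group Policy will enforce. The following is an added example, not part of the original posts; the domain `CONTOSO`, the function names and the sample snapshot are constructed assumptions.

```powershell
# Baseline from the thread (local Administrator plus the three groups).
# 'CONTOSO' is a constructed placeholder domain.
$Baseline = @(
    'Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\Exchange Organization Administrators',
    'CONTOSO\Exchange Trusted Subsystem'
)

function Get-LocalAdminMember {
    # Reads members through the ADSI WinNT provider, which also works on
    # servers whose PowerShell version predates Get-LocalGroupMember.
    param([string]$Computer = $env:COMPUTERNAME, [string]$Group = 'Administrators')
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $g.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath: WinNT://DOMAIN/Name, WinNT://DOMAIN/COMPUTER/Name (local
        # account) or WinNT://S-1-5-... (SID that no longer resolves).
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if     ($parts.Count -eq 1)        { $parts[0] }
        elseif ($parts -contains $Computer) { $parts[-1] }
        else                                { "$($parts[-2])\$($parts[-1])" }
    }
}

function Compare-AdminMembership {
    # Unexpected = present but not in the baseline (a Restricted Groups policy
    #              would remove these, including anything an installer added).
    # Missing    = in the baseline but absent (e.g. the local Administrator).
    param([string[]]$Actual, [string[]]$Expected)
    New-Object psobject -Property @{
        Unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    }
}

# Constructed snapshot standing in for a test server after an update:
# the local Administrator is absent and one extra (made-up) group is present.
$SampleAfterUpdate = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Exchange Organization Administrators',
    'CONTOSO\Exchange Trusted Subsystem',
    'CONTOSO\Example Group Added By Installer'
)
Compare-AdminMembership -Actual $SampleAfterUpdate -Expected $Baseline | Format-List

# On a real test server, compare the live group instead:
# Compare-AdminMembership -Actual (Get-LocalAdminMember) -Expected $Baseline
```

Any entry under `Unexpected` after a rollup or service pack in the test environment should be evaluated for the policy's member list before the same update reaches production.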

This topic is archived. No further replies will be accepted.
