Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Elevation of privileges possible when Active Directory permissions role is granted in Exchange Server 2019 and 2016


View products that this article applies to.

Symptoms

In Microsoft Exchange Server 2019 or Exchange Server 2016, you can assign the "Active Directory Permissions" role to a user, a group, or a role group. The assignment can be limited by using a management scope so that the assignee can only use the permissions granted by this role only on the specific objects within the scope. The assignment can be limited to a specific recipient write scope or configuration write scope. However, even if both recipient and configuration scopes are limited to a narrow scope, there is an easy way for users to hold the "Active Directory Permissions" role to elevate their permissions to the whole Exchange organization.

↑ Back to the top


Resolution

To fix this issue, install one of the following updates:
For Exchange Server 2019, install the Cumulative Update 5 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019.​
For Exchange Server 2016, install the Cumulative Update 16 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.

↑ Back to the top


References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top


Keywords: CI114709, kbHotfixAuto, kbqfe, kbfix, kb, elevation of privileges possible when AD permissions role is granted

↑ Back to the top

Article Info
Article ID : 4547708
Revision : 4
Created on : 3/17/2020
Published on : 3/17/2020
Exists online : False
Views : 256