Exchange Onsite Removal

1st April 2022

I encountered this while running PingCastle and cleaning up the domain.

The company had Exchange on-site, then moved to Exchange 365.

PingCastle reports a vulnerable schema class: msExchStorageGroup, with computer listed as a possible superior (msExchStorageGroup/PossSuperiorComputer). In plain terms, objects of that Exchange class can still be created underneath computer objects.

Log on with a user that is a member of Schema Admins. Remember they need to be a member before logging in: the user gets their ticket (and the group membership in it) when logging in.

Run this super-secret command in PowerShell or cmd as Administrator (it registers the Active Directory Schema snap-in, which is not available in MMC until you do):
regsvr32.exe schmmgmt.dll

Now you can add a very dangerous Snap-In (Active Directory Schema) to MMC:

https://www.zubairalexander.com/blog/wp-content/uploads/2018/08/Adding-schema-snap-in.png

You may need to make this change; if not, continue on and remove the possible superior instead.

Removing the possible superior (computer) from the msExchStorageGroup class:

More info here: https://www.zubairalexander.com/blog/active-directory-schema-management/
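Before and after the snap-in work it helps to confirm, from the command line, whether the class still lists computer as a possible superior. The following is an added example, not code from the original post or from PingCastle; it assumes the RSAT ActiveDirectory PowerShell module is installed and that you run it on a domain-joined machine (reading the schema needs no special rights, changing it still needs Schema Admins):

```powershell
# Added example (not from the original post): report whether the schema class
# msExchStorageGroup still allows "computer" as a possible superior, which is
# the condition PingCastle flags. Read-only; it changes nothing.
Import-Module ActiveDirectory

function Test-ExchangeSchemaPossSuperior {
    param(
        [string]$ClassName = 'msExchStorageGroup',  # class named in the PingCastle finding
        [string]$Superior  = 'computer'             # possible superior we do not want to see
    )

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
        -Properties possSuperiors, systemPossSuperiors

    if (-not $cls) {
        # Class not in the schema at all (never had Exchange, or schema was never extended)
        return [pscustomobject]@{ Class = $ClassName; Present = $false; Superiors = @(); Flagged = $false }
    }

    # possSuperiors is the list you can edit in the schema snap-in;
    # systemPossSuperiors is set by the schema owner and is not editable there.
    $superiors = @(@($cls.possSuperiors) + @($cls.systemPossSuperiors) | Where-Object { $_ })

    [pscustomobject]@{
        Class     = $ClassName
        Present   = $true
        Superiors = $superiors
        Flagged   = ($superiors -contains $Superior)
    }
}

$result = Test-ExchangeSchemaPossSuperior
$result | Format-List

if ($result.Flagged) {
    Write-Warning "$($result.Class) still lists '$($result.Superiors -join ', ')' as possible superiors; remove 'computer' in the Active Directory Schema snap-in (Schema Admins required)."
} else {
    Write-Host "$($result.Class): no 'computer' possible superior. PingCastle should no longer report it on the next run."
}
```

Run it once before touching the snap-in to confirm the finding is real, and once afterwards to confirm the change replicated. If the value shows up in systemPossSuperiors rather than possSuperiors, the snap-in will not let you remove it and you should look at the schema extension that set it instead.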

Step 2, aka HA, you thought you were done but NOOOOO

Privileges granted in a GPO (User Rights Assignment) are a way to hold administrator-level rights without being a member of any admin group, so they survive group clean-up.

Download a program called PingCastle and run it against your domain controller; just choose the defaults and it creates an HTML report. Open the report and scroll all the way down to GPO, Privileges. Note there may be multiple pages.
You will see entries for DomainName\Exchange Servers and DomainName\Exchange Enterprise Servers.

To change this you need to start up the Group Policy editor. PingCastle listed the name of the policy to edit: open Local Policies / User Rights Assignment, then edit each right and remove any entries referring to your mail server groups. Remember to take a screenshot first in case you delete something by accident; there is no UNDO button in Group Policy.
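PingCastle tells you which policy to open, but it is worth finding every GPO that still references the Exchange groups and taking a real backup (not just a screenshot) before editing. This is an added example, not code from the original post or from PingCastle; it assumes the RSAT GroupPolicy module, and that the group names are "Exchange Servers" and "Exchange Enterprise Servers" as in the report (the PSBackups path is an assumption, change it to suit):

```powershell
# Added example (not from the original post): list every user right in every
# GPO that is granted to the old Exchange security groups, optionally backing
# up each affected GPO first so the edit can be undone with Restore-GPO.
Import-Module GroupPolicy

function Find-ExchangeUserRights {
    param(
        # Group names as PingCastle shows them; matched as substrings of the member name
        [string[]]$Patterns   = @('Exchange Servers', 'Exchange Enterprise Servers'),
        # Set to a folder to back up every GPO that still references the groups
        [string]$BackupPath   = $null
    )

    foreach ($gpo in Get-GPO -All) {
        # XML report of the whole GPO; user rights appear as UserRightsAssignment
        # elements with a Name (the privilege) and one Member per principal.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # local-name() sidesteps the report's XML namespaces
        $rights = $report.SelectNodes("//*[local-name()='UserRightsAssignment']")
        $hits = @()

        foreach ($right in $rights) {
            $privilege = $right.SelectSingleNode("*[local-name()='Name']").InnerText
            $members   = $right.SelectNodes("*[local-name()='Member']/*[local-name()='Name']")
            foreach ($m in $members) {
                foreach ($p in $Patterns) {
                    if ($m.InnerText -like "*$p*") {
                        $hits += [pscustomobject]@{
                            GPO       = $gpo.DisplayName
                            GpoId     = $gpo.Id
                            Privilege = $privilege       # e.g. SeServiceLogonRight
                            Member    = $m.InnerText     # e.g. DOMAIN\Exchange Servers
                        }
                    }
                }
            }
        }

        if ($hits.Count -gt 0 -and $BackupPath) {
            # Backup-GPO gives you the UNDO button Group Policy lacks
            New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
            Backup-GPO -Guid $gpo.Id -Path $BackupPath -Comment 'Before removing Exchange user rights' | Out-Null
        }

        $hits
    }
}

# Usage: review first, then run again with -BackupPath before editing in the GPO editor
Find-ExchangeUserRights | Format-Table -AutoSize
# Find-ExchangeUserRights -BackupPath 'C:\PSBackups\GPO' | Format-Table -AutoSize
```

The matching is deliberately loose (substring on the member name) so it also catches rights granted to a renamed or domain-prefixed copy of the groups. After the edit, rerun PingCastle: the Privileges section should no longer list the Exchange groups.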

Step 3, aka WTF more steps?!?!

Check your published AD services.

To show the AD Services node it needs to be turned on (in Active Directory Sites and Services: View, Show Services Node).

Now we can see there is an Exchange Server listed with an AutoDiscover record.
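The AutoDiscover record you see under the Services node is a serviceConnectionPoint object that Exchange published in the Configuration partition, and domain-joined Outlook clients look it up there. The following is an added example, not code from the original post, for listing what is still published so you can compare it against the Exchange servers you believe are gone; it assumes the RSAT ActiveDirectory module and is read-only:

```powershell
# Added example (not from the original post): list Exchange Autodiscover
# service connection points (SCPs) still published in the Configuration
# partition. Lists only; deleting is a deliberate separate step.
Import-Module ActiveDirectory

function Get-ExchangeAutodiscoverScp {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    # Exchange publishes one SCP per Client Access server under this container
    $container = "CN=Microsoft Exchange Autodiscover,CN=Services,$configNC"

    # Container absent means nothing is published any more
    if (-not (Get-ADObject -Identity $container -ErrorAction SilentlyContinue)) {
        return @()
    }

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=serviceConnectionPoint)' `
        -Properties serviceBindingInformation, keywords, whenChanged |
    ForEach-Object {
        [pscustomobject]@{
            Server      = $_.Name                                # SCP is named after the Exchange server
            Url         = ($_.serviceBindingInformation -join ';')  # Autodiscover URL clients are sent to
            Keywords    = ($_.keywords -join ';')                # site scoping and the Autodiscover marker GUID
            LastChanged = $_.whenChanged                         # stale date is a hint the server is gone
            DN          = $_.DistinguishedName
        }
    }
}

$scps = @(Get-ExchangeAutodiscoverScp)
if ($scps.Count -eq 0) {
    Write-Host 'No Exchange Autodiscover SCPs published.'
} else {
    $scps | Format-Table Server, Url, LastChanged -AutoSize
    # Cross-check: does the server named in each SCP still exist as a computer object?
    foreach ($scp in $scps) {
        $exists = Get-ADComputer -LDAPFilter "(name=$($scp.Server))" -ErrorAction SilentlyContinue
        if (-not $exists) {
            Write-Warning "SCP '$($scp.Server)' points at $($scp.Url) but no such computer object exists: stale record."
        }
    }
}
```

A stale SCP means domain clients still try the old on-site endpoint first during Autodiscover before falling back, so the record is worth removing once you have confirmed the server is really decommissioned; the DN column gives you exactly which object to remove.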