Exchange Onsite Removal
I encountered this while running PingCastle and cleaning up the domain.
The company had Exchange on-site, then moved to Exchange365.
PingCastle reports the vulnerable schema class msExchStorageGroup/PossSuperiorComputer (the msExchStorageGroup class still lists computer as a possible superior).
Log on with a user that is a member of Schema Admins. Remember they need to be a member before logging in: group membership goes into the ticket the user gets at logon.
Run this super-secret command in PowerShell/cmd as Administrator:
regsvr32.exe schmmgmt.dll
Now you can add a very dangerous snap-in, Active Directory Schema, to MMC.
You may need to make this change; if not, carry on and remove the possible superior instead.
Removing the Possible Superior
More info here: https://www.zubairalexander.com/blog/active-directory-schema-management/
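The same change done from PowerShell instead of the snap-in, as an added example that is not part of the original post. It looks up the msExchStorageGroup class in the schema partition, shows its current possible superiors, and removes computer from possSuperiors on the schema master. The script assumes the ActiveDirectory RSAT module and a Schema Admins logon; it runs the write with -WhatIf first because a schema change replicates forest-wide and cannot be undone.

```powershell
# Added example, not the original post's code: inspect msExchStorageGroup and drop
# 'computer' from its possSuperiors attribute. Assumes RSAT ActiveDirectory module
# and that the current user is a member of Schema Admins (ticket obtained at logon).
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster   # schema writes must go to the FSMO role holder

# The class PingCastle flags, found by its LDAP display name.
$class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExchStorageGroup))' `
    -Properties possSuperiors, systemPossSuperiors

if (-not $class) {
    Write-Warning 'msExchStorageGroup is not in the schema (never extended, or already cleaned up)'
    return
}

"Current possSuperiors       : $($class.possSuperiors -join ', ')"
"Current systemPossSuperiors : $($class.systemPossSuperiors -join ', ')"   # system-owned, shown for reference only

if ($class.possSuperiors -contains 'computer') {
    # Dry run first; there is no undo for schema changes. Re-run without -WhatIf to apply.
    Set-ADObject -Server $schemaMaster -Identity $class.DistinguishedName `
        -Remove @{ possSuperiors = 'computer' } -WhatIf
}
else {
    'computer is not a possible superior of msExchStorageGroup; nothing to do'
}

# Re-read the attribute to confirm (only changes after the run without -WhatIf).
(Get-ADObject -Server $schemaMaster -Identity $class.DistinguishedName `
    -Properties possSuperiors).possSuperiors
```

Re-run PingCastle afterwards: the finding should disappear once the change has replicated to the domain controller it scans.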
Step 2 aka HA you thought you were done but NOOOOO
User rights assigned in a GPO are a way to become administrator without being a member of any admin group.
Download a program called PingCastle and run it against your domain controller; just choose the defaults and it creates an HTML report. Open the report and scroll all the way down to GPO, Privileges. Note there may be multiple pages.
You will see entries for DomainName\Exchange Servers and DomainName\Exchange Enterprise Servers.
To change this you need to start up the Group Policy editor. PingCastle lists the name of the policy to edit; open Local Policies/User Rights Assignment and remove any entries referring to your mail server. Remember to take a screenshot first in case you delete something by accident: there is no UNDO button in Group Policy.
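An added example, not from the original post, that finds those entries without paging through the report: it pulls an XML report of every GPO in the domain and lists each user right granted to an account whose name contains "Exchange", together with the GPO that grants it. It assumes the GroupPolicy RSAT module and is read-only; the Backup-GPO line at the end is the undo the editor lacks.

```powershell
# Added example, not the original post's code: audit user rights assigned by GPO
# to Exchange groups. Assumes the GroupPolicy RSAT module (Get-GPOReport, Backup-GPO).
Import-Module GroupPolicy

$pattern = 'Exchange'   # matches DOMAIN\Exchange Servers, DOMAIN\Exchange Enterprise Servers, ...

# One XML document covering all GPOs in the domain.
[xml]$report = Get-GPOReport -All -ReportType Xml

# The report is namespaced, so local-name() XPath avoids hard-coding prefixes.
$findings = foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
    $gpoName   = $ura.SelectSingleNode("ancestor::*[local-name()='GPO']/*[local-name()='Name']").InnerText
    $privilege = $ura.SelectSingleNode("*[local-name()='Name']").InnerText   # e.g. SeDebugPrivilege
    foreach ($member in $ura.SelectNodes("*[local-name()='Member']")) {
        $account = $member.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($account -match $pattern) {
            [pscustomobject]@{ GPO = $gpoName; UserRight = $privilege; Account = $account }
        }
    }
}

if (-not $findings) {
    "No user rights assigned to accounts matching '$pattern'"
    return
}

$findings | Sort-Object GPO, UserRight | Format-Table -AutoSize

# Back up every affected GPO before touching it in the editor.
# $backupPath is an assumed location; any writable folder works.
$backupPath = 'C:\GPOBackup'
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
foreach ($gpo in ($findings.GPO | Sort-Object -Unique)) {
    Backup-GPO -Name $gpo -Path $backupPath | Out-Null
}
"Backups written to $backupPath (restore with Restore-GPO if an edit goes wrong)"
```

The output gives you the GPO name, the privilege constant and the account for each line you are about to delete, which is a better record than a screenshot and survives a restore.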
Step 3; aka WTF, more steps?!?!
Check your published AD services.
Now we can see there is an Exchange Server listed with an AutoDiscover record.
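An added example, not from the original post, for finding that record from PowerShell rather than the Sites and Services console: Exchange publishes Autodiscover as a serviceConnectionPoint object under each server in the configuration partition, and domain-joined Outlook clients query those SCPs first, so a stale one pointing at the decommissioned server keeps getting tried. The script assumes the ActiveDirectory RSAT module; the keyword GUID in the filter is the documented Autodiscover SCP marker, and the removal at the end is a -WhatIf dry run.

```powershell
# Added example, not the original post's code: list (and optionally remove) the
# Autodiscover SCPs left in AD by an on-site Exchange server. Assumes the RSAT
# ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Keyword Exchange stamps on Autodiscover SCP objects (documented Autodiscover marker).
$autodiscoverKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

$scps = Get-ADObject -SearchBase $configNC `
    -LDAPFilter "(&(objectClass=serviceConnectionPoint)(keywords=$autodiscoverKeyword))" `
    -Properties serviceBindingInformation, whenChanged

if (-not $scps) { 'No Autodiscover SCPs published; nothing to clean up'; return }

foreach ($scp in $scps) {
    # DN shape: CN=Autodiscover,CN=Protocols,CN=<server>,CN=Servers,... so the server is the third RDN.
    $server = (($scp.DistinguishedName -split ',')[2]) -replace '^CN=', ''
    [pscustomobject]@{
        Server      = $server
        Url         = ($scp.serviceBindingInformation -join ', ')
        LastChanged = $scp.whenChanged
        DN          = $scp.DistinguishedName
    }
}

# Removal is a last resort for a server that no longer exists and cannot be
# uninstalled cleanly. Dry run only; drop -WhatIf once the list above is correct.
foreach ($scp in $scps) {
    Remove-ADObject -Identity $scp.DistinguishedName -Confirm:$false -WhatIf
}
```

Run the first part on its own before deciding anything: the Url column tells you whether the SCP still points at the old mail server or has already been redirected, and a server you still intend to uninstall properly should be left for setup to clean up.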