
exchange mailbox permissions and mailbox creation


scale

Apr 22, 2008, 11:10:01 AM
I have a team of people in a group and I want those users to be able to
create mailboxes. I have them delegated in ADUC to create user accounts but
they can't create mailboxes.

I would also like these users to be able to open any mailbox.

How can I give permissions to this group so they can create mailboxes and
also open any mailbox of other users?

Would delegating them in Exchange System Manager to be Exchange
Administrators at the Administrative Group level allow for this access?

andy webb

Apr 22, 2008, 12:00:21 PM
Yes, that's correct. You need to delegate permissions within ESM.

Further, to open anyone's mailbox, there are restrictions to what groups the
team can belong to, and you'll need to set some special permissions at the
store, storage group, or server level. I would actually suggest using
separate accounts for this for both auditability and also so that you don't
run into some of the ACL issues around this. Look up how to create an
exmerge account for docs on creating the mailbox access rights.


"scale" <sc...@discussions.microsoft.com> wrote in message
news:5C271B0C-7304-4E21...@microsoft.com...

Jamestechman

Apr 22, 2008, 1:53:11 PM
Custom delegated rights take a bit more work. To grant someone the
ability to create mailboxes they need the view-only role in addition
to ACLs on several Exchange attributes using DSACLS. You can download
the doc below on how to grant these rights.


Working with Active Directory Permissions in Microsoft Exchange Server
2003
http://www.microsoft.com/downloads/details.aspx?familyid=0954b157-5add-48b8-9657-b95ac5bfe0a2&displaylang=en


To mailbox-enable a user or inetOrgPerson object, the Exchange
administrator must apply the Exchange delegated role, Exchange
View-Only Administrator (or higher), on the target administrative group.
In addition, the Exchange administrator must have Read and Write
access to the following user or inetOrgPerson object attributes:
• adminDisplayName
• autoReplyMessage (ILS Settings)
• displayName (Display Name)
• dLMemDefault
• homeMDB (Exchange Mailbox Store)
• homeMTA
• legacyExchangeDN
• mail (E-Mail Address)
• mailNickname (Alias)
• mAPIRecipient
• mDBUseDefaults
• msExchADCGlobalNames
• msExchControllingZone
• msExchFBURL
• msExchHideFromAddressLists
• msExchHomeServerName (Exchange Home Server)
• msExchMailboxGuid
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchResourceGUID
• msExchUserAccountControl
• proxyAddresses (Proxy Addresses)
• showInAddressBook
• targetAddress
• textEncodedORAddress


James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com
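
The per-attribute grants described in the post above can be scripted with DSACLS. This is an added example, not code from the thread or from the Microsoft document; the OU distinguished name and the group name are constructed placeholders. It covers only the attribute ACLs: the Exchange View-Only Administrator role is still delegated separately on the administrative group.

```powershell
# Added example: emit (or apply) dsacls grants for the attributes listed above.
# $TargetOU and $Delegate are constructed placeholders, not values from the thread.
param(
    [string]   $TargetOU    = 'OU=Staff,DC=example,DC=com',
    [string]   $Delegate    = 'EXAMPLE\MailboxCreators',
    [string[]] $ObjectTypes = @('user'),   # the page also names inetOrgPerson
    [switch]   $Apply                      # without -Apply, only print the commands
)

# Attribute list exactly as given in the post (LDAP display names).
$attributes = @(
    'adminDisplayName', 'autoReplyMessage', 'displayName', 'dLMemDefault',
    'homeMDB', 'homeMTA', 'legacyExchangeDN', 'mail', 'mailNickname',
    'mAPIRecipient', 'mDBUseDefaults', 'msExchADCGlobalNames',
    'msExchControllingZone', 'msExchFBURL', 'msExchHideFromAddressLists',
    'msExchHomeServerName', 'msExchMailboxGuid',
    'msExchMailboxSecurityDescriptor', 'msExchPoliciesExcluded',
    'msExchPoliciesIncluded', 'msExchResourceGUID', 'msExchUserAccountControl',
    'proxyAddresses', 'showInAddressBook', 'targetAddress', 'textEncodedORAddress'
)

$failed = @()
foreach ($type in $ObjectTypes) {
    foreach ($attr in $attributes) {
        # RPWP = Read Property + Write Property on this one attribute only;
        # /I:S applies the ACE to child objects of class $type, not to the OU itself.
        $ace = '{0}:RPWP;{1};{2}' -f $Delegate, $attr, $type
        if ($Apply) {
            & dsacls.exe $TargetOU /I:S /G $ace | Out-Null
            if ($LASTEXITCODE -ne 0) { $failed += "$type/$attr" }
        } else {
            'dsacls "{0}" /I:S /G "{1}"' -f $TargetOU, $ace
        }
    }
}

if ($failed) { Write-Warning ("dsacls failed for: " + ($failed -join ', ')) }
# Review the resulting ACL afterwards with:  dsacls "<TargetOU>"
```

Run it without `-Apply` first and review the printed commands before changing any ACLs.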
