User Permissions

This is really doing my head in. I need 4 people to be able to create user accounts, but when they try and create an account they cannot create a mailbox for the user!! I have tried delegating Exchange Administrative View Only permissions to the group they are in but still no joy!! What am i missing here??

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

dtlokee

Is this the same problem you posted here?

http://www.techexams.net/forums/viewtopic.php?t=28453

What versions of Windows and Exchange are you using?

sprkymrk

billybob01 wrote:

This is really doing my head in. I need 4 people to be able to create user accounts, but when they try and create an account they cannot create a mailbox for the user!! I have tried delegating Exchange Administrative View Only permissions to the group they are in but still no joy!! What am i missing here??

Aren't they going to need more rights than "view" to create mailboxes on the Exchange Server?

Sie

Im not up to speed with exchange but dont the users need more that View rights to create the mailboxs??.......

blargoe

They have to have Exchange Administrator I believe.

EDIT: Not necessarily... if they have View only and read/write to the AD attributes listed in this Technet

http://technet.microsoft.com/en-us/library/5c5ab164-536d-4d86-a529-f6a34ce1da1c.aspx

sprkymrk

http://support.microsoft.com/kb/316792/

Sie

Dang you Mark finishing before me AGAIN.

Maybe if I go to do my work here you'll have beaten me to it.......

dynamik

sprkymrk wrote:

Aren't they going to need more rights than "view" to create mailboxes on the Exchange Server?

That was my first reaction too, but if you follow the link from the other thread, that's all the page calls out for.

http://technet.microsoft.com/en-us/library/bb124053.aspx

technet wrote:

What permissions do I need to be able to create and delete Exchange Server 2003 users?

If you are responsible for both user and mailbox management, you need to have permissions to create a user object in Active Directory. For example, you could be a Domain Admin, Account Operator, or you might have delegated access to a specific organization unit. In addition, you need the following Exchange permission:

* The Exchange View Only Administrator role to the administrative group where the target Exchange Server 2003 server exists.

If you are responsible for mailbox-enabling users post-account creation, you can use a reduced set of permissions (in addition to the Exchange View Only Administrator).

blargoe wrote:

They have to have Exchange Administrator I believe.

EDIT: Not necessarily... if they have View only and read/write to the AD attributes listed in this Technet

Wouldn't the Exchange Administrator role be overkill for this task since that would give them much more control over the Exchange environment as well?

sprkymrk

Interesting... Anyone seen royal lately? He's the Exchange guru.

@Sie
All I can say is you must type reeeeeeeaaaaalllllyyyy slow for me to be able to beat you to the "post".

sprkymrk

I also just noticed something else in the tech net quote - is mailbox "management" the same thing as "creation"?

royal

Exchange 2003:
Give a user Exchange Administrator permissions to the Administrative Group they need to create users.
Have that user use the Exchange-Specific Management Tools to open up ADUC (the orange ADUC) and create the new user in AD. It'll then ask you to create the mailbox.

Exchange 2007:
Give the user Recipient Administrator permissions. This new group was created to prevent giving someone too many permissions with the Exchagne Administrator group. You can create a customized Exchange Management Console view in the MMC so a recipient administrator can only create and manage users in a specific OU. This complies with the Principle of Lease Priviledge and I would highly recommend only giving those users Recipient Administrator permissions and creating the customized MMC.