User Permissions

billybob01billybob01 Member Posts: 504
This is really doing my head in. I need 4 people to be able to create user accounts, but when they try and create an account they cannot create a mailbox for the user!! I have tried delegating Exchange Administrative View Only permissions to the group they are in but still no joy!! What am i missing here??

Comments

  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Is this the same problem you posted here?

    http://www.techexams.net/forums/viewtopic.php?t=28453

    What versions of Windows and Exchange are you using?
    The only easy day was yesterday!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    billybob01 wrote:
    This is really doing my head in. I need 4 people to be able to create user accounts, but when they try and create an account they cannot create a mailbox for the user!! I have tried delegating Exchange Administrative View Only permissions to the group they are in but still no joy!! What am i missing here??

    Aren't they going to need more rights than "view" to create mailboxes on the Exchange Server?
    All things are possible, only believe.
  • SieSie Member Posts: 1,195
    Im not up to speed with exchange but dont the users need more that View rights to create the mailboxs??.......
    Foolproof systems don't take into account the ingenuity of fools
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    They have to have Exchange Administrator I believe.

    EDIT: Not necessarily... if they have View only and read/write to the AD attributes listed in this Technet

    http://technet.microsoft.com/en-us/library/5c5ab164-536d-4d86-a529-f6a34ce1da1c.aspx
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
  • SieSie Member Posts: 1,195
    Dang you Mark finishing before me AGAIN. icon_lol.gif

    Maybe if I go to do my work here you'll have beaten me to it....... icon_wink.gif
    Foolproof systems don't take into account the ingenuity of fools
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    sprkymrk wrote:
    Aren't they going to need more rights than "view" to create mailboxes on the Exchange Server?

    That was my first reaction too, but if you follow the link from the other thread, that's all the page calls out for.

    http://technet.microsoft.com/en-us/library/bb124053.aspx
    technet wrote:
    What permissions do I need to be able to create and delete Exchange Server 2003 users?

    If you are responsible for both user and mailbox management, you need to have permissions to create a user object in Active Directory. For example, you could be a Domain Admin, Account Operator, or you might have delegated access to a specific organization unit. In addition, you need the following Exchange permission:

    * The Exchange View Only Administrator role to the administrative group where the target Exchange Server 2003 server exists.

    If you are responsible for mailbox-enabling users post-account creation, you can use a reduced set of permissions (in addition to the Exchange View Only Administrator).

    blargoe wrote:
    They have to have Exchange Administrator I believe.

    EDIT: Not necessarily... if they have View only and read/write to the AD attributes listed in this Technet

    Wouldn't the Exchange Administrator role be overkill for this task since that would give them much more control over the Exchange environment as well?
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Interesting... Anyone seen royal lately? He's the Exchange guru.

    @Sie
    All I can say is you must type reeeeeeeaaaaalllllyyyy slow for me to be able to beat you to the "post". icon_lol.gif
    All things are possible, only believe.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I also just noticed something else in the tech net quote - is mailbox "management" the same thing as "creation"?
    All things are possible, only believe.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Exchange 2003:
    Give a user Exchange Administrator permissions to the Administrative Group they need to create users.
    Have that user use the Exchange-Specific Management Tools to open up ADUC (the orange ADUC) and create the new user in AD. It'll then ask you to create the mailbox.

    Exchange 2007:
    Give the user Recipient Administrator permissions. This new group was created to prevent giving someone too many permissions with the Exchagne Administrator group. You can create a customized Exchange Management Console view in the MMC so a recipient administrator can only create and manage users in a specific OU. This complies with the Principle of Lease Priviledge and I would highly recommend only giving those users Recipient Administrator permissions and creating the customized MMC.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
Sign In or Register to comment.