Active Directory Delegation Issue with Exchange Permissions
Hello everyone. I'm currently working on setting delegation up for members of IT, in order to pull back domain admin group memberships that were too freely distributed by previous IT administrations. As part of my testing, I've created an OU and set up the permissions to my liking there. However, I have run into one issue with Exchange. Currently, the test account has the following permissions on my test OU:
- Create, delete, and manage user accounts
- Modify the membership of a group
I'm able to do anything I like with the test account, except change the SMTP address for a user account. When I go into the user Properties in ADUC, select the E-mail Addresses tab and highlight an address, then click on Edit, I receive the following error:
Microsoft Active Directory - Exchange Extension
There is no such object on the server.
Facility: Win32
ID no: c0072030
Microsoft Active Directory - Exchange Extension
I also receive the same error if I try to create a new SMTP address for an account. Following this, as a test I delegated Exchange Administrator permissions at the top level in Exchange, using ESM, to my test account. This removes the error, but gives the user far more permissions than we would like them to have. Is there a simpler way to resolve this, or am I resigned to either letting them have the permissions in Exchange outlined above, or requiring them to come to a domain admin each time an email address needs to be changed?
September 26th, 2008 5:20pm
I was wondering if you are running Enterprise edition of Exchange? If you run Enterprise edition you could setup a separate storage group and then delegate control over that part for members of IT, instead of the entire Exchange Organisation.
Selcuk Algun, MCSE+S+M
September 26th, 2008 5:49pm
Selcuk,
Thank you for your reply. We are running Exchange 2003,Standard Edition. I suppose I could delegate permissions further down within Exchange, say at the First Storage Group level. This would restrict them within Exchange a little more, but not much. I was hoping there was a simple way to give them the permissions to change SMTP addresses in AD without giving away the store (haha) on the Exchange side of things. Thoughts?
Thank you,
Jason
September 26th, 2008 6:06pm
Yes Jason, you can do it in AD; refer to the guide below for further information about permissions in AD for Exchange 2003:
Working with Active Directory Permissions in Microsoft Exchange Server 2003: http://www.microsoft.com/DownLoads/details.aspx?familyid=0954B157-5ADD-48B8-9657-B95AC5BFE0A2&displaylang=en
You need to run a dsacls command something like the one below:
dsacls "OU=YourOU,DC=YourDomain,DC=com" /I:S /G "Domain\User:RPWP;proxyAddresses;user"
How to Use DSACLS to Apply Permissions: http://technet.microsoft.com/en-us/library/aa998151(EXCHG.65).aspx
September 26th, 2008 6:31pm
Looks like I have a little reading to do, thank you gentlemen. I'll respond after I've had a chance to review the documentation and test it out.
Thank you,
Jason
September 26th, 2008 6:41pm
So, it would appear to me that to grant the permission to edit SMTP properties of a user or group to our technicians, I would need to do the following:
dsacls "OU=UsersContainer,DC=ourcompany,DC=com" /I:S /G
"ourcompany\techs:RPWP;proxyAddresses;user"
"ourcompany\techs:RPWP;proxyAddresses;group"
My next question is, would these permissions show up in the Security tab under Advanced when I look at the OU?
Thanks,
Jason
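The dsacls delegation Jason is attempting, and his question about whether the ACEs appear under Security > Advanced, as an added PowerShell example that is not from the thread: it grants ourcompany\techs read/write on proxyAddresses, inherited to user and group objects under the OU, through .NET DirectoryServices, and then lists the explicit ACEs on the OU. The OU and group names are assumed placeholders.

```powershell
# Added example, not from the thread: the AD side of the dsacls delegation above
# (RPWP on proxyAddresses, inherited to user and group objects only), done with
# .NET DirectoryServices so the resulting ACEs can be listed. OU and group names
# are assumed placeholders.
$ouDn      = "OU=UsersContainer,DC=ourcompany,DC=com"
$principal = New-Object System.Security.Principal.NTAccount("ourcompany", "techs")

# Resolve schemaIDGUIDs from the forest schema rather than hardcoding them.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.Properties["schemaNamingContext"][0])
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if (-not $result) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties["schemaidguid"][0])
}

$proxyAddressesAttr = Get-SchemaGuid "proxyAddresses"   # the ";proxyAddresses" part of dsacls
$rights  = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"  # RPWP
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents    # /I:S

$ou  = [ADSI]"LDAP://$ouDn"
$acl = $ou.ObjectSecurity
foreach ($className in "user", "group") {
    # Last argument restricts the inherited ACE to objects of this class (";user" / ";group").
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $principal, $rights, $allow, $proxyAddressesAttr, $inherit, (Get-SchemaGuid $className)
    $acl.AddAccessRule($rule)
}
$ou.CommitChanges()   # writes the modified security descriptor back to the OU

# What the Security tab > Advanced will show: explicit ACEs on the OU for this principal.
function Get-DelegatedAces {
    param([string]$Dn, [string]$Account)
    $entry = [ADSI]"LDAP://$Dn"
    $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegatedAces -Dn $ouDn -Account "ourcompany\techs" | Format-Table -AutoSize
```

This covers only the AD write to proxyAddresses; as the thread's resolution shows, the ADUC Exchange extension additionally needs the Exchange View Only Administrator role granted in ESM before the E-mail Addresses tab will work.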
September 26th, 2008 8:32pm
So, I ran the command as shown above, but this did not resolve the error I'm seeing when my test account attempts to change an email address in AD for a user. Perhaps I'm entering this information incorrectly?
Thanks,
Jason
September 26th, 2008 8:48pm
Hi Kezzran
I saw you've given TestAdmin Create, delete, and manage user accounts; you actually just need to add View Only Administrators to TestAdmin in ESM. Then they'll be able to modify the address. It's working in my testing.
September 29th, 2008 9:32am
James,
Awesome, thank you for the information. I didn't even think to test that, as it seemed it would not grant the necessary permissions. I'll test this tomorrow and let you know if this provides a resolution for us.
Thanks,
Jason
September 29th, 2008 11:34pm
James,
Your suggestion was the resolution I was looking for. You are the man!
Thank You,
Jason
September 30th, 2008 9:59pm