Child domain admins unable to create mailboxes Exch2007
I have an issue I just cannot seem to figure out. We have a root domain with many child domains. All Exchange 2007 servers are installed within the root domain. Domain admins in the child domains have been given recipient administrator rights. I have even gone into adsiedit and provided permissions on the mailbox stores themselves that these admins need to be able to create mailboxes in.
Every time they try, they receive the "access to all Exchange 2007 address lists denied" error. I have researched this error and nothing seems to work.
Strange thing is, if they use ADUC to create the account, they are able to create the mailbox. Now of course the mailbox will not work properly until I run the -ApplyMandatoryProperties against it, but it doesn't really seem to be a permissions issue writing to that store.
Has anyone else come across this and been able to fix it?
June 14th, 2010 5:42pm
Ok, I really need to start posting issues sooner because it never fails that after weeks of frustration, once I post, I figure something out. I'm sure this is not the correct way for this to work, but it worked for us so thought I'd share.
Not only did I have to put the domain admins groups for each child domain in the recipient administrators role, but the view-only also.
So here are the three steps I needed to make it work in my forest which is very large and complex:
1- add security group to recipient administrators role
2- add security group to view-only administrators role
3- use adsi edit to grant administer store permissions to that security group on the mailbox store for that domain
June 14th, 2010 6:18pm
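The three steps above, scripted for the Exchange 2007 Management Shell as an added example that is not part of the original post: it checks what the group already holds before granting anything, so the delegation stays limited to the two roles and the one store. The group and database names are placeholders, and mapping step 3 to the `ms-Exch-Store-Admin` extended right ("Administer information store") is an assumption, since the post does not name the exact right.

```powershell
# Run in the Exchange Management Shell (Exchange 2007) with organization admin rights.
# Constructed placeholder values: replace with your own group and mailbox database.
$Group    = 'CHILD\Domain Admins'
$Database = 'EXCH01\First Storage Group\Mailbox Database'

# Let the session resolve objects in child domains, not only the local domain.
$AdminSessionADSettings.ViewEntireForest = $true

# Steps 1 and 2: the group needs BOTH roles. Add only the ones it does not hold yet.
$current = @(Get-ExchangeAdministrator -Identity $Group -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Role.ToString() })
foreach ($Role in 'RecipientAdmin', 'ViewOnlyAdmin') {
    if ($current -notcontains $Role) {
        Write-Host "Adding $Group to role $Role"
        Add-ExchangeAdministrator -Identity $Group -Role $Role
    }
}

# Step 3: grant the store right on the one database these admins provision into.
# Assumption: 'ms-Exch-Store-Admin' is the right the post set through ADSI Edit.
$db = Get-MailboxDatabase -Identity $Database
$hasStoreAdmin = Get-ADPermission -Identity $db.DistinguishedName -User $Group |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-Store-Admin') }
if (-not $hasStoreAdmin) {
    Write-Host "Granting ms-Exch-Store-Admin on $Database to $Group"
    Add-ADPermission -Identity $db.DistinguishedName -User $Group `
        -ExtendedRights 'ms-Exch-Store-Admin'
}

# Review the result: exactly two roles and one store ACE should be listed.
Get-ExchangeAdministrator -Identity $Group | Format-Table Identity, Role, Scope -AutoSize
Get-ADPermission -Identity $db.DistinguishedName -User $Group |
    Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize
```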
Very Good!
Thank you for your sharing!
Your expertise never fails to impress!
June 15th, 2010 9:53am