Delegate AD Permission without specific Exchange Rights
Hello,
i don't know if this is the right place to ask but i'll have a try.
At a customer we need to enable the Helpdesk to manage the User Accountsexcept:
Mailboxrights
EmailAdresses
Email Address Field in the General Tab
Disable/enable the Recipient Policy
Mailbox Quotas
ILS-Settings (optional)
We tried to give them read/write all properties and then take away the rights they shouldn't get.
But that only worked for the quotas as it seems that they kept some of the rights through the "Property Sets" like "Personal Information" etc.
Also if i remove only one Write it warns me that more than 200 ACEs will be created which will slow performance.
So is there a way to accomplish that without "trial and error" removal of the property sets one by one and without the resulting 200 ACEs?
It would be ok if they can't do anything Exchange related.
Active Directory on W2003 SP2 and Exchange 2003 SP2
Thanks in advance
Thorsten
March 12th, 2008 11:20am
Hi,
Create an Security group that you will use to give the users permissions.
use the delegate wizard in Active directory Users and Computers. Give only the required permissions using the wizard.
And maybe afterwards use the security tab to rmove certain permissions.
Regards,
Alan
Free Windows Admin Tool Kit Click here and download it now
March 12th, 2008 12:34pm