Permissions - create mailbox but not view mailbox
Hi,
I'm in the process of designing AD/Exchange permissions for our help desk/account management folks. We have Exchange 2003 SP2 running with Active Directory - Server 2003 functional level. I have a 2-fold goal for our helpdesk/account management security profile:
1. They can create, rename, and delete mailboxes as part of the account management process.
2. They cannot view the contents of any mailbox.
I've tried adding the helpdesk security group to the standard builtin Account Operators AD group. This gives them the ability to create and otherwise manage AD user accounts, but not to create or modify mailboxes. I've also heard that these folks can be added to the Exchange View Only Administrators group, but I am concerned that this gives them the right to view the contents of mailboxes, which I do not want.
Does anyone have ideas about how to accomplish this security profile in AD/Exchange? I'm glad to do a little reading if someone has a favorite link for this kind of information. Thank you.
Robert S.
Portland, Oregon USA
August 1st, 2008 12:50am
Members of the Exchange View Only group cannot access mailbox contents themselves; in fact, you have to go out of your way to allow user accounts that type of access in Exchange 200x.
Here are some more details on how that works:
http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
http://support.microsoft.com/kb/821897
August 1st, 2008 1:02am