Recipient Admin Permissions in Exchange 2007
Question: Hi

We are migrating from Exchange 2003 to Exchange 2007. We have several domains in our AD: ny.company.com, la.company.com, uk.company.com and sa.company.com

Each domain is also an Administrative Group in Exchange 2003. This way, Exch/AD admins in each region have control of their own user accounts/mailboxes.

But: Exchange 2007 does away with Administrative Groups!

The problem is for the junior admins who we don't want to give Exchange Server admin rights, but still want to be able to amend Exchange 2007 mailboxes, but only in their region.

So, the question is: if we give them all Exchange 2007 Recipient Admin rights, will they be able to make changes to the mailbox properties of mailboxes outside their home domain? They have AD rights on the OUs that contain these mailboxes.

For example: NY users are held in an OU named "NY Office1" OU in the ny.company.com domain. The junior admins have been delegated rights on this OU. We need them to be able to amend mailbox properties for the NY users' mailboxes once they are on Exchange 2007. So, our solution was to add the Junior Admins in NY to the Recipient Admins group of Exchange 2007. However, will this also give them permission to amend the mailbox properties of mailboxes in LA? Even though they hadn't been delegated rights on the LA User OUs?

The reason I ask is that we thought we could do without giving the junior admins Recipient Admin rights as per here: http://technet.microsoft.com/en-us/library/bb232100.aspx

However, they can't move mailboxes nor create them [the error message is ACCESS TO THE ADDRESS LIST SERVICE ON ALL EXCHANGE 2007 SERVERS HAD BEEN DENIED]

*confused*
December 1st, 2009 10:54pm
So, the question is: if we give them all Exchange 2007 Recipient Admin rights, will they be able to make changes to the mailbox properties of mailboxes outside their home domain?
Yes.

The long and short of it is that this type of management (per admin group) is very hard to do in Exchange 2007. 2010 actually makes it easier if this is an option. Otherwise you have to do a lot of manual permission adjustment for the various tasks required by your organization. I'm not sure this is comprehensively documented in any one place, but rather as a reference for a given task.
December 3rd, 2009 1:28am
Another option would be something like HMC, where each domain is a "customer", but if you need this, really this is a huge focal point of 2010.
December 3rd, 2009 1:30am