Split Permissions model for Exchange 2007
Hello, there is an article here on how to assign Exchange permissions per OU in Exchange 2007, now that Admin Groups have been removed from Exchange 2007. In our organisation, providing all Helpdesk staff the ability to modify Exchange attributes on all user objects in the domain is not suitable.

http://technet.microsoft.com/en-us/library/bb232100%28EXCHG.80%29.aspx

I was looking at the section entitled "How to use the Exchange Management Shell to assign permissions". Within this, there are two steps that I don't understand:

a) Run the following command to grant the OU1AdminGroup security group the extended right to access the Recipient Update Service.

Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "Contoso\OU1AdminGroup" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents

b) Run the following commands to grant the OU1AdminGroup security group the ability to update the address lists and e-mail address policies.

Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\OU1AdminGroup" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags

Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\OU1AdminGroup" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags

Where OU1AdminGroup is the Helpdesk group for OU1.

I'm not sure what those commands exactly do. Do they provide OU1AdminGroup with the ability to amend the RUS/Email Address Policies, or just use them to create new mailboxes? Could anyone clarify?

Thanks in advance.
December 30th, 2009 10:12pm
Per the article:

This extended right is required because in Exchange 2007, the address-related information is stamped on the recipient during the provisioning process.

So these rights are needed to allow management of the mail-enabled objects. Management and modification of Address Lists require Exchange Organization permissions.
December 30th, 2009 10:32pm
Hi Andy,

Thanks, there is the following explanation I have copied below:
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can execute the Update-AddressList cmdlet.
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container within the Exchange organization. These permissions are required so the recipient administrator can execute the Update-EmailAddressPolicy cmdlet.
The Access Recipient Update Service extended right on the Exchange 2007 administrative group. This extended right is required because in Exchange 2007, the address-related information is stamped on the recipient during the provisioning process.
So does this mean that the commands I specified above are just to help with the creation of mailboxes, they are not so that a member of the OU1AdminGroup can actually *change* either the RUS or Email Address Policies themselves? In which case, I'm still unsure, what exactly does Update-EmailAddressPolicy mean, does it mean to update the mailbox with the Email Address Policy, or change the Email Address Policy itself?
Also, I thought RUS was gone in Exchange 2007?
December 30th, 2009 10:38pm
RUS is gone as a mystery background service, but the same logic still exists; the difference being that it is enforced on an account every time a change is made to it by an Exchange 2007 cmdlet. http://msexchangeteam.com/archive/2006/10/02/429053.aspx sort of explains it. As I understand it, the permissions you are granting don't let those "delegated IT" update the policies themselves, but rather just let them make the required changes to mailboxes. I'll admit I haven't really tested that, but even if I'm wrong I don't think there's any getting around it either. At the end of the day Exchange 2007 permissions are limited to read/write on various entities in Active Directory, but Exchange 2010 is supposed to be way better as far as role-based administration goes.
December 31st, 2009 6:20am
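To see for yourself what the three Add-ADPermission grants quoted in the question actually confer, and to check Andy's reading that they amount to two attribute writes plus one extended right rather than control over the policies, the following audit script runs Get-ADPermission against the same three configuration containers and lists the explicit ACEs held by OU1AdminGroup, warning if any of them is broader than the article calls for. This is an added example, not part of the thread or of the TechNet article; the DNs and group name are the ones quoted in the question, and the script assumes the Exchange 2007 Management Shell output objects expose the User, IsInherited, Deny, AccessRights, ExtendedRights, Properties and InheritanceType fields as they do in that shell.

```powershell
# Added example (not from the thread): audit what the delegated OU admin group was
# actually granted on the Exchange configuration containers named in the question.
# Run from the Exchange 2007 Management Shell. DNs and group name are quoted from the
# thread; adjust the organization name and domain for your own environment.

$GroupName = "OU1AdminGroup"   # delegated Helpdesk group for OU1 (from the thread)

# The three configuration objects touched by the article's Add-ADPermission steps.
$Targets = @(
    "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com",
    "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com",
    "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com"
)

# What the article intends to grant: nothing beyond these two attributes and one extended right.
$ExpectedProperties    = @("msExchLastAppliedRecipientFilter", "msExchRecipientFilterFlags")
$ExpectedExtendedRight = "ms-Exch-Recipient-Update-Access"

foreach ($dn in $Targets) {
    Write-Host "`n== $dn"

    # Keep only the explicit (non-inherited) allow ACEs whose trustee is the delegated group.
    $aces = Get-ADPermission -Identity $dn |
        Where-Object { ($_.User.ToString() -like "*\$GroupName") -and -not $_.IsInherited -and -not $_.Deny }

    if (-not $aces) {
        Write-Host "  no explicit ACE for $GroupName"
        continue
    }

    foreach ($ace in $aces) {
        # Normalise the multi-valued fields to plain strings for comparison and display.
        $rights   = @($ace.AccessRights)   | ForEach-Object { "$_" }
        $extended = @($ace.ExtendedRights) | ForEach-Object { "$_" }
        $props    = @($ace.Properties)     | ForEach-Object { "$_" }

        Write-Host ("  AccessRights={0} ExtendedRights={1} Properties={2} Inheritance={3}" -f `
            ($rights -join ","), ($extended -join ","), ($props -join ","), $ace.InheritanceType)

        # Anything beyond the two attribute writes / one extended right is more than the
        # split-permissions procedure needs and deserves a second look.
        $unexpectedProps = $props    | Where-Object { $ExpectedProperties -notcontains $_ }
        $unexpectedExt   = $extended | Where-Object { $_ -ne $ExpectedExtendedRight }
        $broadRights     = $rights   | Where-Object { $_ -match "GenericAll|GenericWrite|WriteDacl|WriteOwner" }

        if ($unexpectedProps -or $unexpectedExt -or $broadRights) {
            Write-Warning "ACE on $dn grants $GroupName more than the article requires; review it."
        }
    }
}
```

Read the output against the article's intent: on the administrative group object you should see a single ACE carrying the ms-Exch-Recipient-Update-Access extended right with descendant inheritance, and on the Address Lists and Recipient Policies containers a WriteProperty ACE scoped to just the two msExch* filter attributes. Nothing here grants write access to the address lists or e-mail address policies themselves, which is why, as the thread concludes, editing those still needs Exchange Organization permissions.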