Welcome to the world of Exchange 2000 permissions

The Microsoft answer on the permissions required to create mailboxes is in
KB 316792. However that does not cover property sets as mentioned below. The
best documentation for Property Sets is the Exchange 2000 Permissions Guide
if you can find it (not sure if it ever got beyond v4.01). If you need to
delete mailboxes or e-mail addresses you *might* need to be aware of
KB 815439.
--
Lee Flight
University of Leicester
"Joe Richards [MVP]" <(E-Mail Removed)> wrote in message
news:uMbKd$(E-Mail Removed)...
> Umm that is a bit extreme...
>
> We just worked this out the other day with Alliance Premier and MCS.
>
> Off the top of my head to do a basic create mailbox on an existing Domain
> User the easiest and least intrusive is the following:
>
> Public Information Property Set
> adminDisplayName
>
> Let that replicate and then if it doesn't work at that point add
>
> quotaNotificationSchedule
> quotaNotificationStyle
>
> Note those are not perms that are for user objects but someone screwed up
> and you have to have them anyway unless you have FC of the user objects. So
> in order to assign those perms you have to do it with a script or DSACL's.
> I think if I recall correctly they were only needed for delete though.
> Delete required the most permissions. On top of the ones above it also
> required
>
> garbageCollPeriod
> publicDelegates
> displayName
>
>
> Moves only required 6 permissions. I think reconnects started working once
> we got the adds working.
>
> I have seen MS docs that say you need ntSecurityDescriptor, you absolutely
> DO NOT need that one and if you do give that one out, you might as well
> just give full control because allowing someone to write that attribute you
> have given them full control.
>
> Mailbox delegation to allow help desk people to open other folks' mailboxes
> required mailbox full access on the STORE ACL for the mailbox. Depending on
> how they open the mailbox they may or may not need sendas on the User
> Object. If they add the mailbox to outlook with a mailbox already open
> (i.e. additional mailbox) they will need to have sendas on the additional
> user object to specify the FROM tab of the email. If they open the one email
> mailbox directly via that mailbox being set as the primary for the profile,
> you do NOT need the sendas permission.
>
> If you need a script to set the full mailbox access on the store object,
> let me know, I wrote one last week once we figured out what was needed for
> that delegation. It will also just display all store level ACE's on a
> mailbox as well.
>
> joe
>
>
> --
> Joe Richards
> www.joeware.net
>
> --
>
> "Marc Nivens [MSFT]" <(E-Mail Removed)> wrote in message
> news:OeG$(E-Mail Removed)...
> > Domain Admins and Exchange Admin (use the delegation wizard in ESM for
> > the second one).
> >
> > --
> > Marc Nivens
> > Enterprise Messaging Support
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
> > "Marten" <(E-Mail Removed)> wrote in message
> > news:076901c33bd3$3cca8770$(E-Mail Removed)...
> > > Hi,
> > >
> > > What permissions do I need in AD to create a mailbox for
> > > Exchange 2000?
> > >
> > > /Marten
> >
> >
>
>
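
An added example, not part of the thread or anyone's script from it: a small audit that reads the SDDL form of an object's DACL and separates property-set-scoped write ACEs (the kind of delegation discussed above) from ACEs that let the trustee rewrite the security descriptor, which is the full-control case the quoted reply warns about. The sample SDDL and SIDs are constructed; the function names are hypothetical.

```python
import re

# Rights that allow rewriting the object's security descriptor
# (ntSecurityDescriptor), i.e. effectively full control of the object.
TAKEOVER = {"GA": "generic all", "WD": "write DACL", "WO": "write owner"}

# Constructed sample. SIDs are made up; e48d0154-... is the
# Public-Information property set, bf967aba-... is the user class.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;CIIO;RPWP;e48d0154-bcf8-11d1-8702-00c04fb96050;"
    "bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1111-2222-3333-1105)"
    "(A;CI;RPWPWD;;;S-1-5-21-1111-2222-3333-1106)"
    "(A;;GA;;;DA)"
)

def dacl_aces(sddl):
    """Return the DACL's ACEs as lists of their semicolon-separated fields."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    return [a.split(";") for a in re.findall(r"\(([^()]*)\)", m.group(1))]

def classify(sddl):
    """Return (trustee, level, detail) for every allow ACE that grants writes."""
    findings = []
    for ace in dacl_aces(sddl):
        if len(ace) != 6 or ace[0] not in ("A", "OA"):
            continue  # only plain and object allow ACEs are examined
        _, _, rights, obj_guid, _, trustee = ace
        if rights.startswith("0x"):
            findings.append((trustee, "unparsed", rights))  # raw hex mask
            continue
        # SDDL rights are concatenated two-letter codes, e.g. "RPWP".
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        danger = [TAKEOVER[c] for c in codes if c in TAKEOVER]
        if danger:
            findings.append((trustee, "takeover", ", ".join(danger)))
        elif "WP" in codes and not obj_guid:
            findings.append((trustee, "write-all", "every property"))
        elif "WP" in codes:
            findings.append((trustee, "scoped", obj_guid))
    return findings

if __name__ == "__main__":
    for row in classify(SAMPLE_SDDL):
        print(row)
```

Any "takeover" row for a help desk or provisioning account is worth reviewing, since that trustee can grant itself the rest.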