Re: Delegate AD permissions to create a E2K mailbox

Discussion in 'Microsoft Windows 2000 Active Directory' started by Lee Flight, Jun 30, 2003.

  1. Lee Flight

    Lee Flight Guest

    Welcome to the world of Exchange 2000 permissions :) The Microsoft answer on
    the permissions required to create mailboxes is in KB 316792. However that
    does not cover property sets as mentioned below. The best documentation for
    Property Sets is the Exchange 2000 Permissions Guide if you can find it (not
    sure if it ever got beyond v4.01). If you need to delete mailboxes or e-mail
    addresses you *might* need to be aware of KB 815439.

    Lee Flight
    University of Leicester

    "Joe Richards [MVP]" <> wrote in message
    > Umm that is a bit extreme...
    > We just worked this out the other day with Alliance Premier and MCS.
    > Off the top of my head to do a basic create mailbox on an existing Domain
    > User the easiest and least intrusive is the following:
    > Public Information Property Set
    > adminDisplayName
    > Let that replicate and then if it doesn't work at that point add
    > quotaNotificationSchedule
    > quotaNotificationStyle
    > Note those are not perms that are for user objects but someone screwed up
    > and you have to have them anyway unless you have FC of the user objects.
    > So in order to assign those perms you have to do it with a script or
    > DSACL's. I think if I recall correctly they were only needed for delete
    > though. Delete required the most permissions. On top of the ones above
    > it also required
    > garbageCollPeriod
    > publicDelegates
    > displayName
    > Moves only required 6 permissions. I think reconnects started working once
    > we got the adds working.
    > I have seen MS docs that say you need ntSecurityDescriptor, you absolutely
    > DO NOT need that one and if you do give that one out, you might as well
    > just give full control because allowing someone to write that attribute
    > you have given them full control.
    > Mailbox delegation to allow help desk people to open other folks mailboxes
    > required mailbox full access on the STORE ACL for the mailbox. Depending
    > on how they open the mailbox they may or may not need sendas on the User
    > Object. If they add the mailbox to outlook with a mailbox already open
    > (i.e. additional mailbox) they will need to have sendas on the additional
    > user object to specify the FROM tab of the email. If they open the one
    > email mailbox directly via that mailbox being set as the primary for the
    > profile, you do NOT need the sendas permission.
    > If you need a script to set the full mailbox access on the store object,
    > let me know, I wrote one last week once we figured out what was needed
    > for that delegation. It will also just display all store level ACE's on
    > a mailbox as well.
    > joe
    > --
    > Joe Richards
    > --
    > "Marc Nivens [MSFT]" <> wrote in message
    > > Domain Admins and Exchange Admin (use the delegation wizard in ESM for
    > > second one).
    > >
    > > --
    > > Marc Nivens
    > > Enterprise Messaging Support
    > >
    > > This posting is provided "AS IS" with no warranties, and confers no
    > > Use of included script samples are subject to the terms specified at
    > >
    > > "Marten" <> wrote in message
    > > news:076901c33bd3$3cca8770$...
    > > > Hi,
    > > >
    > > > What permissions do I need in AD to create a mailbox for
    > > > Exchange 2000?
    > > >
    > > > /Marten

    Lee Flight, Jun 30, 2003
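
An added example, not part of the thread and not the script mentioned in it: a Python check over an object's SDDL string that separates a narrow grant like the one described above (write on the Public Information property set) from grants that let a trustee rewrite the security descriptor, which is the full-control-equivalent case the quoted reply warns about. The SDDL sample and SIDs are constructed, and the list of trusted aliases is an assumption.

```python
import re

# Access-mask bits behind the SDDL right codes this check cares about.
BITS = {"WP": 0x20, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
TAKEOVER = {"WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL"}
# rightsGuid of the Public-Information property set (AD schema value).
KNOWN = {"e48d0154-bcf8-11d1-8702-00c04fb96050": "Public-Information"}
TRUSTED = {"DA", "EA", "BA", "SY"}  # assumption: aliases of expected admins


def mask_of(rights):
    """Turn an SDDL rights field (hex mask or two-letter codes) into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= BITS.get(rights[i:i + 2], 0)
    return mask


def audit(sddl):
    """Return (trustee, verdict, detail) for allow ACEs held by non-admin trustees."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)  # DACL only, not the SACL
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, obj, _inherit, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or trustee in TRUSTED:
            continue
        mask = mask_of(rights)
        grabbed = [name for code, name in TAKEOVER.items() if mask & BITS[code]]
        if grabbed:  # trustee can rewrite the DACL or owner: equivalent to full control
            findings.append((trustee, "takeover", "+".join(grabbed)))
        elif mask & BITS["WP"]:  # property write, scoped by GUID or not at all
            target = KNOWN.get(obj.lower(), obj) or "all properties"
            findings.append((trustee, "scoped" if obj else "broad", target))
    return findings


# Constructed sample: an OU descriptor with two delegated groups (made-up SIDs).
# bf967aba-... is the schemaIDGUID of the user class (inherited object type).
SAMPLE = ("O:DAG:DAD:AI(A;;GA;;;DA)"
          "(OA;CIIO;RPWP;e48d0154-bcf8-11d1-8702-00c04fb96050;"
          "bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)"
          "(A;CI;RPWPWD;;;S-1-5-21-1-2-3-1106)")

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```
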