Minimum permissions to create mailboxes, multiple domains

S

Steele

I have a single forest with 2 domains, DomainA and DomainB. There is a
single Exchange 2003 server in DomainA, that is hosting mailboxes for users
in both domains - domaina.com and domainb.com. We have the following
requirements:

1) DomainA admins need full access to everything in DomainB
2) DomainB admins should have full access to everything in DomainB
3) DomainB admins should NOT have access to anything in DomainA, except
their Exchange mailboxes

I set these domains up as separate domain trees, domaina.local and
domainb.local. Everything seems to be working the way I would like it to,
except for 1 small thing: when DomainB admins create users within their
domain, they have the chance to create a mailbox as part of the process, and
choose the "Alias" and "Server:". However, they cannot finish, because the
"Mailbox Store:" dropdown box that is part of the wizard is empty. I'm sure
this is a security issue.

What is the minimum permissions I must grant to DomainB admins to allow them
to create a mailbox as part of the process of setting up a new user? If I am
able to give them this access, what else will they then have access to?
 
J

Jan Englund

Hi
Sounds like you forgot the delegate Exchange view only admin access to the
DomainBadmins?

--
Best Regards
Jan Englund
Capgemini Sweden
MCSA 2000/2003, MCSE NT4/2000/2003
MCSA 2000/2003:Messaging MCSE2000:Messaging
www.se.capgemini.com
 
S

Steele

Well, I didn't forget - but I didn't do it yet either. Is that what I need
to give them? If I do that, what else will the DomainB admins then be able
to do?
 
J

Jan Englund

Yes correct inorder to view the different stores they need to be delegated
Exchange view only admin.
It will give them the possibility of viewing exchange settings and also be
able to create mailboxes

See the following KB
http://support.microsoft.com/kb/316792
--
Best Regards
Jan Englund
Capgemini Sweden
MCSA 2000/2003, MCSE NT4/2000/2003
MCSA 2000/2003:Messaging MCSE2000/2003:Messaging
www.se.capgemini.com
 
C

Chriss3 [MVP]

Hello Steel,

The exactly permission tomailboxe enable users is the follow as well
Exchange View Only rights to be availbel to browse Storage Groups in the
creation wizard.

There is a grate documentation about Exchange Delegation, FYI:
http://www.microsoft.com/downloads/...57-5add-48b8-9657-b95ac5bfe0a2&DisplayLang=en

Read and Write Permission to the follow attributes,
· adminDisplayName

· autoReplyMessage (ILS Settings)

· displayName (Display Name)

· dLMemDefault

· homeMDB (Exchange Mailbox Store)

· homeMTA

· legacyExchangeDN

· mail (E-Mail Address)

· mailNickname (Alias)

· mAPIRecipient

· mDBUseDefaults

· msExchADCGlobalNames

· msExchControllingZone

· msExchFBURL

· msExchHideFromAddressLists

· msExchHomeServerName (Exchange Home Server)

· msExchMailboxGuid

· msExchMailboxSecurityDescriptor

· msExchPoliciesExcluded

· msExchPoliciesIncluded

· msExchResourceGUID

· msExchUserAccountControl

· proxyAddresses (Proxy Addresses)

· showInAddressBook

· targetAddress

· textEncodedORAddress




--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services



No email replies please - reply in the newsgroup
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Can active directory have 2 domains? 1
2 domains structure 6
Merge two active directory domains 4
Exchange 2K3 and AD Split 7
Trust between 2000 and 2003 domain 19
New root level or new forest domain, same gateway 5
Change domain names 4
Two domain accounts pointing to same profile folder 1

Top