Minimum permissions to create mailboxes, multiple domains

I have a single forest with 2 domains, DomainA and DomainB. There is a
single Exchange 2003 server in DomainA that is hosting mailboxes for users
in both domains, and we have the following requirements:

1) DomainA admins need full access to everything in DomainB
2) DomainB admins should have full access to everything in DomainB
3) DomainB admins should NOT have access to anything in DomainA, except
their Exchange mailboxes

I set these domains up as separate domain trees, domaina.local and
domainb.local. Everything seems to be working the way I would like it to,
except for 1 small thing: when DomainB admins create users within their
domain, they have the chance to create a mailbox as part of the process, and
choose the "Alias" and "Server:". However, they cannot finish, because the
"Mailbox Store:" dropdown box that is part of the wizard is empty. I'm sure
this is a security issue.

What are the minimum permissions I must grant to DomainB admins to allow them
to create a mailbox as part of the process of setting up a new user? If I am
able to give them this access, what else will they then have access to?

Jan Englund

Sounds like you forgot to delegate Exchange View Only Admin access to the

Best Regards
Jan Englund
Capgemini Sweden
MCSA 2000/2003, MCSE NT4/2000/2003
MCSA 2000/2003:Messaging MCSE2000:Messaging


Well, I didn't forget - but I didn't do it yet either. Is that what I need
to give them? If I do that, what else will the DomainB admins then be able
to do?

Jan Englund

Yes, correct. In order to view the different stores they need to be delegated
Exchange View Only Admin.
It will give them the possibility of viewing Exchange settings and also being
able to create mailboxes.

See the following KB
Best Regards
Jan Englund
Capgemini Sweden
MCSA 2000/2003, MCSE NT4/2000/2003
MCSA 2000/2003:Messaging MCSE2000/2003:Messaging

Chriss3 [MVP]

Hello Steel,

The exact permissions to mailbox-enable users are the following, as well as
Exchange View Only rights to be able to browse storage groups in the
creation wizard.

There is great documentation about Exchange delegation, FYI:

Read and write permission to the following attributes:
· adminDisplayName
· autoReplyMessage (ILS Settings)
· displayName (Display Name)
· dLMemDefault
· homeMDB (Exchange Mailbox Store)
· homeMTA
· legacyExchangeDN
· mail (E-Mail Address)
· mailNickname (Alias)
· mAPIRecipient
· mDBUseDefaults
· msExchADCGlobalNames
· msExchControllingZone
· msExchFBURL
· msExchHideFromAddressLists
· msExchHomeServerName (Exchange Home Server)
· msExchMailboxGuid
· msExchMailboxSecurityDescriptor
· msExchPoliciesExcluded
· msExchPoliciesIncluded
· msExchResourceGUID
· msExchUserAccountControl
· proxyAddresses (Proxy Addresses)
· showInAddressBook
· targetAddress
· textEncodedORAddress

Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
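An added example, not from any poster in this thread: a PowerShell audit that checks, for a delegated group, which of the attributes listed above it can write on a user OU, and flags a blanket "write all properties" grant as broader than the attribute-level delegation described. The OU, group name and the ActiveDirectory module are assumptions; inherited-object-type filtering on ACEs is deliberately not checked.

```powershell
Import-Module ActiveDirectory

# Placeholders for your environment (assumed, not from the thread).
$ou      = 'OU=Users,DC=domainb,DC=local'
$trustee = 'DOMAINB\Domain Admins'

# A subset of the attributes the post says need read/write to mailbox-enable a user.
$attrs = 'homeMDB','homeMTA','mailNickname','mail','proxyAddresses','displayName',
         'legacyExchangeDN','mDBUseDefaults','msExchHomeServerName','msExchMailboxGuid',
         'msExchMailboxSecurityDescriptor','msExchUserAccountControl','showInAddressBook',
         'targetAddress','textEncodedORAddress','msExchHideFromAddressLists'

# Object-specific ACEs identify an attribute by its schemaIDGUID, so resolve each name.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidByName = @{}
foreach ($a in $attrs) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)" -Properties schemaIDGUID
    if ($o) { $guidByName[$a] = [guid]$o.schemaIDGUID }
}

# Any of these rights lets the trustee change the property.
$rights    = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = $rights::WriteProperty -bor $rights::GenericWrite -bor $rights::GenericAll

$acl     = Get-Acl -Path "AD:\$ou"
$allowed = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $trustee -and
    (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
}

# An empty ObjectType GUID means the ACE covers every property (a blanket grant);
# otherwise it covers only the single attribute whose schemaIDGUID it names.
$blanket = $allowed | Where-Object { $_.ObjectType -eq [guid]::Empty }

foreach ($a in $attrs) {
    $specific = $allowed | Where-Object { $guidByName[$a] -and $_.ObjectType -eq $guidByName[$a] }
    if ($blanket)      { $state = 'WRITE (blanket grant, broader than the attribute list)' }
    elseif ($specific) { $state = 'WRITE (attribute-specific)' }
    else               { $state = 'MISSING' }
    '{0,-34} {1}' -f $a, $state
}
```

Run it against the OU where DomainB admins create users; every attribute should report an attribute-specific write and none should report MISSING or a blanket grant.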
