Delegate Create & Delete Contact and Manage a Group
I am attempting to delegate control of an OU so that two users can create and delete contacts. I also want these two users to be able to manage a group's membership within the same OU. The group has already been created, so the users only have to be able to add and remove members of that group. The catch is that this is all that I want them to be able to do. The second part of creating the contacts is that they need to be email enabled so emails can be sent to these contacts. I have been able to allow the users to create contacts, but I am having trouble getting the permissions set for the email part. We have Windows 2003 with AD and MS Exchange 2003. If someone could provide the exact Exchange permissions that I need, I would greatly appreciate it. The online information that I have been able to find is not that detailed on setting permissions for Exchange and only being able to set up emails for a contact.
March 6th, 2008 10:34pm
Delegating control of Contacts to non-admin users

Delegate the Exchange permissions
1. Create a security group that will contain the users that you want to delegate as Contact administrators (e.g. Grp_Contact_Admins).
2. On the Exchange Server, open the Exchange System Manager and expand Administrative Groups.
3. Right-click on the Administrative group to be delegated and select Delegate control. (Alternately, the control can be delegated from the Organization Level and would apply to all administrative groups in the organization.)
4. Add the required group created above with the Exchange View Only Administrator role.

Delegate the Active Directory permissions
1. On an Exchange server, or a management workstation that has Exchange admin tools installed, open Active Directory Users and Computers.
2. As a best practice you should create a separate OU that will contain the contacts to be managed. Then right-click on the OU to be managed and select Delegate Control to start the wizard.
3. Users or Groups: Add the security group you wish to delegate and click Next.
4. Tasks to Delegate: Select Create a custom task to delegate and click Next.
5. Active Directory Object Type: Select Only the following objects in the folder. Select the objects Address type objects, Contact objects and Group objects. Also select the bottom two options, Create selected objects in this folder and Delete selected objects in this folder, and click Next.
6. Permissions: Select Full Control and click Next.
7. Click Finish.

Workstation Requirements
The workstation to be used for contact administration requires the following additional software to be installed:
Windows Server 2003 Administration Tools Pack (adminpak) http://support.microsoft.com/kb/304718
Exchange System Management Tools http://support.microsoft.com/kb/834121

Required Exchange Server Fixes
Exchange SP1 introduced more security that by default prevents non-admin users from remotely managing Exchange information. Refer to the MS knowledge base 905809 for the fix.
http://support.microsoft.com/?id=905809
May 10th, 2008 12:40am
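For comparison with the wizard steps above, the delegation the original question asks for (create and delete contacts, plus membership of one existing group, and nothing else) can be written as explicit dsacls grants. This is an added example, not part of any post in this thread; the OU path, domain name and group names are placeholders, and it assumes dsacls (shipped in the Windows Server 2003 Support Tools) is available on the management workstation.

```batch
@echo off
rem Added example, not code from the thread. Every name below is a placeholder (assumption).
setlocal
set "OU=OU=Contacts,DC=example,DC=com"
set "GRP=EXAMPLE\Grp_Contact_Admins"
set "MANAGED_GROUP=CN=Managed-Group,%OU%"

rem 1. Create Child / Delete Child limited to the "contact" class,
rem    applied to the OU and everything below it (/I:T).
dsacls "%OU%" /I:T /G "%GRP%:CCDC;contact"

rem 2. Full control over contact objects only, inherited to child objects (/I:S).
rem    This covers the mail attributes written when a contact is mail-enabled,
rem    without granting anything on users, groups or the OU itself.
dsacls "%OU%" /I:S /G "%GRP%:GA;;contact"

rem 3. Read/write the "member" attribute on the one existing group,
rem    so members can be added and removed but the group cannot be
rem    renamed, deleted or have its scope changed.
dsacls "%MANAGED_GROUP%" /G "%GRP%:RPWP;member"

rem 4. Review: list the ACEs that now name the delegated group.
dsacls "%OU%" | findstr /I /L /C:"%GRP%"
dsacls "%MANAGED_GROUP%" | findstr /I /L /C:"%GRP%"
endlocal
```

Step 4 is the audit check: every line it prints should mention only contact objects on the OU and only the member attribute on the group.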
I've tried this and I am able to create a new contact within Active Directory, but when attempting to create a New Mail Contact in the Exchange Console I receive the following error message: Access to the address list service on all Exchange 2007 servers has been denied. Are further permissions required to update the list service, and if so, what does this allow those users you wish to delegate this permission to access/do or break?
Thanks
PLeathen
December 9th, 2008 1:09am
My experience has been with Exchange Server 2003 and not 2007. It sounds to me as though it is the same issue that was outlined in the tech note I referenced in my first post: http://support.microsoft.com/?id=905809
By default now, Exchange Server does not allow access to the service control manager (SCM) by non-administrators. You need to specifically grant permissions for non-admins. The above technote applies only to Exchange 2003, but there must be a similar procedure for Exchange 2007. Perhaps the easiest way is to add your contact admin group to the local admin group on the Exchange server.
December 9th, 2008 6:01am