Need to support users over the internet? click here try our remote control online beta
Remote Support Software
Provide instant remote support to customers and employees:
Click here for a free trial
Provide instant remote support to customers and employees:
Click here for a free trial
Delegate Create & Delete Contact and Manage a Group
I am attempting to delegate control of a OU so that two users can create and delete contacts. I also want these two users to be able to manage a groups membership within the same OU. The group has already been created so the users only have to be able to add and remove members of that group. The catch is that this is all that I want them to be able to do. The second part of creating the contacts is that they need to be email enabled so emails can be sent to these contacts. I have been able to allow the users to create contacts but I am having trouble getting the permissions set for the email part. We have Windows 2003 with AD and MS Exchange 2003. If someone could provide the exact Exchange permissions that I need I would greatly appreciate it. The online information that I have been able to find is not that detailed on setting permissions for Exchange and only being able to setup emails for a contact.
Need to support users over the internet? click here try our remote control online beta
Need to support users over the internet? click here try our remote control online beta
March 6th, 2008 7:34pm
Delegating control of Contacts to non-admin users
Delegate the Exchange permissions
Create a security group that will contain the users that you want to delegate as Contact administrators. (eg. Grp_Contact_Admins)
On the Exchange Server, open the Exchange System Manager and expand Administrative Groups
Right-click on the Administrative group to be delegated and select Delegate control (Alternately, the control can be delegated from the Organization Level and would apply to all administrative groups in the organization.)
Add the required group created above with the Exchange View Only Administrator role.
Delegate the Active Directory permissions
On an exchange server, or a management workstation that has exchange admin tools installed, open Active Directory Users and Computers
As a best practice you should create a separate OU that will contain the contacts to be managed. Then right-click on the OU to be managed and select Delegate Control to start the wizard.
Users or Groups Add the security group you wish to delegate and click Next
Tasks to DelegateSelect Create a custom task to delegate and click Next
Active Directory Object Type Select Only the following objects in the folder. Select the objects Address type objects, Contact objects and Group objects. Also select the bottom two options to Create selected objects in this folder and Delete selected objects in this folder. and click Next.
Permissions select Full Control and click Next.
Click Finish
Workstation Requirements
The workstation to be used for contact administration requires the following additional software to be installed
Windows Server 2003 Administration Tools Pack (adminpak)
http://support.microsoft.com/kb/304718
Exchange System Management Tools
http://support.microsoft.com/kb/834121
Required Exchange Server Fixes
Exchange SP1 introduced more security that be default prevents non-admin users from remotely managing Exchange information. Refer to the MS knowledge base 905809 for the fix.
http://support.microsoft.com/?id=905809
Need to support users over the internet? click here try our remote control online beta
Delegate the Exchange permissions
Create a security group that will contain the users that you want to delegate as Contact administrators. (eg. Grp_Contact_Admins)
On the Exchange Server, open the Exchange System Manager and expand Administrative Groups
Right-click on the Administrative group to be delegated and select Delegate control (Alternately, the control can be delegated from the Organization Level and would apply to all administrative groups in the organization.)
Add the required group created above with the Exchange View Only Administrator role.
Delegate the Active Directory permissions
On an exchange server, or a management workstation that has exchange admin tools installed, open Active Directory Users and Computers
As a best practice you should create a separate OU that will contain the contacts to be managed. Then right-click on the OU to be managed and select Delegate Control to start the wizard.
Users or Groups Add the security group you wish to delegate and click Next
Tasks to DelegateSelect Create a custom task to delegate and click Next
Active Directory Object Type Select Only the following objects in the folder. Select the objects Address type objects, Contact objects and Group objects. Also select the bottom two options to Create selected objects in this folder and Delete selected objects in this folder. and click Next.
Permissions select Full Control and click Next.
Click Finish
Workstation Requirements
The workstation to be used for contact administration requires the following additional software to be installed
Windows Server 2003 Administration Tools Pack (adminpak)
http://support.microsoft.com/kb/304718
Exchange System Management Tools
http://support.microsoft.com/kb/834121
Required Exchange Server Fixes
Exchange SP1 introduced more security that be default prevents non-admin users from remotely managing Exchange information. Refer to the MS knowledge base 905809 for the fix.
http://support.microsoft.com/?id=905809
Need to support users over the internet? click here try our remote control online beta
May 9th, 2008 9:40pm
I've tried this and I am able to create a new contact within Active Directory but when attempting to create a New Mail Contact in the Exchange Console I receive the following error message;
Access to the address list service on all Exchange 2007 servers has been denied.
Are further permissions required to update the list service and if so what does this allow those users you wish to delegate this permission too access/do or brake?
Thanks
PLeathen
Need to support users over the internet? click here try our remote control online beta
Access to the address list service on all Exchange 2007 servers has been denied.
Are further permissions required to update the list service and if so what does this allow those users you wish to delegate this permission too access/do or brake?
Thanks
PLeathen
Need to support users over the internet? click here try our remote control online beta
December 8th, 2008 10:09pm
My experience has been with Exchange server 2003 and not 2007. It sounds to me as though it is the same issue that was outlined in the tech note I referenced in my first post...
http://support.microsoft.com/?id=905809By
default now, exchange server does not allow access to the service control manager (SCM) by non-administrators. You need to specifically grant permissions for non-admins. Teh above technote applies only to exchange 2003, but there must be a similar procedure for Exchange 2007. Perhaps the easiest way is to add your contact admin group to the local admin group on the exchange server.
There is an amazing pack of free network admin tools. click here to download it
http://support.microsoft.com/?id=905809By
default now, exchange server does not allow access to the service control manager (SCM) by non-administrators. You need to specifically grant permissions for non-admins. Teh above technote applies only to exchange 2003, but there must be a similar procedure for Exchange 2007. Perhaps the easiest way is to add your contact admin group to the local admin group on the exchange server.
There is an amazing pack of free network admin tools. click here to download it
December 9th, 2008 3:01am
This topic is archived. No further replies will be accepted.
Other recent topics
