Delegate permissions to helpdesk administrators to change recipient's activesync policy
Hi There, From what I understand only Exchange Organization Administrators have permissions to change ActiveSync policies. Which is fine at a global level but for some reason my helpdesk administrators (who are Recipient Administrators) cannot change the ActiveSync policy for recipients from A to B. They always get the error "access to address list service on <server> was denied". I checked the server and ensured the System Attendant is started. I even restarted to check and still the error persists. Any help would be greatly appreciated. Thank you in advance.
July 19th, 2011 5:06am
Check this: http://technet.microsoft.com/en-us/library/aa996881(EXCHG.80).aspx Exchange Recipient Administrators Exchange Organization Administrators Exchange View-Only Administrators Full control of Exchange properties on Active Directory user object
July 19th, 2011 5:19am
Yes I am aware of the MS Article. None of which answer my question.
July 19th, 2011 5:24am
Hi, If you want your helpdesk (user or group) to change the ActiveSync policy for the ActiveSync devices, you should assign the custom Management Role to the user or the Role Group. You need to do it through an RBAC role group. http://www.exchangedictionary.com/index.php/Articles/role-based-access-control-exchange-2010.html Anil MCC 2011, ITIL V3, MCSA 2003, MCTS 2010, My Blog: http://messagingschool.wordpress.com
July 19th, 2011 7:42am
Hi ELoh, If you are running Exchange 2007 and want to change the ActiveSync policy for users (or run the cmdlet Set-CasMailbox -ActiveSyncMailboxPolicy), the Exchange Recipient Administrator role also has the permission. Set-CASMailbox http://technet.microsoft.com/en-us/library/bb125264(EXCHG.80).aspx Please try to change the policy using EMS. And if the error still appears, please post the message here. Frank Wang
July 20th, 2011 4:25am
Hi Anil, Thanks for the information. Unfortunately we are using Exchange 2007.
July 20th, 2011 4:28am
Hi Frank, As per my initial note, delegated users have Recipient Administrator permissions. PowerShell is not currently an option as our helpdesk would not know how to use it correctly. NOTE: I have identified that this issue only occurs for some users and not others even though their AD security permissions are identical.
July 20th, 2011 4:30am
Hi Eloh, Do you mean helpdesk administrators can only modify some users' ActiveSync policy, not all users? Please check whether there is any related error event in the Event Viewer. Please run the ExBPA to do a Permission Check. You can also try to run setup /PrepareAD again. Frank Wang
July 21st, 2011 2:36am
In ADUC go to the root or OU, properties, security tab, click advanced tab, highlight the group, edit, properties tab, make sure the group has read and write for msexchmobilemailboxpolicylink. James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 21st, 2011 12:00pm
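An added example, not part of any post in this thread: a PowerShell check of what the reply above describes, listing for each mailbox user whether a delegated group holds an allow ACE granting write on msExchMobileMailboxPolicyLink and whether the object blocks inherited permissions. The group name and OU path are placeholders, PowerShell 2.0 or later is assumed, and only ACEs naming the group directly are matched (nested groups, property sets and deny ACEs are not evaluated).

```powershell
# Added example. $Group and $SearchRoot are placeholders, not values from the thread.
$Group      = 'EXAMPLE\Helpdesk-Recipient-Admins'   # hypothetical delegated group
$SearchRoot = 'LDAP://OU=Staff,DC=example,DC=com'   # hypothetical OU holding the mailbox users
$Attribute  = 'msExchMobileMailboxPolicyLink'       # attribute named in the reply above

# Property-specific ACEs identify the attribute by its schemaIDGUID, so resolve it first.
$schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext
$schema   = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNC")
$schema.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))"
$hit = $schema.FindOne()
if (-not $hit) { throw "Attribute $Attribute not found in the schema" }
$attrGuid = New-Object Guid (,[byte[]]$hit.Properties['schemaidguid'][0])

$write       = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Enumerate mailbox-enabled users under the search root.
$users = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
$users.Filter   = '(&(objectCategory=person)(objectClass=user)(msExchMailboxGuid=*))'
$users.PageSize = 500

$report = foreach ($r in $users.FindAll()) {
    $sd = $r.GetDirectoryEntry().ObjectSecurity
    # Explicit and inherited ACEs, with trustees translated to DOMAIN\name.
    $aces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.ActiveDirectoryRights -band $write) -and
            -not ([int]$_.PropagationFlags -band $inheritOnly) -and
            # Empty GUID = write on all properties; otherwise it must name this attribute.
            ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [Guid]::Empty)
        })
    New-Object PSObject -Property @{
        User               = $r.Properties['samaccountname'][0]
        HasWriteAce        = ($aces.Count -gt 0)
        # True when the object does not inherit ACEs from its parent OU.
        InheritanceBlocked = $sd.AreAccessRulesProtected
    }
}

# Users without a matching ACE sort to the top.
$report | Select-Object User, HasWriteAce, InheritanceBlocked |
    Sort-Object HasWriteAce, User | Format-Table -AutoSize
```

The script only reads security descriptors; comparing the rows of a user that works with one that fails shows whether the two really carry the same ACE for the group.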
Thanks James, I will need to double check each line in the advanced tab. Is the Recipient Administrators group by default meant to have read / write access for msexchmobilemailboxpolicylink?
July 22nd, 2011 4:13am
I don't see it having that when I check, there's lots of things that recipient admins can't do by default such as hiding user from GAL. James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 23rd, 2011 11:13am
Sorry but none of these are actual answers. They may be workarounds but don't resolve the problem.
July 29th, 2011 4:04am
Unless you can tell me why I need to PrepareAD, there is no justification for doing so. The ExBPA permission check returns 100% without errors.
July 29th, 2011 4:05am