Exchange 2007: Delegate rights to create Mailbox/User
Hi NG!
According to MS TechNet, the following rights are needed to create mailboxes and user accounts in AD when delegating rights:
If you are responsible for both user and mailbox management, you must have permissions to create and manage recipient objects in Active Directory. For example, you could be a Domain Admin or Account Operator, or you might have delegated access to a specific organizational unit. Be aware that members of child-domain privileged accounts must also have the Exchange View-Only Administrator role to manage the mail-related properties from the Exchange Management Console and Exchange Management Shell.
I've created test accounts in our test lab which have rights to create users and have view rights in Exchange (Exchange View-Only Administrator).
When I now try to create a new mailbox and user account in AD I get the following error from Exchange Management Console:
Access to the address list service on all Exchange 2007 servers has been denied.
Any idea how to solve that or to give rights to the address list service?!?
Thanks!!!
May 31st, 2007 5:01pm
I've found that I have to give Exchange Recipient Administrator rights and Account Operator rights in AD in order to delegate this control. Maybe I'm giving up a little too much, but it's working well.
May 31st, 2007 7:42pm
knightly wrote:
I've found that I have to give Exchange Recipient Administrator rights and Account Operator rights in AD in order to delegate this control. Maybe I'm giving up a little too much, but it's working well.
This is the easiest way to do it; however, if you wanted to be more restrictive you could delegate privileges to a specific OU (so they could not manage other accounts).
Erik
June 1st, 2007 3:03am
That's what I wanted to avoid, because account/user management is done by our central Helpdesk and they should only have the permission to create an account and the dedicated mailbox!
Any other ideas???!?!???
June 4th, 2007 3:52pm
To do any recipient management in the Exchange 2007 console you must at least be a member of the Exchange Recipient Administrator role. This, however, will give modify permission to all Exchange properties on all recipient objects. The workaround is to use ADUC with the modify permissions set on the container and not grant the Exchange Recipient Administrator role. (There could be another workaround to use EMC, but I'm not sure. It has to be something minor like a read permission somewhere.)
In order to create/delete recipients you will need those additional permissions in the AD container.
September 17th, 2008 5:18pm
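Putting the thread's findings together as a script (an added example, not posted by anyone in the thread): grant the Exchange Recipient Administrator role, which is the minimum the EMC/EMS needs to create a mailbox, and replace the domain-wide Account Operator membership with create/delete/modify rights on one OU. The domain CONTOSO, the group Helpdesk and the OU distinguished name are placeholders; run it in the Exchange 2007 Management Shell as an Exchange Organization Administrator.

```powershell
# Added example, not from the thread. Placeholder names below must be
# replaced with the real group and OU.
$Group = 'CONTOSO\Helpdesk'
$OU    = 'OU=Helpdesk Users,DC=contoso,DC=com'

# 1. Exchange side: Recipient Administrator is the least role that lets the
#    console/shell create mailboxes (View-Only alone produces the
#    "address list service ... denied" error seen in the thread).
#    Caveat from the thread: this role is organization-wide, so it is the
#    AD ACL below, not Exchange, that limits which accounts they can touch.
Add-ExchangeAdministrator -Identity $Group -Role RecipientAdmin

# 2. AD side, instead of Account Operator: allow creating and deleting
#    user objects only beneath this OU (CC = create child, DC = delete child,
#    restricted to the object type "user"; /I:T = this OU and sub-OUs) ...
dsacls $OU /I:T /G "$($Group):CCDC;user;"

#    ... and full control over user objects that live beneath it, so the
#    helpdesk can set attributes on the accounts it creates (/I:S = inherited
#    by sub-objects only, so the OU itself is not writable).
dsacls $OU /I:S /G "$($Group):GA;;user"

# 3. Verify what was actually granted before handing the account over.
Get-ExchangeAdministrator | Where-Object { $_.Identity -like '*Helpdesk*' }
dsacls $OU
```

The Exchange role still applies to every recipient in the organization, as the post above points out; the OU ACL only narrows what the helpdesk can create or modify on the Active Directory side.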
Hi,
I am also facing the same issue. I have also verified the following things:
My Exchange Server is a member of Exchange Servers.
The Microsoft Exchange System Attendant service is running.
Could anyone put some more focus on the additional permissions required to create/delete recipients?
Thanks in Advance.
May 18th, 2009 12:11pm
Hello,
Right now I am solving a similar problem with permissions for a regional admin. I need to give him permission to create and delete users and mailboxes for the regional DB. I set it via ADSIEDIT.MSC but .... I gave full permissions on the Storage Group for their region, but
when I want to create a mailbox I get the error "Access to the address list service on all Exchange 2007 servers has been denied." Have you resolved your problem with permissions?
Thanks for the answer
mArwin
October 20th, 2010 10:08am