Exchange 2007 give admin rights at the database (or other more granular) level
Hello, I am working in an environment where several divisions are sharing a central Exchange 2007 server. The IT administrators for these divisions need to be able to administer mailboxes for the people in their division only, but none of the others. What I need to be able to do is assign permissions such that any mailboxes created in that particular database can be managed by that division's IT staff. What permissions do I need to set in AD and on the Exchange 2007 server to facilitate this?

I have done the following:
- given each division their own database in Exchange
- given each division their own OU in Active Directory
- assigned Exchange View Only Administrator rights to the divisional IT staff

I would like them to be able to perform the following tasks on their users' mailboxes:
- change mailbox permissions
- modify aliases and email address properties
- set forwarding options
- edit user information
- modify custom attributes
- change group membership

I would prefer (but do not require) that they are not able to:
- create, delete, or move mailboxes
- override message size restrictions
- override message delivery restrictions
- enable/disable mailbox features (such as ActiveSync, POP/IMAP)
- modify storage quota settings or records management
September 8th, 2009 10:48pm

This *is* possible if you get VERY granular with the Active Directory permissions. However, I urge you to think this through carefully before you do it. You are going to end up with a lot of custom permissions. As you start removing and adding individual permissions you may get yourself into an unsupported configuration. You are probably a LOT better off simply managing the users by OU rather than worrying about which database a user is located on. Create an OU administrator group that has the required permissions based on OU membership. The permissions available to modify all of the e-mail attributes of a user account are actually Active Directory permissions. They have nothing to do with Exchange permissions.

I thought this through just a bit and almost did not post this part of it. I'm not sure I know of an easy way to group people together based on the mailbox database they are on. You could kludge it with an EMS script that checks to see what database a user's mailbox is on and then automatically adds that user to a security group (plus, somehow removes the user from any other security groups that define a particular mailbox database the mailbox might have previously been located on). So, for example, you could have an AD security group called Marketing_E-Mail_Users. You run an EMS script that enumerates all of the mailboxes on the MarketingMailboxes database and then adds the users to the Marketing_E-Mail_Users group. In Active Directory, you would need a group called something like Marketing_E-Mail_Managers. Then, you would need to run an EMS script that looked at the members of the Marketing_E-Mail_Users group and assigned the Marketing_E-Mail_Managers group specific Active Directory rights to those users. See what I mean? My brain hurts from thinking it through. And that is not even the actual logic of the scripts that would be necessary.

Again, I think you are better off to manage this by OU-level permissions and just make sure that the mailboxes are placed on the right databases.

Jim McBee - Blog - http://mostlyexchange.blogspot.com
September 8th, 2009 11:12pm
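The "kludge" described in the reply above, written out as an added example for the Exchange Management Shell (this is not Jim's script or Microsoft's code). It assumes the database, group and attribute names shown as placeholders, and that the account running it can modify group membership and user ACLs in AD:

```powershell
# Added example: sync an AD security group to the set of mailboxes on one
# Exchange 2007 database, then grant a managers group write access to a short
# list of e-mail attributes on those users. Run from the Exchange Management
# Shell. All names below are placeholders for your environment.
$Database   = "MarketingMailboxes"                                     # assumed
$UsersGroup = "CN=Marketing_E-Mail_Users,OU=Groups,DC=contoso,DC=com"  # assumed
$Managers   = "CONTOSO\Marketing_E-Mail_Managers"                      # assumed
$Attributes = "proxyAddresses","mail","msExchHideFromAddressLists"     # assumed set

# 1. Who is currently on the database? Key by DN for cheap comparisons.
$onDatabase = @{}
Get-Mailbox -Database $Database -ResultSize Unlimited |
    ForEach-Object { $onDatabase[$_.DistinguishedName] = $true }

# 2. Reconcile group membership via ADSI (no AD PowerShell module needed
#    on a 2003 domain). Add users now on the database, remove users who left.
$group   = [ADSI]"LDAP://$UsersGroup"
$members = @{}
foreach ($dn in @($group.member)) { $members[$dn] = $true }

foreach ($dn in $onDatabase.Keys) {
    if (-not $members.ContainsKey($dn)) {
        $group.Add("LDAP://$dn")          # mailbox moved onto this database
        Write-Host "Added   $dn"
    }
}
foreach ($dn in $members.Keys) {
    if (-not $onDatabase.ContainsKey($dn)) {
        $group.Remove("LDAP://$dn")       # mailbox moved off, or was deleted
        Write-Host "Removed $dn"
    }
}

# 3. Grant the managers group WriteProperty on only the listed attributes of
#    each mailbox user object. Re-applying an identical ACE is harmless.
foreach ($dn in $onDatabase.Keys) {
    Add-ADPermission -Identity $dn -User $Managers `
        -AccessRights WriteProperty -Properties $Attributes | Out-Null
}
```

Step 3 only adds ACEs; a user whose mailbox moves to another database keeps the old managers' rights until you remove them (Remove-ADPermission with the same parameters), which is exactly the per-user ACL sprawl the reply warns about and why OU-level delegation is the simpler design.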

OK, that is fine. We have set certain OU-level administrative permissions for the IT personnel, so it sounds like we are partially there. We are currently in a 2003 Active Directory domain. Is it then safe to have these admins make mailbox-related changes from 2003 ADUC, or will they have to use the Exchange Management Console? Also, is there a reference somewhere of all the Exchange attributes available in Active Directory and what features they actually pertain to, so we can customize the OU policy to best reflect our needs?

Thanks,
Christiaan
September 8th, 2009 11:22pm

Hi Christiaan, I recommend that they make all of the changes via the Exchange Management Console rather than ADUC. "Some" things may work using the ADUC extensions, but I'm sure Microsoft would discourage their use in an E2K7 environment.

One thing you could do to make things a bit simpler is to enable an OU filter in the Exchange Management Console (EMC). While you have the "Recipient Configuration" container highlighted, click the Modify Recipient Scope link in the Actions pane. From here, you can set the "starting" OU for the listing. When the user updates their recipient scope, the EMC will remember this the next time the user opens up the EMC. So, you could help the Marketing department admin view ONLY the Marketing department mailboxes. That may make things a bit easier for them.

Jim

Jim McBee - Blog - http://mostlyexchange.blogspot.com
September 9th, 2009 12:49am
