Required permissions for creating a new mailbox in Exchange 2007
We'd like to delegate the ability for a couple of users to create new mailboxes for users in AD on our Exchange 2007 mailbox server. Right now we've got the users in the Exchange Organization Administrators group, but they receive an "insufficient rights" error while trying to create the mailboxes. Naturally, the operation succeeds for users in the Domain Admins group. KB316792 sounded somewhat promising with a link to the "Working with Active Directory Permissions in Exchange Server 2003" white paper, but the download link just gets me to an Exchange 2003 Release Notes paper. Any ideas on the type of rights these users need, and whether the rights are given on the DCs or elsewhere in AD? Thanks! Jason
November 28th, 2007 8:55pm

The Exchange Recipient Administrator role is required to mail-enable an existing user account. To create a new account and mail-enable it, you'll have to have rights to create AD accounts in whichever OUs are delegated, along with the Exchange Recipient Administrator role.
November 28th, 2007 9:28pm

Thank you for the reply, Knightly. We do have the Exchange Organization Administrators as a member of the Exchange Recipient Administrators group, so that's covered. The mailboxes attempting to be created are for (and will always be for) existing user objects; no new user objects will be created, just mailboxes for existing users. The OU where the user objects exist has been delegated rights for these administrators to modify user object properties... but as I type that, maybe there's a user object right that hasn't been delegated to the admins, since this Exchange install is new and didn't exist when we did the delegation. I'll check into that...
November 28th, 2007 9:45pm

I am not sure if I understand your response regarding group membership. Is the person trying to create the mailbox a member of the Recipient Administrators group? If so, did you prepare your domain correctly when you set up Exchange by using setup /PrepareDomain in the domain where the user accounts reside?
November 28th, 2007 10:38pm

Thanks Peter. Yes, by group membership nesting, the admins in question are members of the Recipient Administrators group. We did have Exchange 2000/03 in our environment, so we did do the four domain preps before installing Exchange 2007:

setup /PrepareLegacyExchangePermissions
setup /PrepareSchema
setup /PrepareAD
setup /PrepareDomain

Jason
November 29th, 2007 12:22am

Do you have a multi-domain environment? If so, you need to run setup /PrepareDomain in the root and child domains. Very interested in this as I have a similar issue logged. I did not set up our environment, but the guy who did swears everything was run OK. I am trying to establish if there are any issues with running /PrepareDomain again, as it is this that permissions the domain for the new Recipient Administrators group in 2007. Setup /DomainPrep in 2003 seems to do nearly everything else required, so it may mask things if /PrepareDomain has not run correctly.
November 29th, 2007 12:52am

We have a very simple architecture: single forest, domain, and site. We did not have any issues during the Exchange setup /PrepareDomain. We did have an existing Exchange 2000 and then 2003 environment before moving to E2K7, and we haven't fully cleaned up AD after the removal of the E2K/2K3 machines, but I don't believe that is an issue here. Thanks for the questions and suggestions. Jason
November 29th, 2007 1:02am

Out of interest, the way to check whether /PrepareDomain has previously been run is to start ADSI Edit, ensure you are in the domain of interest, navigate to Microsoft Exchange System Objects, right-click, Properties, and find the objectVersion attribute. It should have a value of 10628.
November 29th, 2007 2:52am

Thanks Peter. We do indeed have a version number of 10628 for the objectVersion value under Microsoft Exchange System Objects. This is a good tidbit to know. I've been doing some exploring and testing and still haven't resolved the issue as of yet. It doesn't seem that my query here would be all that unique. What do others do? Do most organizations have the domain admins serving as the Exchange admins too? Or does it work in most environments to simply add the users to the Exchange Recipient Administrators group, and then those folks can create mailboxes for existing user objects? I assume there are some OU delegation rights that need to be involved too? This must be documented somewhere. (I suspect some formal Exchange training would do me some good!) Jason
November 29th, 2007 8:01pm

I resolved my issue. It was a mesh of Exchange delegation, OU rights and local group membership on our mailbox server. In order for a user to be a "mailbox administrator" (herein called "MA") I had to do the following:

1. Grant appropriate rights for the MA user account on the OU where the user accounts reside so that the MA user account can read/write all user attributes.
2. Use the Exchange Management Console to delegate the "Exchange Server Administrator" role to the MA user account for the mailbox server. This procedure is documented in this TechNet article: http://technet.microsoft.com/en-us/library/bb331957.aspx
3. Add the MA user account to the local Administrators group on the mailbox server cluster.

What really bit us is that we have a very distributed OU administrator model, and the rights for the MA user account to read/write user attributes on the OU where the user accounts reside weren't delegated appropriately. Hope this helps someone. Jason (formerly kc5fxl)
November 30th, 2007 3:09am
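Putting the checks from this thread together (Peter's objectVersion test and the three items in Jason's resolution), here is an added PowerShell script for the Exchange 2007 Management Shell; it is not from the thread or from Microsoft. The domain, account, OU and server names are hypothetical placeholders, and it assumes the well-known schemaIDGUID of the AD user class for the ACL filter.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell as an
# Exchange organization admin. All names below are hypothetical placeholders.
$domainDn  = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$maAccount = "CONTOSO\jdoe"          # the would-be mailbox administrator (MA)
$userOuDn  = "OU=Staff,$domainDn"    # OU that holds the existing user objects
$mbxServer = "EXMBX01"               # mailbox server (or cluster) name
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the 'user' class (assumed)

# 1. Has setup /PrepareDomain run in this domain? The thread gives 10628 as the expected value.
$meso   = [ADSI]"LDAP://CN=Microsoft Exchange System Objects,$domainDn"
$objVer = [int]$meso.objectVersion.Value
if ($objVer -eq 10628) { "[OK] objectVersion = $objVer (PrepareDomain has run)" }
else { "[!!] objectVersion = $objVer, expected 10628; check setup /PrepareDomain" }

# 2. Which Exchange roles does the MA hold, and at what scope? The resolution used
#    the Exchange Server Administrator role scoped to the mailbox server.
"--- Exchange role assignments for $maAccount ---"
Get-ExchangeAdministrator -Identity $maAccount | Format-Table Role, Scope -AutoSize

# 3. Is the MA a direct member of the local Administrators group on the mailbox server?
$grp     = [ADSI]"WinNT://$mbxServer/Administrators,group"
$members = @($grp.psbase.Invoke("Members")) | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) }
$sam = $maAccount.Split("\")[1]
if ($members -contains $sam) { "[OK] $sam is a local Administrator on $mbxServer" }
else { "[!!] $sam is NOT a direct local Administrator on $mbxServer (nested membership is not shown)" }

# 4. Which ACEs on the user OU apply to the MA and inherit to user objects?
#    Look for WriteProperty/GenericWrite (or GenericAll) rules; a Read-only rule reproduces
#    the "insufficient rights" error the thread describes.
$ou = [ADSI]"LDAP://$userOuDn"
$ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $maAccount -and
                   ($_.InheritedObjectType -eq [Guid]::Empty -or $_.InheritedObjectType -eq $userClassGuid) } |
    Format-Table ActiveDirectoryRights, AccessControlType, InheritanceType, InheritedObjectType -AutoSize
```

Step 3 lists direct members only; if the MA is granted local admin through a nested domain group, check that group separately.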
