Restricting Delegate Admin Access to Databases in Exchange 2007
After an exhausting past couple of days of searching, I have been really unable to find an answer to my problem. We have an Exchange 2007 environment and we are looking to start delegating mailbox administration to our sites. We have no problem doing that by adding them as Recipient Administrators, but what we would like to do is restrict where they can create mailboxes. We have 2 mailbox servers with about 10 databases on each, each on their own disks. We would like to allow admins to create any new mailboxes on server SERVER1 only in DATABASE1-1 and nowhere else. From there, our team will decide where mailboxes are to be moved. Right now we have about 6500 mailboxes scattered over a number of databases with, unfortunately, no logical organization. I tried testing some permissions with ADSI Edit, but without the admins being a local admin on the mailbox server, I constantly ran into insufficient permission errors. We are hoping to adopt this model to prevent Recipient Administrators from creating mailboxes on random databases and accidentally filling up the disk. If possible, it would be a bonus if they only saw the 1 database displayed when creating the mailbox. Thanks for taking the time to read this!
Jason
July 20th, 2011 11:22am

Answer in previous thread below. Example:

New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -Like "Database01" -or Name -Like "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -SecurityGroup "Explorers" -CustomConfigWriteScope "Databases_ManagmentScope"

(The filter needs one comparison per database joined with -or; a single -Like against "Database01,Database02" matches neither name.)

RBAC - How to restrict User to create users in specific DB? http://social.technet.microsoft.com/Forums/en/exchangesvradmin/thread/e11036d9-9749-466e-8626-bc47307c8fc9
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 20th, 2011 11:30am

Oops, you're on 2007. There is no friendly way to accomplish this with 2007; it'll go along the lines of denying the delegated user\group rights at the DB or storage group level using ADSI Edit. I would start with denying Read and View Information Store Status.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 20th, 2011 11:36am
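The deny-at-the-database-level approach above, scripted in the Exchange 2007 Management Shell so that it is repeatable and auditable rather than clicked through in ADSI Edit. This is an added example, not code from the thread or from Microsoft. It assumes a dedicated security group for the delegated site admins (CONTOSO\Site-Recipient-Admins is a placeholder), that the allowed database is SERVER1\SG1\DATABASE1-1 (SG1 is a placeholder storage group name, since the thread never names one), and that the extended right ms-Exch-Store-Visible is the one ADSI Edit displays as "View information store status" (an assumption to confirm against your own schema before rolling out).

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell
# as an Exchange Organization Administrator.
#
# Goal: the delegated group keeps its Recipient Administrator rights, but every
# mailbox database except the one allowed one gets a Deny ACE for the group, so the
# New Mailbox wizard cannot enumerate or target those databases.

$DelegatedGroup  = "CONTOSO\Site-Recipient-Admins"    # placeholder: dedicated AD group
$AllowedDatabase = "SERVER1\SG1\DATABASE1-1"          # placeholder storage group name
$DryRun          = $true                              # set to $false to write the ACEs

# Resolve the allowed database once so we compare on DistinguishedName, not on a
# display name that could collide across servers.
$allowed = Get-MailboxDatabase -Identity $AllowedDatabase -ErrorAction Stop

# Every other database in the organization is a target for the Deny entries.
$targets = Get-MailboxDatabase |
    Where-Object { $_.DistinguishedName -ne $allowed.DistinguishedName }

foreach ($db in $targets) {
    Write-Host ("Denying {0} on {1}" -f $DelegatedGroup, $db.Identity)

    # "Read" in ADSI Edit is GenericRead: without it the database object is not
    # returned to the delegated admin at all, so it disappears from the wizard.
    Add-ADPermission -Identity $db.DistinguishedName -User $DelegatedGroup `
        -AccessRights GenericRead -Deny -WhatIf:$DryRun

    # "View information store status" is an Exchange extended right; the
    # ms-Exch-Store-Visible mapping is an assumption, confirm it on your schema.
    Add-ADPermission -Identity $db.DistinguishedName -User $DelegatedGroup `
        -AccessRights ExtendedRight -ExtendedRights ms-Exch-Store-Visible -Deny -WhatIf:$DryRun
}

# Verification: list every Deny entry that now exists for the group across all
# databases, including inherited ones, and make sure the allowed database is absent.
$denies = Get-MailboxDatabase |
    Get-ADPermission -User $DelegatedGroup |
    Where-Object { $_.Deny }

$denies | Select-Object Identity, AccessRights, ExtendedRights, IsInherited |
    Format-Table -AutoSize

if ($denies | Where-Object { $_.Identity -like "*$($allowed.Name)*" }) {
    Write-Warning "A Deny entry reached the allowed database; check storage-group inheritance."
}
```

Run it first with $DryRun left at $true to see the -WhatIf output, then flip it to $false. Two things to keep in mind when adopting this model: Deny entries win over Allow entries, so never put anyone who is also an Exchange Organization Administrator into the delegated group, or they will lose sight of those databases too; and a database created later inherits nothing from this script, so rerun it (or apply the Deny at the storage-group level as James suggests, which inherits to every database in that storage group, including new ones) whenever the database layout changes.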

That worked perfectly for me, thanks! I think I was trying to be too granular before, looking at the hundreds of security properties. Much obliged.
Jason
July 20th, 2011 1:21pm
