appropriate delegations, receiving Access Denied to GAL when mail-enabling Security Groups
Exchange 2007 SP1
Server 2008
Native 2008 domain
Exchange server is a GC

The user in question has been added to the Account Operators group in AD DS, and has been delegated the Recipient Administrator rights within the EMC. The procedure given to the user follows the guidelines set forth at: http://technet.microsoft.com/en-us/library/bb123805.aspx.

When mail-enabling the Universal Security Group, the operation fails with the error: 'Access to address list service on all Exchange 2007 servers has been denied'.

The user can have access to any OU in the domain with regards to creating the groups, so granularity is not as important as functionality. Is there anything short of making the user a Server Administrator (Exchange) that can be done?
March 18th, 2009 7:06pm

You might try implementing a split permissions model to allow the user to access "server administrator" level functions without granting them that role.

Planning and Implementing a Split Permissions Model
http://technet.microsoft.com/en-us/library/bb232100.aspx

Permission Considerations
http://technet.microsoft.com/en-us/library/aa996881.aspx
March 18th, 2009 11:55pm

I attempted to execute the split permissions implementation, but when I get to step 4, I do not have the OU structure described in the article. I do not have the Microsoft Exchange, Services, or Configuration containers, even with the Advanced view on. Even with steps 1-3 completed, the user cannot mail-enable AD DS security groups.

Making the user a member of the Exchange Server Administrators group DOES allow them to perform this function, even though they are NOT administrators on the server or domain?!? Also, I gave the user's account membership in the Exchange View-Only Administrators group, and this did NOT work.

So as it is, the user is a member of the Account Operators group in AD DS, and is also a member of the Exchange Server Administrators group, and is able to mail-enable AD DS security groups. This of course grants the user more permissions than they should have, and is a problem.
March 19th, 2009 3:48pm

Hi,

Did you try another user on this issue? Please first check whether any error message comes up in the event log. Check whether your Exchange server is a member of the Exchange Servers group. Verify that the Microsoft System Attendant service is running.

Please run the get-exchangeadministrator -identity "username" |fl command in EMS, then post the information on the forum, and let me check the permissions of the user that has been delegated.

Thanks
Allen
March 20th, 2009 12:17pm

Hi Allen,

Here are the results:

Identity : BEV-GRANT.com/Users - BG/Staff/Jordan Mckelvy
Scope : Organization wide
Role : ViewOnlyAdmin

Identity : BEV-GRANT.com/Users - BG/Staff/Jordan Mckelvy
Scope : BG-EXCHANGE07
Role : ServerAdmin

In order to get it to work, I had to delegate her the Exchange Server Admin Role. If that role is removed, she cannot mail-enable the AD DS security groups, even though other delegations have been performed as noted above.

Thanks for your help!
April 3rd, 2009 7:23pm

This topic is archived. No further replies will be accepted.
