Delegation to create mail-enabled users

GJB

Hi,

I manage a central Exchange org with around 500 remote locations, which are
not part of the Exchange AD Forest.
The users log on to their own forest/domain and then either connect via OWA
or Outlook and authenticate with their Exchange usernames/passwords when
they connect/are challenged.

Each location is an OU in the Exchange Forest/domain and has a superuser I
would like to delegate control to, so they could create users/mailboxes
just for their OU. If I use the delegate wizard to allow user creation in AD,
what would I need to do to allow the Exchange mailbox to be created? E.g.
would they need explicit Exchange permissions on the store?

Regards,

GJB

PS Can anyone recommend a web-based management tool (inexpensive) that would
allow the delegated users to do the above, as they do not have access to ADUC
etc.?
 
In actuality, just having permissions to create a user is more than
enough to mailbox or mail enable a user if you understand how the system
works. If you need to use the Exchange GUI or CDOEXM you would need to
add at least Exchange View access.

That being said, I do not recommend companies that are running Exchange
to allow this delegation as local site admins who probably aren't
supporting Exchange can really screw with Exchange by changing quotas
and what servers mailboxes are on, etc.

The best delegation tool I have seen for this is Quest's Active Roles
server. But it isn't inexpensive. You are talking about security and
stability of your infrastructure; cheap usually isn't how you should
think about doing it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
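Since the reply above says that the right to create users is already enough to mailbox-enable them, it is worth auditing who holds that right on each location OU. The following is an added example, not part of the original thread: it reads an OU's security descriptor in SDDL form and lists unexpected trustees that can create user objects there. The SDDL string and SIDs are constructed sample data, and the list of expected trustees is an assumption.

```python
import re

USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"  # AD "user" class
ALLOW_TYPES = {"A", "OA"}            # allow / object-specific allow ACEs
# Assumption: trustees expected to hold this right (SDDL aliases for Domain
# Admins, Enterprise Admins, SYSTEM, built-in Administrators).
EXPECTED = {"DA", "EA", "SY", "BA"}
DS_CREATE_CHILD = 0x1
GENERIC_ALL = 0x10000000

def _pairs(text: str) -> set[str]:
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {text[i:i + 2] for i in range(0, len(text), 2)}

def _grants_create(rights: str) -> bool:
    if rights.lower().startswith("0x"):          # rights given as a hex mask
        return bool(int(rights, 16) & (DS_CREATE_CHILD | GENERIC_ALL))
    return bool(_pairs(rights) & {"CC", "GA"})   # create-child or full control

def user_creators(sddl: str) -> list[str]:
    """Return unexpected trustees allowed to create user objects in this OU."""
    found = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ALLOW_TYPES or "IO" in _pairs(flags):
            continue  # deny/audit ACE, or inherit-only (not effective here)
        if obj_guid and obj_guid.lower() != USER_CLASS_GUID:
            continue  # create right scoped to a different child class
        if _grants_create(rights) and trustee not in EXPECTED and trustee not in found:
            found.append(trustee)
    return found

# Constructed sample: a delegated site admin (RID 1105) who may create users,
# and another account (RID 1106) limited to computer objects.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;CIIO;GA;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
    "(A;;RPLCLORC;;;AU)"
)

if __name__ == "__main__":
    print(user_creators(SAMPLE_SDDL))
```

The check covers only ACEs effective on the OU itself; inherit-only entries that apply to child containers need the same review on those containers.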