Exchange 2007 customize permission for Exchange administrator

  • Question

  • Hi Guys,

    I have received a very weird request to assign Exchange 2007 permissions in the following way.

    Number of exchange server in organization :-
    Location A
    1 Cluster mailbox server
    2 CAS/HUB server

    Location B
    1 Cluster mailbox server
    2 CAS/HUB server

    Each location will have its own local IT administrator, but they will only be allowed to do the following within their own location's Exchange servers.

    Recipient configuration :-
    mailbox -> allow Read & Delete, not allow Create or Modify
    mail contact -> allow Read & Delete, not allow Create or Modify

    Please advise and suggest a way to split up the permissions like this in Exchange 2007?

    Many thanks, and I appreciate any feedback...
    Thursday, August 6, 2009 6:02 AM

Answers

  • What I did with Exchange permissions to meet the requirement, without granting Exchange Server admin permission to the local IT who can't have create or modify permission but are allowed remove and read permission: I assigned the Exchange View-Only permission at the Exchange permission level, and restricted the local IT user account at the Active Directory OU level by assigning them full delegation within it. Hence the local IT is able to remove a mailbox from the Exchange server but not create one, since it has only "View-Only" permission on the Exchange server.

    • Marked as answer by listlow Thursday, August 13, 2009 3:37 PM
    Thursday, August 13, 2009 3:37 PM
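    The marked answer's approach (Exchange View-Only role plus delegation on the location's own OU) in Exchange Management Shell form, as an added example that is not from the thread or from Microsoft's documentation. It assumes a domain CONTOSO, a security group CONTOSO\LocalIT-A for Location A's admins and Location A's recipients in OU=LocationA,DC=contoso,DC=com (all hypothetical), and it narrows the OU delegation to read plus delete-child instead of the full delegation the answer used, to match the original read & delete requirement.

    ```powershell
    # Added example, not the thread's own steps. Assumes Exchange 2007 Management Shell
    # on a server in the org, domain CONTOSO, group CONTOSO\LocalIT-A and the OU below.
    $Group = 'CONTOSO\LocalIT-A'
    $Ou    = 'OU=LocationA,DC=contoso,DC=com'

    # 1. Exchange side: View-Only Administrator role only (no RecipientAdmin, no ServerAdmin),
    #    so the group can read recipient configuration but gets no Exchange-level write rights.
    Add-ExchangeAdministrator -Identity $Group -Role ViewOnlyAdmin

    # 2. AD side: delegate on Location A's OU with dsacls, inherited to the whole subtree (/I:T).
    #    GR        = generic read on the OU and everything under it
    #    DC;user   = delete child objects of class user (mailbox-enabled users live here)
    #    DC;contact= delete child objects of class contact (mail contacts)
    #    No CC (create child) and no WP (write property) are granted, so New-* and Set-*
    #    cmdlets run under this group get Access Denied from AD.
    dsacls $Ou /I:T /G "${Group}:GR"
    dsacls $Ou /I:T /G "${Group}:DC;user"
    dsacls $Ou /I:T /G "${Group}:DC;contact"

    # 3. Verify what was actually granted before handing the accounts over.
    Get-ExchangeAdministrator | Where-Object { $_.Identity -like '*LocalIT-A*' } |
        Format-Table Identity, Role, Scope -AutoSize
    dsacls $Ou | Select-String 'LocalIT-A'
    ```

    Validate in a lab with a member of the group first: Get-Mailbox and Remove-Mailbox on Location A recipients should succeed while New-Mailbox, Set-Mailbox and any operation on Location B's OU are denied, because, as the thread notes, Exchange 2007 enforces all of this purely through the AD ACL.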

All replies

  • Take a look at the couple of articles below on planning split permissions. However, allowing deletion of objects indirectly gives creation or modification rights as well, so you need to plan accordingly by redirecting deletion requests to the org admin or something similar...

    Planning and Implementing a Split Permissions Model

    Split Permissions Model Reference

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Thursday, August 6, 2009 6:22 AM
  • I have been reading these pages.. it is quite confusing, and they did not include the way to give delete permission on a mailbox or mail contact.. I understand that by allowing delete object, create and modify are certainly granted as well... maybe for create we will deny it from creating objects in Exchange or AD.. so even though it has got the create right, they can't create the mailbox either.. can it be done?

    Where can I get the full list of permissions and their descriptions for Exchange 2007?

    Thursday, August 6, 2009 6:29 AM
  • Hi,

    Please do look at http://technet.microsoft.com/en-us/library/bb310792.aspx and http://technet.microsoft.com/en-us/library/bb310770.aspx. These should give you a good idea, along with the other links provided by Amit.
    Nitin Gupta (gupnit) | MVP - Exchange | http://www.nitingupta.in/blogs
    • Proposed as answer by Xiu Zhang Friday, August 7, 2009 8:35 AM
    Thursday, August 6, 2009 7:05 AM
  • If I want to grant create mailbox permission for Exchange at location A, but deny access on the Exchange servers at location B.. what would the permissions look like?

    Thursday, August 6, 2009 8:10 AM
  • The second link, bb310770, provided by Nitin gives you a fair idea of which permissions Exchange grants, and on which containers of the AD database, during setup, but those only have the granularity of the 4 different Exchange security admin groups available in the permission model.

    So what you are looking for might not be a scenario tested and supported by Microsoft in Exchange 2007. You may need to sit with your AD admin to give granular-level permissions, and you need to test it in a lab environment with a POC before putting it into production, to know how EMC/EMS behaves when the location's local IT admins try to create, delete and modify mailboxes and contacts.

    This will be quite easy in Exchange 2010 with the new permission model, RBAC, in which we can give granular-level permissions on Exchange cmdlets, and even on parameters of a cmdlet, to end users. This information is stored in the AD Configuration partition, and whenever an end user loads EMC/EMS in Exchange 2010, remote PowerShell checks the RBAC and loads only the necessary cmdlets and configuration into the server and local PowerShell sessions. So with that you will be able to give the local IT admin permission to run Get-* or Remove-* cmdlets but not New-* or Set-* cmdlets...

    But you need to wait for Exchange 2010 to be released... :)

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    • Proposed as answer by Xiu Zhang Friday, August 7, 2009 8:35 AM
    Thursday, August 6, 2009 8:17 AM
  • Since the split permissions model works at the AD object level, you may need to separate the users of the two different locations into their individual OUs and give the local admins permissions on their respective location's OU...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Thursday, August 6, 2009 8:21 AM
  • cool, that is the wonderful thing about Exchange 2010.. :)

    I'm digesting the pages given.. it will take a while to blend into what I am looking at.. as I noticed, there are many types of permissions in the AD special permissions, and I wonder where I can get the full list of those Exchange permissions listed under special permissions in AD? or is that not really related to what I am doing?

    Thursday, August 6, 2009 8:22 AM
  • Well, Exchange 2007 EMC/EMS checks the AD permissions of the account you are using to execute the Exchange cmdlet. If that account has the necessary AD permission to create/modify/delete the object or settings you are trying to change with the Exchange cmdlet, then it will allow Exchange to perform the task; otherwise you get an Access Denied error... :)

    So in short, Exchange uses AD permissions to build its security foundation, and all the recipient tasks are muddled up with AD...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Thursday, August 6, 2009 8:33 AM