How to Secure Exchange Server 2007 + delegate new user creation

  • Question

  • I'm looking for the best practice for securing access to top-level executives' Exchange mailboxes.

    • How can I delegate permissions to a jr admin to add mailboxes but not be able to modify the full access permissions on any mailboxes?
    • Secondly, what is the best way to audit any changes made to the configuration of a mailbox?

    Thanks in Advance

    Tuesday, September 4, 2012 3:59 PM

Answers

  • On Tue, 4 Sep 2012 21:30:58 +0000, cmartin-vs wrote:
     
    >So what role could be given so that a jr admin cannot add themselves to full access control of a mailbox?
     
    I believe that would be a server administrator. They wouldn't be able
    to mess with connectors then, either.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, September 5, 2012 2:02 AM

All replies

  • To add mailboxes, all an admin has to have is View-Only Administrator role.  Someone can correct me if I'm wrong, but that role doesn't have the right to change mailbox rights.

    http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-permissions-and-roles-part1.html

    As to auditing permissions changes:

    http://social.technet.microsoft.com/Forums/en-US/exchangesvrcompliance/thread/c7537642-fdf4-451b-b1ad-09e9ffc2d130


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, September 4, 2012 7:51 PM
  • On Tue, 4 Sep 2012 19:51:44 +0000, Ed Crowley wrote:
     
    >To add mailboxes, all an admin has to have is View-Only Administrator role. Someone can correct me if I'm wrong, but that role doesn't have the right to change mailbox rights.
     
    Any "view only" role never could. Not even in releases prior to
    Exchange 2000. IIRC, it's always needed an "organization admin" role.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, September 4, 2012 9:27 PM
  • So what role could be given so that a jr admin cannot add themselves to full access control of a mailbox?
    Tuesday, September 4, 2012 9:30 PM
  • Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Isn't that the truth!
    Tuesday, September 4, 2012 9:33 PM