Restricting Delegate Admin Access to Databases in Exchange 2007

  • Question

  • After an exhaustive past couple of days of searching, I have been really unable to find an answer to my solution. We have an Exchange 2007 Environment and we are looking to start delegating mailbox administration to our sites. We have no problem doing that by adding them as Recipient Administrators, but what we would like to do is restrict where they can create mailboxes.

    We have 2 mailbox servers with about 10 databases on each, each on their own disks. We would like to allow admins to create any new mailboxes on server SERVER1 to DATABASE1-1 and nowhere else. From there, our team will delegate where mailboxes are to be moved. Right now we have about 6500 mailboxes scattered over a number of databases with, unfortunately, no logical organization. I tried testing some permissions with ADSI Edit, but without the admins being a local admin on the mailbox server, I constantly ran into insufficient permission errors.

    We are hoping to adopt this model to prevent Recipient Administrators from creating mailboxes on random databases and accidentally filling up the disk. If possible, it would be a bonus so that they only see the 1 database displayed when creating the mailbox.

    Thanks for taking the time to read this!

    Jason

    Wednesday, July 20, 2011 3:11 PM

Answers

  • Oops, you're on 2007; there is no friendly way to accomplish this with 2007. It'll go along the lines of denying the delegated user\group rights on the DB or storage group level using adsiedit. I would start with denying read and view information store status.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Wednesday, July 20, 2011 3:24 PM

All replies

  • Answer in previous thread below:

    Example

    # Database (configuration) scope naming the two allowed databases; the OPATH filter matches by exact name
    # (a single -Like "Database01,Database02" string would only match a database with that literal name)
    New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter { Name -eq "Database01" -or Name -eq "Database02" }
    # Assign the role to the group with the database scope as the configuration write scope
    New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -SecurityGroup "Explorers" -CustomConfigWriteScope "Databases_ManagmentScope"

    RBAC - How to restrict User to create users in specific DB?

    http://social.technet.microsoft.com/Forums/en/exchangesvradmin/thread/e11036d9-9749-466e-8626-bc47307c8fc9


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Wednesday, July 20, 2011 3:18 PM
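    The scope-and-assignment approach from the reply above, carried through for the single landing database in the question, as an added example that is not part of the thread and not Microsoft's own sample. It targets Exchange 2010 or later RBAC (the reply notes 2007 has no equivalent) and narrows the role to "Mail Recipient Creation"; the group name SiteRecipientAdmins, the scope and assignment names, and the second database DATABASE1-2 used for the negative check are assumptions, while SERVER1/DATABASE1-1 come from the question.

```powershell
# Added example, run in the Exchange Management Shell (Exchange 2010+) as an Organization Management member.
# Assumed names: SiteRecipientAdmins (delegated group), DATABASE1-2 (a database the group must NOT reach).
$group     = "SiteRecipientAdmins"        # hypothetical universal security group for the site admins
$scopeName = "Site_NewMailbox_Scope"      # hypothetical scope name
$landingDb = "DATABASE1-1"                # the only database new mailboxes may land on (from the question)

# 1. Configuration scope containing exactly one database. An explicit list avoids filter mistakes
#    such as {Name -Like "Database01,Database02"}, which matches only a database with that literal name.
New-ManagementScope -Name $scopeName -DatabaseList $landingDb

# Equivalent filter form, exact-name match in OPATH syntax (add -or clauses for more databases):
# New-ManagementScope -Name $scopeName -DatabaseRestrictionFilter { Name -eq "DATABASE1-1" }

# 2. Grant only the creation role, limited to that scope. Database scopes belong in
#    CustomConfigWriteScope; CustomRecipientWriteScope is for recipient (OU) scopes instead.
New-ManagementRoleAssignment -Name "Site_MailRecipientCreation" `
    -Role "Mail Recipient Creation" -SecurityGroup $group `
    -CustomConfigWriteScope $scopeName

# 3. Verify the scope and the effective write access before handing it to the site.
Get-ManagementScope -Identity $scopeName | Format-List

# Assignments that let the group write to the landing database: expect Site_MailRecipientCreation.
Get-ManagementRoleAssignment -RoleAssignee $group -WritableDatabase $landingDb |
    Format-Table Name, Role, CustomConfigWriteScope

# Same check against another database: expect no rows, i.e. New-Mailbox -Database DATABASE1-2 is denied.
Get-ManagementRoleAssignment -RoleAssignee $group -WritableDatabase "DATABASE1-2" |
    Format-Table Name, Role, CustomConfigWriteScope
```

    If the group also holds a broader assignment (for example the built-in Recipient Management role group), the second check will list it, which is the signal that the broader assignment must be removed for the restriction to take effect.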
  • That worked perfectly for me, thanks! I think I was trying to be too granular prior to looking at the hundreds of security properties.

    Much obliged.

    Jason

    Wednesday, July 20, 2011 5:10 PM