Exchange 2007 Recipients Administrators Required To Be In Specific OU

  • Question

  • For whatever reasons members of our Exchange 2007 "Exchange Recipient Administrators" group must be in a specific OU to manage distribution lists.

    I have been unable to determine why the user accounts have to be in a specific OU. All of the documentation I have found involving OUs with the "Exchange Recipient Administrators" group is in regards to which OUs the group can manage, not which OU the users must be in. I need to move the user accounts in AD for GPO inheritance, but need to allow these user accounts to still be in the "Exchange Recipient Administrators" group in the new OUs.

    Any help would be greatly appreciated.

    Wednesday, January 11, 2012 8:35 PM

All replies

  • Hi,

    This OU might have been delegated for the Exchange Recipient Administrators group. By going to the OU properties in advanced mode you can find this.

    Check this out: http://exchangepedia.com/blog/2008/02/how-to-delegate-recipient.html


    Thanks & Regards, Kottees. Please mark as an answer if it really helps you.
    Thursday, January 12, 2012 5:01 AM
  • Thanks Kottees,

    But this is not actually our issue. The Recipient Administrators have delegation over the whole directory.

    However, the user accounts that are members of the Recipient Administrators group must be located in the "Exchange Objects\Distribution Groups" OU to have the ability to create distribution lists. This is the same OU that the DLs are created in.

    We are fairly certain it's a permissions issue, but not really sure where to check.

    Thanks again!

    -Matt


    Thursday, January 12, 2012 1:32 PM
  • Hi,

    Do you have GPO configured on that OU?

    You can try to use the command below to get the permissions on that OU:

    get-acl(get-adorganizationalunit -filter *) | fl

    Get-Acl

    http://technet.microsoft.com/en-us/library/dd347635.aspx


    Xiu Zhang

    TechNet Community Support

    Friday, January 13, 2012 8:13 AM
  • Xiu,

    Is there an alternate syntax for this command? When I run the command as specified I get an error stating "Get-Acl : Cannot find path" for every OU in my domain.

    Thanks!

    -Matt

    Friday, January 13, 2012 3:36 PM
  • Hi,

    We need to run that cmdlet from Windows PowerShell.

    So what is the OS version of your DCs?

    You can try to download dsrevoke from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19288. dsrevoke is a tool which we can use to view and remove permissions on Domain and OU containers of Active Directory domain controllers.

     


    Xiu Zhang

    TechNet Community Support

    Monday, January 16, 2012 3:30 AM
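
Reading OU permissions with Get-Acl, as discussed in the replies above, shown here as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is available; the helper name Get-OuAceForGroup is hypothetical and the group name is the one quoted in the question.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# is installed and the session can reach a domain controller.
Import-Module ActiveDirectory

# Group name as written in the thread; change it if yours is named differently.
$GroupName = 'Exchange Recipient Administrators'

# Hypothetical helper: returns one row per ACE that names $Group on any OU.
function Get-OuAceForGroup {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Group
    )

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        # A bare distinguished name is resolved by the current provider
        # (normally FileSystem) and fails with "Cannot find path". Prefixing
        # the AD: drive, which the module creates on import, sends the lookup
        # to the directory instead.
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)

        foreach ($ace in $acl.Access) {
            # IdentityReference is normally DOMAIN\Name; match on the name part.
            if ($ace.IdentityReference.Value -like "*\$Group") {
                $ace | Select-Object @{ Name = 'OU'; Expression = { $ou.DistinguishedName } },
                    AccessControlType,
                    ActiveDirectoryRights,
                    IsInherited,
                    InheritanceType,
                    ObjectType
            }
        }
    }
}

# Explicit (IsInherited = False) entries show where delegation was set by hand,
# which is where one OU can differ from the rest of the directory.
Get-OuAceForGroup -Group $GroupName |
    Sort-Object OU, IsInherited |
    Format-Table -AutoSize -Wrap
```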