How to limit Recipient Management rights to users in a OU in Exchange 2010 SP1

  • Question

  • We need to have an account with Exchange Recipient Management rights only on mailboxes of users in a specific OU in Active Directory.

    For OU "Dept1" the user Dept1Admin would see only mailboxes of accounts in OU Dept1

    Should we use adsiedit to set an ACL on OU Dept1 to grant Dept1Admin rights identical to the Recipient Management group?

    What would be minimum group membership for Dept1Admin providing that we need to grant access only to objects related to users in Dept1 OU?

    Thanks in advance for any hint
    /Patrice

    Friday, March 18, 2011 2:57 PM

Answers

  • Hi,

    You could create a new Exchange Recipient Management role using the parameter RecipientOrganizationalUnitScope.

    Look at this example.

    This example assigns the Mail Recipients role to the Contoso Sub - Seattle role group. The administrators in this role group should only be allowed to create and manage mail recipients in specific databases that have been allocated for use by the Contoso subsidiary, A. Datum Corporation (adatum.com). Also, this group of administrators should only be allowed to manage the Contoso employees that are located in the Seattle office. This is done by creating a role assignment with both a database scope, to limit management of mail recipients to only the databases in the database scope, and a recipient OU scope, to limit access to only the recipient objects within the Contoso Seattle OU.

    New-ManagementRoleAssignment -Name "Mail Recipients_Contoso Seattle" -Role "Mail Recipients" -SecurityGroup "Contoso Sub - Seattle" -CustomConfigWriteScope "Contoso Databases" -RecipientOrganizationalUnitScope adatum.com/Contoso/Seattle/Users

    More information about New-ManagementRoleAssignment

    http://technet.microsoft.com/en-us/library/dd335193.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Proposed as answer by Jerome Xiong Thursday, March 24, 2011 5:52 AM
    • Marked as answer by emma.yoyo Monday, March 28, 2011 9:24 AM
    Tuesday, March 22, 2011 3:08 AM
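    As an added example (not part of this thread or of Microsoft's documentation), the same OU-scoping idea applied to the poster's own scenario: a dedicated role group whose assignments all carry a recipient OU write scope, followed by two checks a delegating admin would want to run. The domain name contoso.com, the OU canonical name "contoso.com/Dept1", the account Dept1Admin and the role group name "Dept1 Recipient Admins" are assumed values; the three roles listed are a subset of those held by the built-in Recipient Management role group.

    ```powershell
    # Added example: delegate recipient management for one OU with RBAC.
    # Assumed names: domain contoso.com, OU "Dept1", account Dept1Admin,
    # role group "Dept1 Recipient Admins". Run from the Exchange Management
    # Shell as a member of Organization Management.

    $ou        = "contoso.com/Dept1"          # canonical name, not a distinguishedName
    $groupName = "Dept1 Recipient Admins"
    $admin     = "Dept1Admin"

    # Subset of the roles held by the built-in Recipient Management role group;
    # assign only what the delegated account actually needs.
    $roles = "Mail Recipients", "Mail Recipient Creation", "Distribution Groups"

    # New-RoleGroup creates one role assignment per role; the OU scope given
    # here is stamped on each of those assignments as the recipient write scope.
    New-RoleGroup -Name $groupName `
        -Roles $roles `
        -Members $admin `
        -RecipientOrganizationalUnitScope $ou `
        -Description "Recipient management limited to the $ou OU"

    # Check 1: every assignment behind the group must show an OU write scope.
    Get-ManagementRoleAssignment -RoleAssignee $groupName |
        Format-Table Role, RecipientReadScope, RecipientWriteScope -AutoSize

    # Check 2: RBAC is additive. If Dept1Admin is also a member of Recipient
    # Management or Organization Management, those unscoped assignments widen
    # its rights regardless of the new group. List everything the account holds
    # through any group and flag assignments whose write scope is not an OU.
    $effective = Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $admin }

    $tooBroad = $effective | Where-Object { $_.RecipientWriteScope -ne "OU" }
    if ($tooBroad) {
        Write-Warning "$admin holds assignments that are not limited to an OU:"
        $tooBroad | Format-Table Role, RoleAssigneeName, RecipientWriteScope -AutoSize
    } else {
        Write-Host "$admin is limited to OU-scoped recipient assignments only."
    }
    ```

    The second check answers the "minimum group membership" part of the question: the delegated account should be a member of the scoped role group and of no broader Exchange role group, because effective rights are the union of all assignments. Note that an OU write scope restricts what the account can modify; the recipient read scope on these roles stays at the organization level, so Dept1Admin can still list mailboxes outside Dept1 even though it cannot change them.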
  • Bharat Suneja (msft) has a blog post (linked below) on how to set up a recipient org admin for a particular OU rather than the default entire org. It's for Exchange 2007, but the guidance should still be the same since it's just based on AD permissions.

    HOW TO: Delegate recipient administration for an OU

    http://exchangepedia.com/blog/2008/02/how-to-delegate-recipient.html


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Marked as answer by emma.yoyo Monday, March 28, 2011 9:24 AM
    Saturday, March 19, 2011 2:45 PM

All replies

  • Hi Patrice,

    This one can also help you:

    http://technet.microsoft.com/en-us/library/bb232100%28EXCHG.80%29.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Sunday, March 20, 2011 11:17 AM