| Author | Messages | |
ifconfig
Posts:49
 | | 08/11/2009 3:28 PM |
| Sorry for the OT, but I wager if I can't find the answer to an Exchange question on this list, it doesn't exist!
We're attempting to use a split permissions model for managing Exchange and AD. The scheme is simple: each OU is a business unit with delegated full rights to the OU and all objects contained within that OU. In addition, each business unit gets delegated the proper and sufficient rights to their own Storage Group and databases.
Recently, I was asked if it would be possible to delegate the right for an OU administrator to be able to modify Full Access mailbox rights for their users.
In other words, without giving the OU administrators Org Admin rights, is it possible through *some* setting, to allow OU admins (currently Exchange View-Only Admins) to give UserA Full Access to UserB's mailbox? Might this be done through AD, for example?
Thanks in advance for *any* answers.
Fred W.
| | | |
| nicolasblank
Posts:20
 | | 08/11/2009 3:42 PM |
| What Exchange version Fred?
| | | |
| ifconfig
Posts:49
 | | 08/11/2009 4:09 PM |
| Ah, probably should have added that: 2007
On Tue, Aug 11, 2009 at 08:42, Nicolas Blank <nicolas.blank@gmail.com> wrote:
> What Exchange version Fred?
| | | |
| michael1
Posts:426
 | | bdesmond
Posts:977
 | | 08/11/2009 7:59 PM |
| Delegate them Account Operator?
The SACL isn’t a separate attribute, it’s part of the ntSecurityDescriptor. I’m not sure what Exchange stores in there on a per recipient basis though? Usually it’s just auditing stuff mainly in the SACL.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/ Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Michael B. Smith Sent: Tuesday, August 11, 2009 1:31 PM To: activedir@mail.activedir.org; activedir@activedir.org Subject: RE: [ActiveDir] [OT] Exchange Split Permissions Question
Why not delegate them Account Operator for the OU? That gives WP to SACL doesn’t it?
| | | |
| michael1
Posts:426
 | | paulrowland
Posts:6
 | | 08/12/2009 12:22 PM |
| There is a TechNet article that describes how to do this delegation: http://technet.microsoft.com/en-gb/library/bb232100.aspx and Microsoft have also supplied a PowerShell script to implement it.
| | | |
| michael1
Posts:426
 | | ifconfig
Posts:49
 | | 08/12/2009 5:51 PM |
| Yes, Michael, you're correct. And we already used the script to provide for the split permissions model we have. Wow, if this one's stumped you, Michael, I don't believe it can be done! :-(
Fred
On Wed, Aug 12, 2009 at 06:06, Michael B. Smith <michael@theessentialexchange.com> wrote:
> I don't believe that script provides the capability of managing "Full Access".
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rowland, Paul (London)(c)
> Sent: Wednesday, August 12, 2009 7:21 AM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] [OT] Exchange Split Permissions Question
>
> There is a TechNet article that describes how to do this delegation:
>
> http://technet.microsoft.com/en-gb/library/bb232100.aspx
>
> and Microsoft have also supplied a PowerShell script to implement it.
| | | |
| michael1
Posts:426
 | |
|