Re: Exchange 2000 & Administrator Rights

From: Philip Amos (someone_at_somewhere.com)
Date: 05/11/04


Date: Tue, 11 May 2004 11:01:22 +0100

Basically the way our company works is that each office has an OU and an
Exchange Administrative group. The Administrators at each office have been
granted Full Control over all Users, Contacts & Groups within their OU.
They have also been delegated the Exchange Full Administrator over their
Administrative Group in Exchange System Manager.

We basically need each of these Administrators to be able to manage all
aspects of Exchange 2000 within this Administrative group\OU but as Exchange
is installed on a DC we do not want to make them members of the
Domain\Administrators Group. This includes managing mailboxes, managing
stores, stopping and starting services (we know how to do this part), and
carrying out maintenance of Exchange Databases as and when needed.

Thank you
Philip Amos

"Dave Howe [MSFT]" <daveh@online.microsoft.com> wrote in message
news:mk6v90pvkgp37m909is4hnrv2kpblok801@4ax.com...
> On Thu, 6 May 2004 16:27:31 +0100, "Philip Amos"
> <someone@somewhere.com> wrote:
>
> >Can anybody please tell me why a user who has been delegated the Exchange
> >Full Administrator right still needs to be a member of the local machine's
> >Administrator group??
> >
> >What I would ideally like to do is specifically grant rights over the
> >necessary objects within the directory\file system\registry etc. to my
> >Exchange administrators and not have them as members of the Administrators
> >group. The reason for this is that Exchange 2000 is installed on some
> >Domain Controllers and the local Administrators group is the one in the
> >Domain which then grants people rights over other stuff that I do not want
> >them to have access to.
> >
> >The problem is that I have been unable to find any documents either in
> >TechNet or on the web which explain what rights a member of the local
> >Administrators group gets over Exchange which make membership of this group
> >necessary and would appreciate it if somebody can tell me what rights I need
> >to grant.
>
> Can you explain exactly what kind of rights would you want them to
> have? Strictly mailbox creation, or do you want them to have the
> ability to mount/dismount stores, etc.?
> ---
>
> Dave Howe
> Microsoft PSS
>
> This posting is provided "AS IS" with no warranties, and confers no rights.


