jmbrinkman

Exchange 2007: Enable Non-Admin to set Mailbox Permissions

In Active Directory, Exchange on April 17, 2012 at 13:06

In Exchange 2010 you are able to design your own RBAC system and define roles. No such luck for those of us still using Exchange 2007. In order to set Full Access mailbox permissions you need to be a Server or Organization Administrator, which in our case was overkill because we wanted to allow non-admin users to set these permissions.

After some experiments I came up with a combination of permissions:

Grant Full Access to a Mailbox:

  • Assign the Exchange Recipient Administrator role to the user or group
  • On each mailbox store/database:
    • Start Adsiedit:
      • Go to Configuration\Services\Microsoft Exchange\ORGNAME\Administrative Groups\Exchange Administrative Group bla bla bla\Servers\SERVERNAME\InformationStore\SGNAME\STORENAME
      • Open Properties\Security
      • Give the user or group the following permissions:
        • Administer Information Store
        • View Information Store Status
        • Read Permissions
        • Modify Permissions

As for Send As permissions:

  • On each OU containing User objects set the following permissions:
    • Read Permissions (On Descendant User objects)
    • Modify Permissions (On Descendant User objects)
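
The same delegation can be scripted from the Exchange Management Shell instead of clicking through ADSI Edit on every store. This is an added example, not code from the original post: the group name and OU are placeholders, and the two `ms-Exch-Store-*` names are the directory names of the extended rights shown in the GUI as "Administer Information Store" and "View Information Store Status".

```powershell
# Run in the Exchange 2007 Management Shell as an Organization Administrator.
# Placeholders (assumptions, not taken from the post):
$delegate = 'EXAMPLE\Mailbox-Permission-Delegates'  # group already holding Exchange Recipient Administrator
$userOUs  = @('OU=Staff,DC=example,DC=com')         # OUs that contain the User objects

# Full Access: the four permissions from the ADSI Edit steps, on every mailbox database.
foreach ($db in Get-MailboxDatabase) {
    # "Administer Information Store" and "View Information Store Status"
    Add-ADPermission -Identity $db.DistinguishedName -User $delegate `
        -ExtendedRights 'ms-Exch-Store-Admin', 'ms-Exch-Store-Visible' | Out-Null

    # "Read Permissions" (ReadControl) and "Modify Permissions" (WriteDacl)
    Add-ADPermission -Identity $db.DistinguishedName -User $delegate `
        -AccessRights ReadControl, WriteDacl | Out-Null
}

# Send As: Read/Modify Permissions on each OU, applied to descendant User objects only.
foreach ($ou in $userOUs) {
    Add-ADPermission -Identity $ou -User $delegate `
        -AccessRights ReadControl, WriteDacl `
        -InheritanceType Descendents -InheritedObjectType User | Out-Null
}

# Verification: list the explicit (non-inherited) ACEs the delegate now holds
# on each database and OU, so the result can be compared with the list above.
$targets = @(Get-MailboxDatabase | ForEach-Object { $_.DistinguishedName }) + $userOUs
foreach ($t in $targets) {
    Get-ADPermission -Identity $t |
        Where-Object { $_.User -like $delegate -and -not $_.IsInherited } |
        Format-Table Identity, User, AccessRights, ExtendedRights, InheritanceType -AutoSize
}
```

The verification loop is worth rerunning as a periodic audit: WriteDacl on user objects lets its holder grant any other right on those accounts, so membership of the delegate group should be reviewed like an admin group.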