jmbrinkman

Exchange 2007: Enable Non-Admin to set Mailbox Permissions

In Active Directory, Exchange on April 17, 2012 at 13:06

In Exchange 2010 you can design your own RBAC system and define roles. No such luck for those of us still using Exchange 2007. To set Full Access mailbox permissions you need to be a Server or Organization Administrator, which in our case was overkill because we wanted to allow non-admin users to set these permissions.

After some experiments I came up with the following combination of permissions:

Grant Full Access to a Mailbox:

  • Assign the Exchange Recipient Administrator role to the user or group
  • On each mailbox store/database:
    • Start Adsiedit:
      • Go to Configuration\Services\Microsoft Exchange\ORGNAME\Administrative Groups\Exchange Administrative Group bla bla bla\Servers\SERVERNAME\InformationStore\SGNAME\STORENAME
      • Open Properties\Security
      • Give the user or group the following permissions:
        • Administer Information Store
        • View Information Store Status
        • Read Permissions
        • Modify Permissions

As for Send As permissions:

  • On each OU containing User objects set the following permissions:
    • Read Permissions (On Descendant User objects)
    • Modify Permissions (On Descendant User objects)
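
The same grants expressed in the Exchange Management Shell, followed by a listing of what was granted so it can be reviewed; this is an added example, not part of the original post. The group name and OU are hypothetical placeholders, and the mapping of the two store permissions to the extended rights `ms-Exch-Store-Admin` and `ms-Exch-Store-Visible` is this example's assumption.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2007.
# Placeholder values (hypothetical): replace with your own group and OUs.
$delegate = 'CONTOSO\Mailbox-Permission-Operators'
$userOUs  = @('OU=Staff,DC=contoso,DC=example')

# Step 1: Exchange Recipient Administrator role for the delegate group.
Add-ExchangeAdministrator -Identity $delegate -Role RecipientAdmin

# Step 2: on every mailbox database, grant the four store permissions.
foreach ($db in Get-MailboxDatabase) {
    # Read Permissions / Modify Permissions
    Add-ADPermission -Identity $db.DistinguishedName -User $delegate `
        -AccessRights ReadControl, WriteDacl
    # Administer Information Store / View Information Store Status
    # (assumed mapping to these extended rights)
    Add-ADPermission -Identity $db.DistinguishedName -User $delegate `
        -ExtendedRights 'ms-Exch-Store-Admin', 'ms-Exch-Store-Visible'
}

# Step 3 (Send As): Read/Modify Permissions on descendant User objects only.
foreach ($ou in $userOUs) {
    Add-ADPermission -Identity $ou -User $delegate `
        -AccessRights ReadControl, WriteDacl `
        -InheritanceType Descendents -InheritedObjectType User
}

# Review: list every ACE the delegate now holds on the databases and OUs.
$targets = @()
foreach ($db in Get-MailboxDatabase) { $targets += $db.DistinguishedName }
$targets += $userOUs
foreach ($t in $targets) {
    Get-ADPermission -Identity $t -User $delegate |
        Format-Table Identity, AccessRights, ExtendedRights, IsInherited, Deny -AutoSize
}
```

Modify Permissions (`WriteDacl`) on descendant user objects lets the delegate edit the ACL of every user in that OU, so keep `$userOUs` limited to the OUs the group actually supports and keep privileged accounts outside them.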