pauls13

Delegate a helpdesk user admin rights to create mailboxes on one Exchange server only

I have 5 Exchange 2003 boxes on a single domain. I want to be able to delegate one of my admin guys the ability to create mailboxes only on his Exchange box. I used the Exchange delegation wizard to give him view-only rights, but I noticed that he will have the ability to create mailboxes on the other 4 Exchange boxes. How do I set it so that he can only create mailboxes on his own server?

All my boxes are running Exchange 2003 with SP2 on Win2k3.
bilbus

I believe you need to be a local admin + delegate to be a local admin (or domain admin) of an Exchange server (using delegation).

Read-only admin just needs to be able to log in to the server.

I could be wrong, but give it a try,
and you can set up permissions for the server via the Security tab (right-click the server name in ESA and choose Properties).

ASKER

I have tried doing it this way using the delegate wizard, but then it allows that user to create mailboxes on all the other Exchange servers as well, even with read-only rights. I need them to be able to create mailboxes on their Exchange server only.

ASKER

Hi bilbus

I have tried giving the user rights using the Security tab in ESA, but that allows the user to have complete control of the Exchange server, including the info store. I really just want the user to be able to create users without being able to have any admin rights for the Exchange server.
Hmm, I will look for the correct spot.
You could give the user Deny permissions under Advanced for all the other servers, but there needs to be a better way.
OK, got something.

Is the helpdesk user a domain admin? If not, this will work.

Remove the user from being an administrator on the other Exchange boxes. If they are not local computer admins, they can't admin the Exchange server even if they were delegated.

Make the helpdesk people only domain users on the Exchange boxes, or even remove them completely. (This can be done by running Computer Management on the Exchange servers you don't want them to touch.)

ASKER

OK, this is what I have done: I have created a new user, given that user view rights for Exchange using the delegation wizard, and added them to the local admin group on the Exchange server, which for the record is a member server. After running the wizard, I created a mailbox on the US server, but was also able to create mailboxes on my German, Denmark & UK boxes as well. The new user did not have any admin rights on the other Exchange boxes but his own.
That does not sound right. Is he a member of any other groups that have admin permissions?
Have you split this Exchange org into admin groups? If not, then that is something you should consider.

Simon.

ASKER

Not sure what you mean, could you explain?
You can split the Exchange org up into administrative groups. The default administrative group is where all the servers are currently set.
Create a new admin group and move the server into it. Then right-click on the admin group and choose Delegate Control. Run through the wizard, restricting access as required.

Simon.

ASKER

By creating a new admin group, will that have an effect on the way the org is currently set up?
ASKER CERTIFIED SOLUTION
Sembee

ASKER

How can I move a server to the new admin group?
That serves me right for posting just after I had woken up.
You can't move servers between admin groups. You would have to install Exchange on to a new server.

Simon.