Solved

Exchange store permissions?

Posted on 2007-11-17
Last Modified: 2010-04-21
I have an Exchange server that I have full Exchange admin rights on. I can do things like ExMerges and reconnect mailboxes, etc.

There is another group in Active Directory whose members need to manage that group's people.

I'm going to create a storage group with that group's users only and let that group manage it.

How can I do this and let them run ExMerge, Exchange Tasks, mail-enable people and stuff while giving them the least permissions to do this job?

I was thinking of just applying permissions to that storage group (or store?) for that group and giving Send As/Receive As permissions?

I believe they also need to be local admins in order to successfully do an ExMerge and export PSTs or whatever? In that case, can they be local account operators or something very minimal that won't allow them to bang up the actual server or do things outside of ESM?


Question by:snyderkv
4 Comments
 
LVL 12

Accepted Solution

by:
Network_Data_Support earned 2000 total points
ID: 20303891
The account that is used to run the ExMerge utility must have the Send As permission and the Receive As permission on the mailbox store that the ExMerge utility will be used on. By default, the following permissions are assigned when you install Exchange:

  • In Exchange 2000, built-in administrator accounts and built-in administrative groups inherit the Deny permission for both the Send As and the Receive As permissions.
  • In Exchange 2003, built-in administrator accounts and built-in administrative groups inherit the Allow permission together with the Deny permission for the Send As permission and for the Receive As permission.

Note: Some permissions take precedence over others. Typically, the Deny permission overrides the Allow permission. However, inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

To use the ExMerge utility without being restricted by these inherited permissions, it is recommended that you create a new security group, add members to the group, and then grant permissions to the security group on the Exchange mailbox store. In Exchange 2003, you must use a security group to override inherited Send As permissions and Receive As permissions. In Exchange 2000, you can apply explicit permissions to an individual account to override inherited Send As and Receive As permissions. However, we recommend that you use a security group to apply permissions in both versions of Exchange.
0
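The precedence rule in the answer above, modelled as an added example (not part of the original answer and not Microsoft's code): entries are evaluated in the Windows canonical order, so an explicit Allow on the mailbox store is reached before an inherited Deny. The group names "ExMerge Operators" and "Contractors" and the sample ACL are constructed for illustration; "Domain Admins" stands in for the built-in administrative groups.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str        # group or account the entry applies to
    allow: bool         # True = Allow entry, False = Deny entry
    rights: frozenset   # rights covered by this entry
    inherited: bool     # True if the entry flowed down from a parent object

def canonical_order(acl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def access_check(acl, token_groups, requested):
    """Each requested right is decided by the first matching entry that names it."""
    remaining = set(requested)
    for ace in canonical_order(acl):
        if ace.trustee not in token_groups:
            continue
        hit = remaining & ace.rights
        if not hit:
            continue
        if not ace.allow:
            return False            # Deny reached before the right was granted
        remaining -= hit
        if not remaining:
            return True             # every requested right has been granted
    return False                    # no entry granted it: implicit deny

RIGHTS = frozenset({"Send As", "Receive As"})

# Constructed mailbox-store ACL following the Exchange 2003 defaults described
# above, plus one explicit Allow for a new security group (hypothetical name).
STORE_ACL = [
    Ace("Domain Admins", True, RIGHTS, inherited=True),
    Ace("Domain Admins", False, RIGHTS, inherited=True),
    Ace("ExMerge Operators", True, RIGHTS, inherited=False),
]

# Same ACL with an explicit Deny added for a second hypothetical group.
STORE_ACL_WITH_DENY = STORE_ACL + [
    Ace("Contractors", False, frozenset({"Send As"}), inherited=False),
]

if __name__ == "__main__":
    for groups in ({"Domain Admins"}, {"Domain Users", "ExMerge Operators"},
                   {"Domain Admins", "ExMerge Operators"}):
        print(sorted(groups), access_check(STORE_ACL, groups, RIGHTS))
```

The model covers only the ordering rule; it does not reproduce the Exchange 2003 requirement that the override be applied through a security group.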
 

Author Closing Comment

by:snyderkv
ID: 31409720
Thanks, great answer.

Please tell me if you also need to be a local admin?
0
 

Author Comment

by:snyderkv
ID: 20304384
Great writeup.

Also, please let me know if they also have to be a local admin on that Exchange server.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20304411
I don't think so. ExMerge is usually set up with a new account created in AD that is only a member of Domain Users; if I remember, it shouldn't be a member of Domain Admins, so in that case they don't need to be a local administrator.
0
