• Status: Solved

Split Permissions model for Exchange 2007

Hello

There is an article here on how to assign Exchange permissions per OU in Exchange 2007, now that Admin Groups have been removed from Exchange 2007. In our organisation, providing all Helpdesk staff the ability to modify Exchange attributes on all user objects in the domain is not suitable.

http://technet.microsoft.com/en-us/library/bb232100%28EXCHG.80%29.aspx

I was looking at the section entitled, "How to use the Exchange Management Shell to assign permissions". Within this, there are two steps that I don't understand:

a) Run the following command to grant the OU1AdminGroup security group extended right to access the Recipient Update Service.

Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "Contoso\OU1AdminGroup" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents

b) Run the following commands to grant OU1AdminGroup security group the ability to update the address lists and e-mail address policies.

Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\OU1AdminGroup" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\OU1AdminGroup" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags

Where OU1AdminGroup is the Helpdesk group for OU1.

I'm not sure what those commands exactly do? Do they provide OU1AdminGroup with the ability to amend the RUS/Email Address Policies, or just use them to create new mailboxes? Could anyone clarify? There is an explanation copied from the article here, but I'm unsure what it means:

>>
Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can execute the Update-AddressList cmdlet.

Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container within the Exchange organization. These permissions are required so the recipient administrator can execute the Update-EmailAddressPolicy cmdlet.

The Access Recipient Update Service extended right on the Exchange 2007 administrative group. This extended right is required because in Exchange 2007, the address-related information is stamped on the recipient during the provisioning process.
>>

Thanks in advance.
Asked by: bruce_77

sandeep_narkhede Commented:
Updating Email Address (RUS in legacy world) is not a time-based service anymore in E2K7, but this is a task and it's action-based. So this task is executed when you create, in other words provision, a new user in E2K7.

These two cmdlets give access to the group to execute the task when they provision a new user.
 
bruce_77 (Author) Commented:
So the PowerShell cmdlets above relating to RUS and Email Address Policy are to execute them, not actually amend the RUS/Email Address Policy?

Also - why is RUS in there? I thought Exchange 2007 did not have RUS?
 
sandeep_narkhede Commented:
It is still there, but no longer as a service; however, it is an action-based task. It will not have a schedule as it used to in the legacy version, running at a specified interval, but will execute this task depending on an action.
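
To see what the grants quoted in the question leave on the three containers, the following lists the ACEs held by the group and flags any that go beyond attribute-scoped write access or an extended right. It is an added example, not part of the original thread or the TechNet article; it assumes the Contoso sample names from the question and is meant to be run in the Exchange Management Shell.

```powershell
# Added example (not from the thread). The group name and DNs are the
# Contoso sample values quoted in the question; replace them with your own.
$group = 'Contoso\OU1AdminGroup'
$org   = 'CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com'
$containers = @(
    "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$org",
    "CN=Address Lists Container,$org",
    "CN=Recipient Policies,$org"
)

# Rights that would let the group change the objects or their ACLs,
# rather than only run the update tasks.
$broad = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|CreateChild|Delete'

foreach ($dn in $containers) {
    Get-ADPermission -Identity $dn -User $group |
        Where-Object { -not $_.Deny } |
        Select-Object @{Name='Container';  Expression={ $dn }},
            @{Name='Rights';     Expression={ "$($_.AccessRights)" }},
            @{Name='Extended';   Expression={ "$($_.ExtendedRights)" }},
            @{Name='Properties'; Expression={ "$($_.Properties)" }},
            IsInherited,
            @{Name='Review'; Expression={
                $r = "$($_.AccessRights)"
                if ($r -match $broad) {
                    'broad right'
                } elseif ($r -match 'WriteProperty' -and -not $_.Properties) {
                    # WriteProperty with no attribute list covers every attribute
                    'WriteProperty not limited to named attributes'
                } else {
                    ''
                }
            }} |
        Format-List
}
```

An empty Review column on every row means the group holds only the extended right and the write access to the two named attributes on these containers.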