Freeing up Exchange / AD admins

We'd like our helpdesk to be able to create Active Directory users (AD Win2k12r2) and Exchange mailboxes (Exchange 2013) without giving them Domain Admin and total Exchange Admin permissions.

If it could be automated as much as possible, great.

Any native software or 3rd-party software that can help, we'll take a look at.

We're trying to free up our AD/Exchange admins from the basic user setups.

Blake Long (Engineer) commented:
You can give users permissions to alter only certain parts of AD without giving them full domain admin rights.

Try this article and this article

Then, depending on what version of Windows your servers and desktops are running, you may be able to give the users you want to be able to do this access via Server Manager installed on the desktop.
You can assign delegate control to assign certain tasks within AD. See link below.

Delegate Control
Amit (IT Architect) commented:
Just add your helpdesk team to the account operator and recipient management groups in AD. That is enough rights to create, modify and remove a user or mailbox. No Domain Admin rights required.

If you use delegated rights, then you need to give them on every OU. I try to avoid delegating rights, as you will not be freed and the helpdesk will be calling you about rights issues again and again.
Will Szymkowski (Senior Solution Architect) commented:
I would NOT be adding your helpdesk staff to any default groups in Active Directory. It is better to create your own security groups, giving them meaningful names and delegating control over the OU where you want them to administer. Providing access to built-in groups is the "Lazy Man" way of configuring security and it is not a good practice.

As stated, delegate control to specific locations in Active Directory, because you might not want all of the help desk to have modify permissions on all of the OUs.

As for Exchange, Recipient Management is the best group to provide access to for creating/managing mailboxes within Exchange 2013. You can also create new Management Role Groups in Exchange 2013, which allow you to be more granular with permissions.

Default Groups (do not add)

Mail Recipient Role (another one you might want to look at)

Delegate Control Complete
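
Added example, not part of the original answers: one way to script the custom-group approach described above, delegating one OU to a dedicated security group and scoping an Exchange 2013 role group to the same OU. The domain, OU, group and role group names are hypothetical, and the Exchange cmdlets assume the script runs in the Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Hypothetical names throughout: adjust the OUs and group names to your environment.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=corp,DC=example,DC=com'    # OU the helpdesk may administer (assumed)
$groupsOu  = 'OU=Groups,DC=corp,DC=example,DC=com'   # where the delegation group lives (assumed)
$groupName = 'Helpdesk-UserProvisioning'             # custom group, not a built-in one
$roleGroup = 'Helpdesk Recipient Provisioning'       # custom Exchange role group (assumed name)
$principal = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $groupName

# 1. Dedicated universal security group (universal so Exchange accepts it as a member).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupCategory Security -GroupScope Universal -Path $groupsOu `
        -Description 'Delegated: create and manage users in the Staff OU only'
}

# 2. Delegate on the one OU only.
#    CCDC;user -> create/delete child objects of class user in this OU and below
#    GA;;user  -> full control over user objects beneath the OU
& dsacls.exe $ouDn /I:T /G "${principal}:CCDC;user" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting CCDC on $ouDn" }
& dsacls.exe $ouDn /I:S /G "${principal}:GA;;user" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting GA on user objects under $ouDn" }

# 3. Exchange: a custom role group with only the recipient roles, write scope
#    limited to the same OU instead of the organization-wide Recipient Management.
if (-not (Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroup `
        -Roles 'Mail Recipients', 'Mail Recipient Creation' `
        -Members $groupName `
        -RecipientOrganizationalUnitScope $ouDn
}

# 4. Audit what was granted, so the delegation can be reviewed later.
& dsacls.exe $ouDn | Select-String -SimpleMatch $groupName
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

Repeat step 2 for each additional OU the helpdesk should manage; the audit output in step 4 shows exactly which rights the group holds and where.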
Hi, how did you get on?
bernardb (Author) commented:
Thanks Experts! So sorry for the delay