Create a limited AD account for administering Active Directory and Exchange?

Yashy used Ask the Experts™
hi guys,

We're on a domain environment. Our Exchange is on 2010 Sp2 sitting on a Windows 2008 R2 server. Our AD server is on a separate Windows 2008 R2 server.

I would like to set up an administrator who can log  on to these servers and do the following:

1. Create, modify, delete AD accounts.
2. Reset user passwords and force password change at next logon
3. Unlock accounts.
4. Set up, modify and delete Exchange mailboxes.

I know that in AD, I can set up a new OU and then right click and select 'Delegate Control'. However, my main issue is setting something like the above up to have access to do administration of mailboxes on Exchange also (i.e. setting up and deleting of users/mailboxes).

Any ideas on how to do this please?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Yes you can delegate in AD... however in Exchange you have a role-based administration and I think being a Recipient Administrator will let you create, modify and delete user mailboxes, shared mailboxes and groups.

Look here for more info:
Joseph MoodyBlogger and wearer of all hats.
Building on Ben's comment, I would create a new security group in AD named something like "Account Administrators".

In AD, add the users needing the above permissions to this group. Then go through the delegation wizard in AD and assign that group these permissions. Add that group to the Recipient Administrators exchange role. Members of your Account Administrators group are then given all of the permissions they need and you can control membership easily!
AmitIT Architect
Distinguished Expert 2017
You need to add Admin to Account operator and Recipient Admin Group in AD.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial