Create a limited AD account for administering Active Directory and Exchange?

hi guys,

We're on a domain environment. Our Exchange is 2010 SP2 sitting on a Windows 2008 R2 server. Our AD server is on a separate Windows 2008 R2 server.

I would like to set up an administrator who can log on to these servers and do the following:

1. Create, modify, delete AD accounts.
2. Reset user passwords and force password change at next logon
3. Unlock accounts.
4. Set up, modify and delete Exchange mailboxes.

I know that in AD, I can set up a new OU and then right click and select 'Delegate Control'. However, my main issue is setting something like the above up to have access to do administration of mailboxes on Exchange also (i.e. setting up and deleting of users/mailboxes).

Any ideas on how to do this please?


Ben Hart commented:
Yes you can delegate in AD... however in Exchange you have a role-based administration and I think being a Recipient Administrator will let you create, modify and delete user mailboxes, shared mailboxes and groups.

Look here for more info:

Joseph Moody (Blogger and wearer of all hats) commented:
Building on Ben's comment, I would create a new security group in AD named something like "Account Administrators".

In AD, add the users needing the above permissions to this group. Then go through the delegation wizard in AD and assign that group these permissions. Add that group to the Recipient Administrators exchange role. Members of your Account Administrators group are then given all of the permissions they need and you can control membership easily!
Amit (IT Architect) commented:
You need to add the admin to the Account Operators and Recipient Admin groups in AD.
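The group-based approach Joseph describes, and the role-group membership Ben and Amit mention, can be scripted rather than clicked through the delegation wizard. The following is an added example, not code from the thread: it assumes the Active Directory PowerShell module (shipped with Windows Server 2008 R2) and the Exchange 2010 Management Shell are available on the machine it runs on, that the domain is the placeholder "corp.example" (NetBIOS "CORP"), and that the users to be managed sit in a placeholder OU named "Delegated Users". The Exchange 2010 role group that carries mailbox create/modify/remove rights is called "Recipient Management"; the example assumes that is the group the thread refers to as "Recipient Administrators". The dsacls rights grant exactly the four tasks in the question (create/delete users, reset password, force change at next logon via pwdLastSet, unlock via lockoutTime) plus write access to user attributes for "modify", and nothing domain-wide.

```powershell
# Added example (not from the original thread). Placeholders: corp.example / CORP,
# OU "Delegated Users", group "Account Administrators". Run as a Domain Admin who
# is also an Exchange Organization Management member, on a box with both shells.
Import-Module ActiveDirectory

$domainDn  = "DC=corp,DC=example"                  # placeholder domain DN
$ou        = "OU=Delegated Users,$domainDn"         # placeholder OU holding managed users
$groupName = "Account Administrators"
$groupSam  = "CORP\$groupName"                      # placeholder NetBIOS\group for dsacls

# 1. Make sure the OU and the security group exist. Rights go on the group,
#    never on individual admins, so membership is the only thing to review later.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ou'")) {
    New-ADOrganizationalUnit -Name "Delegated Users" -Path $domainDn
}
if (-not (Get-ADGroup -Filter "name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
                -GroupCategory Security -Path $ou `
                -Description "Delegated user-account and mailbox administrators"
}

# 2. AD delegation, scoped to the OU only. /I:T = this object and descendants,
#    /I:S = descendants only; the trailing ';user' limits each ACE to user objects.
& dsacls.exe $ou /I:T /G "${groupSam}:CCDC;user"                 # create/delete user objects
& dsacls.exe $ou /I:S /G "${groupSam}:RPWP;;user"                # read/write user attributes (modify)
& dsacls.exe $ou /I:S /G "${groupSam}:CA;Reset Password;user"    # reset password (extended right)
& dsacls.exe $ou /I:S /G "${groupSam}:WP;pwdLastSet;user"        # force password change at next logon
& dsacls.exe $ou /I:S /G "${groupSam}:WP;lockoutTime;user"       # unlock accounts

# 3. Exchange 2010 RBAC: membership of the Recipient Management role group grants
#    mailbox create/modify/remove without any Exchange server-level rights.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
Add-RoleGroupMember -Identity "Recipient Management" -Member $groupName

# 4. Put the delegated admins in the group, then show what was granted so the
#    result can be checked and kept with the change record.
Add-ADGroupMember -Identity $groupName -Members "helpdesk.admin"   # placeholder account
& dsacls.exe $ou | Select-String $groupName
Get-RoleGroupMember -Identity "Recipient Management"
```

Two things worth knowing before running this. First, Recipient Management is organisation-wide in Exchange 2010; if the delegated admins should only touch mailboxes in that OU, skip Add-RoleGroupMember and instead create a management scope with New-ManagementScope (using -RecipientRoot "corp.example/Delegated Users") and assign the "Mail Recipients" and "Mail Recipient Creation" roles to the group with New-ManagementRoleAssignment -CustomRecipientWriteScope. Second, the delegated admins still need a way to log on to the servers; membership of the built-in Account Operators group that Amit mentions gives that plus broader user-management rights across the domain, so prefer the scoped dsacls grants above and allow logon through the Exchange Management Console or remote PowerShell rather than interactive logon to the domain controller.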