Create a limited AD account for administering Active Directory and Exchange?
hi guys,
We're on a domain environment. Our Exchange is on 2010 Sp2 sitting on a Windows 2008 R2 server. Our AD server is on a separate Windows 2008 R2 server.
I would like to set up an administrator who can log on to these servers and do the following:
1. Create, modify, delete AD accounts.
2. Reset user passwords and force password change at next logon
3. Unlock accounts.
4. Set up, modify and delete Exchange mailboxes.
I know that in AD, I can set up a new OU and then right click and select 'Delegate Control'. However, my main issue is setting something like the above up to have access to do administration of mailboxes on Exchange also (i.e. setting up and deleting of users/mailboxes).
Any ideas on how to do this please?
Thanks
Yashy
We're on a domain environment. Our Exchange is on 2010 Sp2 sitting on a Windows 2008 R2 server. Our AD server is on a separate Windows 2008 R2 server.
I would like to set up an administrator who can log on to these servers and do the following:
1. Create, modify, delete AD accounts.
2. Reset user passwords and force password change at next logon
3. Unlock accounts.
4. Set up, modify and delete Exchange mailboxes.
I know that in AD, I can set up a new OU and then right click and select 'Delegate Control'. However, my main issue is setting something like the above up to have access to do administration of mailboxes on Exchange also (i.e. setting up and deleting of users/mailboxes).
Any ideas on how to do this please?
Thanks
Yashy
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Yes you can delegate in AD... however in Exchange you have a role-based administration and I think being a Recipient Administrator will let you create, modify and delete user mailboxes, shared mailboxes and groups.
Look here for more info: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html
Look here for more info: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html
Building on Ben's comment, I would create a new security group in AD named something like "Account Administrators".
In AD, add the users needing the above permissions to this group. Then go through the delegation wizard in AD and assign that group these permissions. Add that group to the Recipient Administrators exchange role. Members of your Account Administrators group are then given all of the permissions they need and you can control membership easily!
In AD, add the users needing the above permissions to this group. Then go through the delegation wizard in AD and assign that group these permissions. Add that group to the Recipient Administrators exchange role. Members of your Account Administrators group are then given all of the permissions they need and you can control membership easily!
Premium Content
You need an Expert Office subscription to comment.Start Free Trial