I am currently in the process of a delegation project for one of my customers running Exchange Server 2007. My customer requires that all service desk staff members have the ability to manage Exchange recipients but can make no other changes within Exchange. Part of the Recipient Management requires the service desk staff must have the ability to:
To grant Exchange Recipient Administrators the ability to change permissions on mailboxes they must have the ExtendedRights "ms-Exch-Store-Admin" in Active Directory on the Configuration Partition. This can be granted using the following powershell command:
Add-ADPermission -Identity "CN=Exchange Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -User "domain\Exchange Recipient Administrators" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All
Ensure you change the Exchange Org to reflect your Exchange org and the domain\ to reflect your domain's NetBIOS name.
If the permissions are not set right you will get an error similar to:
Domain\username
Failed
Error:
Failed to commit the change on object "a757e5a9-64e0-49cb-ac90-acda685c7f1c" because access is denied.
MapiExceptionNoAccess: Unable to set mailbox SecurityDescriptor. (hr=0x80070005, ec=-2147024891)
Exchange Management Shell command attempted:
Add-MailboxPermission -Identity 'CN=Domain User,OU=People,DC=domain,DC=local' -User 'DOMAIN\account.name' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
Failed to commit the change on object because access is denied.
Hope this post has been helpful.
- Manage Full Access Permission
- Manage Send As Permission
To grant Exchange Recipient Administrators the ability to change permissions on mailboxes they must have the ExtendedRights "ms-Exch-Store-Admin" in Active Directory on the Configuration Partition. This can be granted using the following powershell command:
Add-ADPermission -Identity "CN=Exchange Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -User "domain\Exchange Recipient Administrators" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All
Ensure you change the Exchange Org to reflect your Exchange org and the domain\ to reflect your domain's NetBIOS name.
If the permissions are not set right you will get an error similar to:
Domain\username
Failed
Error:
Failed to commit the change on object "a757e5a9-64e0-49cb-ac90-acda685c7f1c" because access is denied.
MapiExceptionNoAccess: Unable to set mailbox SecurityDescriptor. (hr=0x80070005, ec=-2147024891)
Exchange Management Shell command attempted:
Add-MailboxPermission -Identity 'CN=Domain User,OU=People,DC=domain,DC=local' -User 'DOMAIN\account.name' -AccessRights 'FullAccess'
Elapsed Time: 00:00:00
Failed to commit the change on object because access is denied.
Hope this post has been helpful.
No comments:
Post a Comment