Friday, July 25, 2008

Grant permission to change permission on mailboxes

To change mailbox permissions on Exchange 2003 mailboxes you must have the Exchange Full Administrator right. In many organizations only a few people have this right, but the need to change mailbox permissions is quite common; often the need is to give Full Mailbox Access to a user on a mailbox that is unmonitored.

And there we have a conflict: do we trust the helpdesk or a novice Exchange administrator with the Exchange Full Administrator permission? Probably not. So what can be done?

Luckily there is a way to grant the permission to change permission on mailboxes without being the big Exchange administrator, sort of.

Use Exchange Management Console, drill down to a mailbox database, right-click it, click Properties and select the Security tab. Add the helpdesk group and allow only Change Permission and Administer Information Store.
Change Permission inherits down to the mailboxes. The helpdesk group must also have Active Directory permission to manage the user accounts; this is done with normal AD delegation.
Unfortunately the helpdesk group must also have the Administer Information Store permission to get what we want. With this right they can also dismount and mount that database.
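Because Administer Information Store also allows dismounting the database, it is worth being able to see exactly who holds it on each store. The script below is an added example, not code from the original post: it reads the ACL of a mailbox store object from the Exchange configuration in Active Directory and resolves the GUIDs of extended rights (such as Administer Information Store) to their display names, so the delegation described above can be audited. It assumes a domain-joined machine with read access to the configuration partition; the default value of $StoreDN is a placeholder that must be replaced with the distinguishedName of your own mailbox store.

```powershell
# Added example (not from the original post): list the explicit and inherited
# ACEs on an Exchange 2003 mailbox store object, resolving extended-right GUIDs
# (e.g. "Administer information store") to readable names.
# Assumption: $StoreDN is a placeholder; replace it with your store's real DN.
param(
    [string]$StoreDN = "CN=Mailbox Store (SERVER),CN=First Storage Group,CN=InformationStore,CN=SERVER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com"
)

# Build a lookup table rightsGuid -> displayName from the Extended-Rights container,
# so that ObjectType GUIDs on the ACEs can be shown as names.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$rightsMap = @{}
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
$searcher.Filter = "(objectClass=controlAccessRight)"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("rightsGuid")
[void]$searcher.PropertiesToLoad.Add("displayName")
foreach ($result in $searcher.FindAll()) {
    $guid = ([string]$result.Properties["rightsguid"][0]).ToLower()
    $rightsMap[$guid] = [string]$result.Properties["displayname"][0]
}

# Read the store's security descriptor and report each ACE.
$store = [ADSI]"LDAP://$StoreDN"
$rules = $store.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($ace in $rules) {
    $rightName = $ace.ActiveDirectoryRights.ToString()   # e.g. WriteDacl = "Change Permission"
    if ($ace.ObjectType -ne [Guid]::Empty) {
        $key = $ace.ObjectType.ToString().ToLower()
        if ($rightsMap.ContainsKey($key)) { $rightName = $rightsMap[$key] }
    }
    New-Object PSObject -Property @{
        Identity  = $ace.IdentityReference.Value
        Access    = $ace.AccessControlType
        Right     = $rightName
        Inherited = $ace.IsInherited
    }
}
```

Run it as an account that can read the configuration partition and pipe the output to Format-Table or Export-Csv. Change Permission shows up as the standard WriteDacl right, while Administer Information Store is an extended right and is shown by its display name; any identity other than the intended helpdesk group and the Exchange administrators holding it deserves a closer look.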

Two links that help you understand things better.
http://support.microsoft.com/kb/329236
http://technet.microsoft.com/en-us/library/bb124053.aspx

This is not the ideal solution, but if there is a need for setting mailbox permission without being Full Exchange Administrator, this solution can help.

2 comments:

  1. For Exchange permissions granting I can recommend using a tool called Security Explorer for Exchange that provides an intuitive tree view of all security objects and allows easy managing as well as cloning and backup of security permissions that is unavailable with native tools.
