When you need to give a regional admin permissions so that he can create and delete mailboxes, distribution groups and so on, but only in his own regional storage groups (mailbox databases), you can use PowerShell or you can do it with the ADSIEDIT tool. Doing it in PowerShell is not very easy for someone just starting with the EMS. I used ADSIEDIT, and now I will show you what you need to add the appropriate permissions for a regional admin.
Over ADSIEDIT, yup. This is the path in ADSIEDIT in my domain.
So start "Run", type adsiedit.msc and press Enter :) (on Server 2003 it is included in the tools from the install CD; on Server 2008 it is part of the system).
configuration/cn=services/cn=microsoft exchange/cn="name of your exchange org."/cn=administrative groups/cn=exchange administrative group (FYDIBOHF23SPDLT)/cn=servers/cn="name of your exch. server"/cn=information store/"names of your storage groups"
For example, in my organization I have the storage groups SGRegionPR, SGRegionBR and SGRegionOS.
- I will add Full permissions (what you grant depends on your choice) for the security group "exadminbr", which will manage Exchange in Region-BR, on the storage group "SGRegionBR". To be able to create and delete mailboxes (not move them), the following are enough: "access recipient update services", "administer information store", "read" and "list contents".
- I set a Deny on all permissions for the "exadminbr" group on the other storage groups, because I do not want the regional admin from BR to be able to see the other storage groups and their details.
- I set the "administer information store" permission for the "exadminbr" group on cn=exchange administrative group (FYDIBOHF23SPDLT). Do you know what that name means? :) Shift every character back by one: F-E, Y-X, C-D, H-I, A-B, N-O, G-H, E-F, 23-12, R-S, O-P, C-D, K-L, S-T = EXCHANGE12ROCKS. Funny.
You do not have to delegate these permissions to child objects! In the Security tab do not use the Advanced button; just add the group "exadminbr" and tick the "administer information store" permission.
- I set the "access recipient update services" permission for the "exadminbr" group on cn=exchange administrative group (FYDIBOHF23SPDLT). Alternatively you can add the permission on cn=servers: use the Advanced button in the Security tab to add the permission and delegate it to child objects.
- I set the "list contents" permission for "exadminbr" on cn="name of your exchange org": use the Advanced button in the Security tab to add the permission and delegate it to child objects.
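For those who prefer the Exchange Management Shell after all, here is the same set of ACL changes as an added example. This is my own script, not something from the post above or from Microsoft; it assumes Exchange 2007 EMS cmdlets (Get-StorageGroup, Add-ADPermission, Get-ADPermission), placeholder names for the domain and server, and that the LDAP extended-right names "ms-Exch-Store-Admin" and "ms-Exch-Recipient-Update-Access" correspond to the "administer information store" and "access recipient update services" labels in the Security tab. Check those names with Get-ADPermission on an object you already configured by hand before running it in production.

```powershell
# Added example: EMS equivalent of the ADSIEDIT steps for a regional admin group.
# Placeholders (assumptions, not values from the post): the domain prefix and server name.
$Group    = 'CONTOSO\exadminbr'   # regional admin security group (placeholder domain)
$RegionSG = 'SGRegionBR'          # the storage group this group is allowed to manage
$Server   = 'EXCHSRV01'           # placeholder name of the Exchange server

# Build the DNs of the org, the administrative group and the Servers container
# from the organization object instead of typing them by hand.
$orgDN      = (Get-OrganizationConfig).DistinguishedName
$adminGrpDN = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$orgDN"
$serversDN  = "CN=Servers,$adminGrpDN"

# Assumed LDAP names of the two extended rights used in the post.
$StoreAdmin = 'ms-Exch-Store-Admin'              # "administer information store"
$RusAccess  = 'ms-Exch-Recipient-Update-Access'  # "access recipient update services"

# 1. On the regional storage group: read, list contents and the two extended rights.
$sg = Get-StorageGroup -Server $Server | Where-Object { $_.Name -eq $RegionSG }
Add-ADPermission -Identity $sg.DistinguishedName -User $Group `
    -AccessRights GenericRead, ListChildren `
    -ExtendedRights $StoreAdmin, $RusAccess

# 2. On every other storage group of the server: deny everything, so they stay invisible.
#    Deny ACEs win over allows, so put them only on the storage groups, never higher up.
Get-StorageGroup -Server $Server | Where-Object { $_.Name -ne $RegionSG } | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User $Group -AccessRights GenericAll -Deny
}

# 3. "administer information store" on the administrative group, this object only (no inheritance).
Add-ADPermission -Identity $adminGrpDN -User $Group -ExtendedRights $StoreAdmin -InheritanceType None

# 4. "access recipient update services" on cn=Servers, inherited by child objects.
Add-ADPermission -Identity $serversDN -User $Group -ExtendedRights $RusAccess -InheritanceType All

# 5. "list contents" on the organization, inherited by child objects.
Add-ADPermission -Identity $orgDN -User $Group -AccessRights ListChildren -InheritanceType All

# Verify: show what the group ended up with on each storage group (look for Deny = True on the foreign ones).
Get-StorageGroup -Server $Server | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName -User $Group |
        Select-Object Identity, AccessRights, ExtendedRights, Deny, IsInherited
}
```

The verification loop at the end is the part I would not skip: after the deny entries are in place, a quick Get-ADPermission per storage group confirms the regional group sees exactly one storage group with allows and Deny = True everywhere else, which is what the ADSIEDIT steps above are meant to achieve.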