When you need to add permissions for a regional admin, who should be able to create and delete mailboxes, distribution groups… only in their regional storage groups (mailbox databases), you can use PowerShell or you can do it with the ADSIEDIT tool. Doing it in PowerShell is not so easy for someone just starting with EMS. I used the ADSIEDIT tool, and now I will show you what you need to add the appropriate permissions for a regional admin.
Over ADSIEDIT 🙂 yup
This is the path in ADSIEDIT in my domain.
So start „run.exe“, type adsiedit.msc and press Enter :) (it is included in the standard tools on the Server 2003 install CD; Server 2008 includes it with the system)
configuration/cn=services/cn=microsoft exchange/cn=„name of your exchange org.“/cn=Administration groups/cn=exchange administration group(FYDIBOHF23SPDLT)/cn=servers/cn=„name of your exch. server“/cn=information store/„names of your storage groups“
For example, in my organization I have the storage groups SGRegionPR, SGRegionBR and SGRegionOS.
- I will add Full permissions (it depends on your choice) for the security group „exadminbr“, which will manage Exchange in Region-BR, on the storage group „SGRegionBR“. „access recipient update services“, „administer information store“, „read“ and „list content“ will be enough to be able to create and delete mailboxes (not move them).
- I set a Deny All permission for the „exadminbr“ group on the other storage groups, because I do not want the regional admin from BR to be able to see the other storage groups and their details.
- I set the permission „administer information store“ for the „exadminbr“ group on cn=exchange administration group(FYDIBOHF23SPDLT). Do you know what that name means? :) E-f, X-y, C-d, H-i, A-b, N-o, G-h, E-f, 12, R-s, O-p, C-d, K-l, S-t = EXCHANGE12ROCKS 🙂 funny
You do not have to delegate these permissions to child objects! In the Security tab do not use the Advanced button; just add the group „exadminbr“ and tick the „administer information store“ permission.
- I set the permission „access recipient update services“ for the „exadminbr“ group on cn=exchange administration group(FYDIBOHF23SPDLT), or you can add the permission on cn=servers; use the Advanced button in the Security tab to add the permission and delegate it to child objects.
- I set the permission „list content“ for „exadminbr“ on cn=„name of your exchange org“; use the Advanced button in the Security tab to add the permission and delegate it to child objects.
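The same delegation done from the Exchange Management Shell, as an added example that is not part of the original post: it assumes the group and storage-group names from above, a made-up domain CONTOSO and server EXCH01, and that the ADSIEDIT labels „administer information store“ and „access recipient update services“ correspond to the schema extended rights ms-Exch-Store-Admin and ms-Exch-Recipient-Update-Access. It finishes with an audit loop so you can confirm the Deny entries on the other regions really landed.

```powershell
# Added example, not from the original post. Assumed names: group exadminbr
# in domain CONTOSO, server EXCH01 (made up), storage groups as in the post.
# Extended-right schema names are assumed to match the ADSIEDIT labels
# "administer information store" / "access recipient update services".
$Group      = "CONTOSO\exadminbr"
$Server     = "EXCH01"
$OwnSG      = "SGRegionBR"
$OtherSGs   = @("SGRegionPR", "SGRegionOS")
$StoreAdmin = "ms-Exch-Store-Admin"              # administer information store
$RusAccess  = "ms-Exch-Recipient-Update-Access"  # access recipient update services

$orgDn      = (Get-OrganizationConfig).DistinguishedName
# The container is named "Administrative Groups" in the directory
$adminGrpDn = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT)," +
              "CN=Administrative Groups,$orgDn"

# 1. Own region: the four rights needed to create/delete (not move) mailboxes
$ownDn = (Get-StorageGroup "$Server\$OwnSG").DistinguishedName
Add-ADPermission -Identity $ownDn -User $Group `
    -ExtendedRights $StoreAdmin, $RusAccess `
    -AccessRights ReadProperty, ListChildren

# 2. Other regions: explicit Deny so their storage groups stay invisible
foreach ($sg in $OtherSGs) {
    $dn = (Get-StorageGroup "$Server\$sg").DistinguishedName
    Add-ADPermission -Identity $dn -User $Group -AccessRights GenericAll -Deny
}

# 3. Administrative group: store admin on this object only (no inheritance)
Add-ADPermission -Identity $adminGrpDn -User $Group `
    -ExtendedRights $StoreAdmin -InheritanceType None

# 4. Administrative group: RUS access, inherited by child objects
Add-ADPermission -Identity $adminGrpDn -User $Group `
    -ExtendedRights $RusAccess -InheritanceType All

# 5. Organization object: list content, inherited by child objects
Add-ADPermission -Identity $orgDn -User $Group `
    -AccessRights ListChildren -InheritanceType All

# Audit: show what exadminbr actually holds on every storage group.
# Any Allow entry on a foreign region means the Deny above is missing.
foreach ($sg in @($OwnSG) + $OtherSGs) {
    $dn = (Get-StorageGroup "$Server\$sg").DistinguishedName
    Get-ADPermission -Identity $dn -User $Group |
        Select-Object @{n="StorageGroup"; e={$sg}}, Deny,
                      AccessRights, ExtendedRights, IsInherited
}
```

Run it in an elevated EMS session as an Exchange Organization Administrator; the audit output is what you compare against the ADSIEDIT Security tab.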