Exchange 2007 Split Permissions
During the migration/centralisation project I’ve been involved in recently, one of our challenges was delegation of Exchange object management on a per-site or per-country level.
Our goal was to allow local IT teams at each site to create and manage user mailboxes and distribution groups, without having the ability to affect users at other sites and also allowing for centralised management of hardware, backups etc. Now Exchange 2007 doesn’t cater for this permission model out-of-the-box. This type of permissions configuration is referred to as a ‘split permissions’ model.
The Exchange Management Shell allows granular control of permissions at both the AD and Mailbox level. Initial investigation led me to the following command for user management:
Remove-ADPermission -Identity “OU=DE,DC=mydom,DC=com” -User “MYDOM\DE Mailbox Admins” -AccessRights ReadProperty, WriteProperty -Properties Exchange-Information, Exchange-Personal-Information, legacyExchangeDN, displayName, adminDisplayName, displayNamePrintable, publicDelegates, garbageCollPeriod, textEncodedORAddress, showInAddressBook, proxyAddresses, mail
Users of the DE Mailbox Admins group were also granted rights to Create and Delete User Objects on the “OU=DE,DC=mydom,DC=com” container and all sub-containers.
This however did not provide management of Distribution Groups. In order to achieve this the following shell command is necessary:
ADPermission -Identity “OU=DE,DC=mydom,DC=com” -User “MYDOM\DE Mailbox Admins” -AccessRights GenericAll -ChildObjectTypes msExchDynamicDistributionList
The Exchange Management Tools come with a script which integrates the above commands into a single command:
ConfigureSplitPerms.ps1 -user “DE Mailbox Admins” -identity “OU=DE,DC=mydom,DC=com”
Finally, the only remaining permission required in our environment was the delegation of Public Folder administrative rights. Again, the following shell command can be used to delegate these on a public folder and all of its sub-folders:
Get-PublicFolder “\DE\” –recurse | Add-PublicFolderAdministrativePermission -User “DE Mailbox Admins” -AccessRights AllExtendedRights -Inheritance SelfAndChildren
Update 12/01/2010: In order to delegate the “Manage Full Mailbox Access” and “Manage Send As Permissions” use the following ExchangeShell command:
Add-ADPermission -identity (Get-MailboxDatabase “
\ \ “).distinguishedName -user “” -ExtendedRights ms-Exch-Store-Admin