Thanks,

I was thinking of perhaps a .asp approach, but I like the idea of letting the RUS do its stuff, so I will give this a few kicks. By URL to the home MDB I assume you mean this

CN=Mailbox Store 5 (Test-SRV1),CN=Second Storage Group (Test-SRV1),CN=InformationStore,CN=Test-SRV1,CN=Servers,CN=EC,CN=Administrative Groups,CN=LAB,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=testlab,DC=local;

?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: May 18, 2005 10:55 AM
To: [email protected]
Subject: RE: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange
Depending on what documentation you read, MS does not support mailbox enabling of users outside of the GUI or CDOEXM interfaces, both of which require Exchange View Access.

That being said... Let me tell you how to do it without Exchange View Access, at least on Exchange 2003.

I have found that you truly only need to set a couple of attributes on a user to get the RUS to kick in and mailbox enable a user. You have to set mailNickname and one of the following three attributes (homeMTA, homeMDB, msExchHomeServerName). The RUS will take it from there.

From the sound of it, you will want to set mailNickname and homeMDB so you can specify the exact store. Note you need to know the URL of the store; that is what the Exchange View Access is used to figure out.

So short and sweet, delegate

WP mailNickname
WP homeMDB

and have at it.

If you fill out those two attributes, the RUS should "kick in" and mailbox enable the object.

joe
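One way to script what joe describes, added here as an example that is not part of the thread and not anything joe or David posted: delegate Write Property on just the two attributes, then write mailNickname and homeMDB through plain ADSI and let the RUS stamp the rest. The OU, the service-desk group, the store label, the function name Enable-MailboxViaRus and the alias check are all my assumptions; the store DN follows the shape David quotes, with the same lab placeholders. The thread predates PowerShell, and the same Put/SetInfo calls exist in VBScript.

```powershell
# Added example (not from the thread): provision a mailbox-enabled user by writing only
# mailNickname and homeMDB, as joe describes, and letting the RUS do the rest.
# All DNs, names and group names below are constructed lab placeholders; replace them.

# --- One-time delegation (run as a domain admin) ---------------------------------
# Grant the service-desk group Write Property on exactly the two attributes joe names,
# scoped to user objects under the OU the provisioning script works in.
# /I:S = apply to sub-objects only; WP;<attr>;user = write that property on user objects.
$ou    = 'OU=Staff,DC=testlab,DC=local'     # assumption: where new users are created
$group = 'TESTLAB\ServiceDesk'               # assumption: delegated helpdesk group
dsacls $ou /I:S /G "${group}:WP;mailNickname;user"
dsacls $ou /I:S /G "${group}:WP;homeMDB;user"

# --- Store selection --------------------------------------------------------------
# Keep the stores the helpdesk may pick from in the script, keyed by a short label,
# so operators never type a DN and cannot point a user at an arbitrary store.
# DN shape is the one quoted in the thread; server/group/store names are placeholders.
$AllowedStores = @{
  'SG2-Store5' = 'CN=Mailbox Store 5 (Test-SRV1),CN=Second Storage Group (Test-SRV1),CN=InformationStore,CN=Test-SRV1,CN=Servers,CN=EC,CN=Administrative Groups,CN=LAB,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=testlab,DC=local'
}

function Enable-MailboxViaRus {
  param(
    [Parameter(Mandatory)] [string] $UserDn,      # DN of an existing AD user
    [Parameter(Mandatory)] [string] $Alias,       # becomes mailNickname
    [Parameter(Mandatory)] [string] $StoreLabel   # key into $AllowedStores
  )
  if (-not $AllowedStores.ContainsKey($StoreLabel)) {
    throw "Unknown store label '$StoreLabel'; allowed: $($AllowedStores.Keys -join ', ')"
  }
  # Conservative alias check (my assumption): no spaces or address specials in mailNickname.
  if ($Alias -notmatch '^[A-Za-z0-9._-]{1,64}$') {
    throw "Alias '$Alias' is not an acceptable mailNickname"
  }

  # Plain ADSI writes; nothing here needs CDOEXM or Exchange View-Only Administrators.
  $user = [ADSI]"LDAP://$UserDn"
  $user.Put('mailNickname', $Alias)
  $user.Put('homeMDB', $AllowedStores[$StoreLabel])
  $user.SetInfo()

  # Read back what was written. The RUS fills in the remaining Exchange attributes
  # (proxyAddresses and friends) asynchronously on its next pass, so do not expect
  # them immediately after SetInfo().
  $user.RefreshCache(@('mailNickname', 'homeMDB'))
  [pscustomobject]@{
    UserDn       = $UserDn
    mailNickname = $user.Properties['mailNickname'].Value
    homeMDB      = $user.Properties['homeMDB'].Value
  }
}

# Usage (placeholders):
# Enable-MailboxViaRus -UserDn 'CN=Jane Doe,OU=Staff,DC=testlab,DC=local' `
#                      -Alias 'jdoe' -StoreLabel 'SG2-Store5'
```

The allow-list answers David's store-selection question at the same time: the operator's account only ever holds WP on two attributes, and the script, not the operator, decides which store DN goes into homeMDB, so a typo or a deliberate edit cannot land a mailbox on an unintended server.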
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frost, David: #CIO-BPI
Sent: Wednesday, May 18, 2005 10:09 AM
To: [email protected]
Subject: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange
I have a scenario I need to explore where the ability to create and modify the AD user account and associated Exchange (2003) mailbox creation is delegated out to 1st and 2nd line service desk personnel. It is not desirable to have 1 and 2 LS staff using native tools such as ADUC or Exchange System Manager. I have been able to successfully lock down the AD account creation permissions and script the process in such a way to reduce the possibility of data entry errors and provide consistent data.

The sticky issue comes with the requirement to have the Exchange mailbox assigned. It appears from most of the reading I have done, the users who create the mailbox enabled user account must be a member of Exchange View-only Administrators. This is even less desirable than allowing them to use ADUC or ESM. Then there is the issue of assigning the new user to the correct Exchange server/storage group/mailbox store to ensure proper loading.

So my questions:

Is there a way to script the creation of a mailbox enabled user account in such a way as to not use ADUC and/or ESM AND not be a member of Exchange View-only admins? How to handle the Server/Storage Group/Mailbox Store selection?

Is there a COTS tool for (simple) account provisioning that a) is "cheap and cheerful", b) does not require either a full blown meta-directory or connection to an HR system be implemented (see point a); that will allow for service desk operators to create and manage user accounts?

David Frost
Directory Engineering - Messaging Directories and PKI
Industry Canada
(613) 957-8442
email [EMAIL PROTECTED]
