Because, by default, the AO does not have permissions over Exchange
attributes.

These need to be assigned separately.

Rick


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 10:25 AM
To: [email protected]
Subject: Re: [ActiveDir] account operators

I plan on getting rid of it.

My question is really for my own knowledge.
If homeMDB and mailNickname are parts of a user attrib and AO has full
control on that user by default, why can't they set a mailbox via
ADUC? I guess ADUC uses CDOEXM?

Also, is it a good idea not to use Backup Operators and the other
Builtin groups?
Thanks

On 8/11/05, joe <[EMAIL PROTECTED]> wrote:
> Strictly speaking, anyone who has the ability to set mailNickname and
> homeMDB can create a mailbox. However... It depends on the tool being used.
> Most tools, especially anything that uses CDOEXM or emulates CDOEXM
> explicitly, will require Exchange View access to look up the homeMDB URL. If
> you use LDIF or admod or anything else that can directly update those
> attributes mentioned above, you are good to go.
> 
> That being said, while you are new and making changes, take away account op
> rights. It is a pain to clean up later and you run into issues with
> adminsdholder when people try to reset each other's passwords etc. Acc Ops is
> there simply for the migration from NT to AD. After that you should go to
> delegated IDs.
> 
>   joe
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 10:57 AM
> To: [email protected]
> Subject: Re: [ActiveDir] account operators
> 
> I thought AO had complete rights to the user object which would include
> Exchange attribs.
> I guess they still need rights to the store?
> Is that it?
> Thanks
> 
> On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > I expect they lack Exchange View Only Admin permissions (or higher).
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Thursday, August 11, 2005 8:27 AM
> > To: activedirectory
> > Subject: [ActiveDir] account operators
> >
> > Is there any reason an account operator could create a user but not a
> > mailbox for that user?
> >
> > Thanks
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
>
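
The thread notes that LDIF, or any tool that writes mailNickname and homeMDB directly, can create a mailbox without going through CDOEXM, so LDIF change files are worth reviewing for those writes. The Python below is an added example, not part of the thread: it unfolds and parses LDIF change records and reports which DNs get either attribute set. The function names, the sample record and its DNs are constructed for illustration.

```python
import base64

# Per the thread, writing these two attributes directly is enough to create a mailbox.
MAILBOX_ATTRS = {"mailnickname", "homemdb"}

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return text.replace("\r\n", "\n").replace("\n ", "").split("\n")

def parse_value(line):
    """Split 'attr: v' or 'attr:: <base64>' into (lowercased attr, decoded v)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr.strip().lower(), rest.strip()

def mailbox_writes(ldif_text):
    """Return {dn: attrs} for records that add or replace mailNickname / homeMDB."""
    hits, dn, ctype, op_attr = {}, None, None, None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = ctype = op_attr = None      # blank line ends the record
        elif line == "-":
            op_attr = None                   # end of one modify operation
        elif not line.startswith("#"):
            attr, value = parse_value(line)
            if attr == "dn":
                dn = value
            elif attr == "changetype":
                ctype = value.lower()
            elif ctype == "modify" and attr in ("add", "replace"):
                op_attr = value.lower()      # attribute this operation writes
            elif dn and attr in MAILBOX_ATTRS and (ctype == "add" or attr == op_attr):
                hits.setdefault(dn, set()).add(attr)
    return hits

# Constructed sample change record; all names and DNs are placeholders.
SAMPLE = """dn: CN=Test User,OU=Staff,DC=example,DC=com
changetype: modify
replace: mailNickname
mailNickname: tuser
-
replace: homeMDB
homeMDB: CN=Mailbox Store,CN=InformationStore,
 CN=EX01,DC=example,DC=com
-
"""

if __name__ == "__main__":
    print(mailbox_writes(SAMPLE))
```
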