I agree that you can't delete mailboxes with WP to userAccountControl. However, you don't need store access to delete mailboxes, or more accurately to disconnect them. You do need store access (admin rights on the Exchange server) to purge a mailbox.
 
To delegate deletion of mailboxes you simply delegate WP to the list of all Exchange attributes that can be applied to a user object. While the GUI/CDOEXM may give you crap about it, a simple LDAP write will work (which is what ExchMbx uses for the -clear option).
 
You also don't need store or Exchange Admin (any level rights) to create a mailbox; having access to about 2 attributes in AD is all that is required. But again, GUI/CDOEXM will complain. The next version of ExchMbx should have that functionality implemented to work with only those two attributes being delegated.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, December 06, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

No, useraccountcontrol mainly holds the fields you see in the checkboxes of the account tab, such as logon with smartcard, must not change password and so on.

 

You cannot delegate deletion of mailboxes in AD only, you also need to give rights in the Exchange store as well.

 

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:   http://mvp.support.microsoft.com/profile=


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, December 06, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

 

Man, read/write to useraccountcontrol seems to enable a user to delete a mailbox too.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 06, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

 

read/write permission on the useraccountcontrol attribute of the user object.

 

HOWEVER...

the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want.

 

Cheers,

Jorge


 


From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me…or rather me failing Google
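
The point made in the thread, that write access to userAccountControl covers every flag in the attribute and not only the disabled bit, can be checked after the fact. The following is an added example, not part of the original thread: it compares a before/after userAccountControl value and reports any flag change other than ACCOUNTDISABLE. The flag table is a subset of the documented bits; the allowed-mask policy, function names and sample values are assumptions constructed for illustration.

```python
# Added example: audit userAccountControl changes made by a delegate who was
# only meant to enable/disable accounts. Subset of the documented flag bits.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = sum(UAC_FLAGS)
# Assumed policy: the delegate may toggle the disabled bit and nothing else.
ALLOWED_MASK = 0x00000002


def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def audit_change(old, new, allowed_mask=ALLOWED_MASK):
    """Describe which flags changed and whether any fall outside the policy."""
    changed = old ^ new
    flags = sorted(UAC_FLAGS.items())
    return {
        "set": [n for b, n in flags if changed & b and new & b],
        "cleared": [n for b, n in flags if changed & b and old & b],
        "unknown_bits": changed & ~KNOWN_MASK,   # bits not in the table above
        "violation": (changed & ~allowed_mask) != 0,
    }


if __name__ == "__main__":
    # Constructed before/after pairs, as they might be read from change logs.
    samples = [(0x200, 0x202), (0x202, 0x10220), (0x200, 0x400200)]
    for old, new in samples:
        print(hex(old), "->", hex(new), audit_change(old, new))
```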
