He can't modify the active directory attributes on an object that he doesn't have write access to. :-)
Yes! That is the paper. Regards, Michael B. Smith MCSE/Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: Kurt Buff [mailto:[EMAIL PROTECTED] Sent: Friday, March 21, 2008 2:16 PM To: NT System Admin Issues Subject: Re: Granting rights to services on a DC, etc. On Fri, Mar 21, 2008 at 10:58 AM, Michael B. Smith <[EMAIL PROTECTED]> wrote: > Sorry, it's been a busy couple of weeks. > > If you give him (or preferentially, a group that you create and make him a > member of) FC on the OU where you want him to be able to do these things, he > can make the modifications that he wants, and only affect that OU. There is > a white paper, named something like "Exchange 2003 Active Directory > Permissioning Model" that can tell you the PRECISE rights that must be > granted, if that is of concern. > > Putting the DHCP server service on the Exchange server should be fine, as > long as he is the admin of both; and that server isn't a DC. He'll need to > be a local admin on that box, a member of "Exchange Administrators", and a > member of "DHCP Administrators". This sounds suspiciously like he'll be able to manage mailboxes/DLs/contacts on other Exchange servers as well - however, I think I need to read that paper to find out. All answers don't *have* to come from you, Michael, but I do appreciate what you add to the list. Is this what you're referring to? "Working with Active Directory Permissions in Microsoft Exchange Server 2003" http://www.microsoft.com/downloads/details.aspx?familyid=0954b157-5add-48b8- 9657-b95ac5bfe0a2&displaylang=en Thanks! Kurt ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
