Being local administrator on the Exchange server allows him to do things
like install Exchange service packs and deal with service restarts, etc. In
Exchange 2007, it's extended even more that way ('cuz they got rid of admin
groups, you know).

The "Exchange administrator" piece lets him change things in ESM.

The read/write in A/D lets him change the objects he has control under.

It is a number of security pieces all working together...

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Friday, March 21, 2008 2:28 PM
To: NT System Admin Issues
Subject: Re: Granting rights to services on a DC, etc.

Ah - so, if he's not a local administrator on a remote Exchange box,
or the OU in which the objects reside
(mailboxes/accounts/DLs/contacts/etc.) hasn't been delegated to him,
he can't do anything with them, besides viewing them like any other
random user.

That's nice. I like that.

On Fri, Mar 21, 2008 at 11:23 AM, Michael B. Smith <[EMAIL PROTECTED]> wrote:
> He can't modify the active directory attributes on an object that he doesn't
> have write access to. :-)
>
> Yes! That is the paper.
>
> Regards,
>
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 21, 2008 2:16 PM
> To: NT System Admin Issues
> Subject: Re: Granting rights to services on a DC, etc.
>
> On Fri, Mar 21, 2008 at 10:58 AM, Michael B. Smith
> <[EMAIL PROTECTED]> wrote:
> > Sorry, it's been a busy couple of weeks.
> >
> > If you give him (or preferentially, a group that you create and make him a
> > member of) FC on the OU where you want him to be able to do these things, he
> > can make the modifications that he wants, and only affect that OU. There is
> > a white paper, named something like "Exchange 2003 Active Directory
> > Permissioning Model" that can tell you the PRECISE rights that must be
> > granted, if that is of concern.
> >
> > Putting the DHCP server service on the Exchange server should be fine, as
> > long as he is the admin of both; and that server isn't a DC. He'll need to
> > be a local admin on that box, a member of "Exchange Administrators", and a
> > member of "DHCP Administrators".
>
> This sounds suspiciously like he'll be able to manage
> mailboxes/DLs/contacts on other Exchange servers as well - however, I
> think I need to read that paper to find out.
>
> All answers don't *have* to come from you, Michael, but I do
> appreciate what you add to the list.
>
> Is this what you're referring to?
>
> "Working with Active Directory Permissions in Microsoft Exchange Server 2003"
>
> http://www.microsoft.com/downloads/details.aspx?familyid=0954b157-5add-48b8-9657-b95ac5bfe0a2&displaylang=en
>
> Thanks!
>
> Kurt

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
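
The thread's point is that write access on the OU is what actually bounds a delegated admin, so it is worth checking who holds change-capable ACEs on that OU. The following is an added example, not part of the original messages; it assumes the RSAT ActiveDirectory PowerShell module, and the OU distinguished name, domain and group names are placeholders.

```powershell
# Added example: list Allow ACEs on one OU that let a principal change objects,
# and flag any principal that is not on the expected list.
# The OU DN and group names below are placeholders, not values from the thread.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Pure "change" bits only. GenericWrite is left out on purpose: it contains
# ReadControl, so masking with it would also match read-only ACEs.
# GenericAll (full control) contains every bit below, so it is still caught.
$ChangeRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'

function Get-OuChangeAce {
    param(
        [Parameter(Mandatory = $true)] [string] $OuDistinguishedName,
        [string[]] $ExpectedPrincipal = @()
    )
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        # Deny ACEs cannot grant anything; skip them.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Keep only ACEs that carry at least one change-capable right.
        if (([int]$ace.ActiveDirectoryRights -band [int]$ChangeRights) -eq 0) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited   # inherited ACEs come from a parent container
            Expected  = $ExpectedPrincipal -contains $ace.IdentityReference.Value
        }
    }
}

# Report only the principals nobody intended to delegate to.
Get-OuChangeAce -OuDistinguishedName 'OU=BranchOffice,DC=example,DC=com' `
    -ExpectedPrincipal 'EXAMPLE\Branch-OU-Admins', 'EXAMPLE\Domain Admins', 'NT AUTHORITY\SYSTEM' |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize
```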
