If all the users are in the OU "User Accounts" and the domain is domain.local then the command will be this:
    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=User Accounts,DC=domain,DC=local"

If you have your users in various OUs, then you will need to repeat the command for each OU. If your domain is three levels, such as domain.co.uk, then you would do DC=domain,DC=co,DC=UK

If you have your users in the default "Users" container, then the command will be

    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=domain,DC=local"

If you are confident enough to use adsiedit, then you can see the full path in there, and copy it out.

The permissions are now configured at this level because of the changes to the security settings in Exchange 2010. With older versions you set it at a per server or per database level - of course the databases no longer belong to a specific server, so the permissions have to be configured in a different way.

Simon.

--
Simon Butler
MVP: Exchange, MCSE
Sembee Ltd.
e: [email protected]
w: http://www.sembee.co.uk/
w: http://www.amset.info/
w: http://blog.sembee.co.uk/

-----Original Message-----
From: Joseph Heaton [mailto:[email protected]]
Sent: 15 September 2010 21:35
To: NT System Admin Issues
Subject: BES install question

Doing pre-installation tasks for BES and Exchange 2010. I've created the BESAdmin mailbox, and I'm now configuring the Exchange 2010 permissions. It's asking me to type one of the following commands within the Exchange Management Shell. I'm not sure what exactly the commands are trying to do, so I'm not sure how to fill in the blanks. Can someone take a look and help me?

Do one of the following:

a) To set the permissions at the organizational unit level, type

    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=<organizational unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.

b) To set the permissions at the common name level, type

    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=<common_name>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.

If I'm correct, these commands set up who can Send As the BESAdmin account, correct? The documentation doesn't explain it, and I need to know exactly, so I know what to put in as <organizational unit> or <common_name>.

Thanks,

Joe Heaton
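
Added example, not part of the original thread or of the BES documentation: the per-container procedure from the reply above as one Exchange Management Shell script that builds each distinguished name from the DNS domain, adds the Send-As entry for BESAdmin on user objects below each container, and then lists every principal holding Send-As there for review. The helper ConvertTo-DomainDN and the values in $DnsDomain and $Containers are assumptions made for illustration.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010, PowerShell 2.0 syntax).
# $DnsDomain and $Containers are constructed sample values; substitute your own.
$DnsDomain  = 'domain.co.uk'
$Containers = @('OU=User Accounts', 'CN=Users')   # relative DNs that hold the users
$Account    = 'BESAdmin'

# Hypothetical helper: domain.co.uk -> DC=domain,DC=co,DC=uk
function ConvertTo-DomainDN {
    param([Parameter(Mandatory = $true)][string]$DnsName)
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

$domainDN = ConvertTo-DomainDN -DnsName $DnsDomain

foreach ($rdn in $Containers) {
    $dn = "$rdn,$domainDN"

    # Is an allow entry for Send-As already present for this account?
    $existing = Get-ADPermission -Identity $dn -User $Account |
        Where-Object { ($_.ExtendedRights -like 'Send-As') -and (-not $_.Deny) }

    if (-not $existing) {
        # Same command as in the thread, run once per container.
        Add-ADPermission -Identity $dn -User $Account -ExtendedRights Send-As `
            -InheritedObjectType User -InheritanceType Descendents
    }

    # Review every principal that holds Send-As at this level, not just BESAdmin.
    Get-ADPermission -Identity $dn |
        Where-Object { $_.ExtendedRights -like 'Send-As' } |
        Select-Object Identity, User, Deny, IsInherited, InheritanceType, InheritedObjectType |
        Format-Table -AutoSize
}
```

Because the entry is inherited by every user object below the container, the review output is the place to confirm that BESAdmin is the only unexpected-looking principal with Send-As over those accounts.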
