Mark Minasi's Tech Forum
Register Calendar Latest Topics Chat
 
MR&D, Home of Mark Minasi > Categories > Exchange > Permissions on Accounts
 
 


Reply
  Author   Comment  
Phil-n-JaxFL

Avatar / Picture

Grumpy Old Men
Registered:
Posts: 74
Posted Reply with quote  #1 
I have a customer who has several important users and they want only one technician who can set send as and full access on these mailboxes. I cannot find how to do this. 
Anyone have any idea?
Thanks.
__________________
Phil
0
DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 69
Posted Reply with quote  #2 
Is that technician the only Exchange administrator?

This is Exchange, correct? What version?

Are there other Exchange admins that the company does NOT want to be able to manage these mailboxes?
0
cj_berlin

Avatar / Picture

Senior Member
Registered:
Posts: 176
Posted Reply with quote  #3 
Phil,

the complexity of the solution will depend on

1. how many admins of any kind there are
2. how paranoid the customer really is

Basically, on the Exchange side of things and assuming that we are talking at least Exchange 2010 here, you will need to define scoped administrative roles excluding those VIP mailboxes from scope and assign the other tech staff to those roles instead of the default ones. https://technet.microsoft.com/en-us/library/dd298183(v=exchg.150).aspx

But then, there's of course AD to take care of.

1. nobody except for that one trusted person should have the right to put anybody into the default role groups
2. nobody except for that one trusted person should have the right to edit the ACL on those VIP users' accounts (send-As is an AD permission and can be set independently of Exchange, as opposed to Full Access which is an Exchange permission)

So basically, you might have to redo their entire administrative permissions concept in order to fulfill this requirement, depending on how - and by whom - things are being managed now.

FWIW,
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
Phil-n-JaxFL

Avatar / Picture

Grumpy Old Men
Registered:
Posts: 74
Posted Reply with quote  #4 
Sorry, it is Exchange 2010 and I already did most of what cj stated.
There are many who have Exchange admin rights, so i'm removing some from that.

Thanks for all the tips!
__________________
Phil
0
Previous Topic | Next Topic
Print
Reply

Quick Navigation: