Phil-n-JaxFL
Grumpy Old Men
Registered:1451933769 Posts: 87
Posted 1471003053
Reply with quote
#1
I have a customer who has several important users and they want only one technician who can set send as and full access on these mailboxes. I cannot find how to do this. Anyone have any idea? Thanks.
__________________Phil
DM-AVAL
New Friend (or an Old Friend who Built a New Account)
Registered:1452043080 Posts: 79
Posted 1471009197
Reply with quote
#2
Is that technician the only Exchange administrator? This is Exchange, correct? What version? Are there other Exchange admins that the company does NOT want to be able to manage these mailboxes?
cj_berlin
Senior Member
Registered:1451592353 Posts: 268
Posted 1471016076
· Edited
Reply with quote
#3
Phil, the complexity of the solution will depend on 1. how many admins of any kind there are 2. how paranoid the customer really is Basically, on the Exchange side of things and assuming that we are talking at least Exchange 2010 here, you will need to define scoped administrative roles excluding those VIP mailboxes from scope and assign the other tech staff to those roles instead of the default ones. https://technet.microsoft.com/en-us/library/dd298183(v=exchg.150).aspx But then, there's of course AD to take care of. 1. nobody except for that one trusted person should have the right to put anybody into the default role groups 2. nobody except for that one trusted person should have the right to edit the ACL on those VIP users' accounts (send-As is an AD permission and can be set independently of Exchange, as opposed to Full Access which is an Exchange permission) So basically, you might have to redo their entire administrative permissions concept in order to fulfill this requirement, depending on how - and by whom - things are being managed now. FWIW,
__________________ Evgenij Smirnov My personal blog (German): http://www.it-pro-berlin.de/ My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
Phil-n-JaxFL
Grumpy Old Men
Registered:1451933769 Posts: 87
Posted 1471038286
Reply with quote
#4
Sorry, it is Exchange 2010 and I already did most of what cj stated. There are many who have Exchange admin rights, so i'm removing some from that. Thanks for all the tips!
__________________Phil