Troubleshooter: Changing Mailbox Rights

How do I give administrators permissions to change mailbox rights for users in particular organizational units (OUs)?

What you're trying to do is difficult, if not impossible. For an administrator to be able to change users' mailbox rights, you need to give the administrator View-only Administrator permission on the administrative group that contains the server on which the mailboxes are homed, as well as Administer Information Store and Write permissions on the databases that contain the mailboxes. The problem is that the necessary permissions involve administrative groups and mailbox databases, neither of which have anything to do with OUs. You can use Microsoft Active Directory Service Interfaces (ADSI) and Collaboration Data Objects for Exchange Management (CDOEXM) to write scripts that change the permissions as necessary, then wrap those scripts with an Active Server Pages (ASP) or ASP.NET front end that checks your administrators' permissions to ensure that they can modify rights for the users in the specified OUs. However, doing so is a lot of work. An alternative is to structure your administrative groups so that they parallel your OUs, but this solution might not be possible.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.