Active Directory management & automation

Grant Permissions to Perform Exchange Tasks

Using Security Roles, you can granularly define which Exchange tasks you want to delegate to which users, and specify the scope on which they can perform the delegated tasks. For example, you can allow your Help Desk staff to only set Out-of-Office Replies for users who are members of a specific group.

In this tutorial you will learn how to create and assign a Security Role to grant permissions for performing Exchange operations.

Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard will open.

Launching the Create Security Role wizard

Enter a name for the new Role and click Next.
Here you need to specify the permissions for the new Role. Click Add.

Adding Permissions

In the list of object types to which the permissions apply, select:
  • User if you want to delegate permissions for mailboxes or mail-enabled users,
  • Group if you want to delegate permissions for mail-enabled groups,
  • Contact if you want to delegate permissions for mail-enabled contacts.

Specifying User Object Type

In the General permissions section:
  • Type Exch in the filter edit box to filter out permissions unrelated to Exchange.
  • Check the permission you need in the Allow or Deny column.

Granting the Permission to Move Mailboxes

Permissions for Exchange Properties

  • To grant the permission to modify all Exchange properties, select the Write All Properties (Exchange) permission in the Allow column.

    Granting the Permission to Modify All Exchange Properties
  • To grant the permission to modify a specific section of Exchange properties, select the permission for that section in the Allow column. For example, to allow modification of the Automatic Replies (OOF) section, select Write Automatic Replies (Exchange).

    Granting the Permission to Modify Automatic Replies
  • To grant the permission to modify a specific Exchange property:
    • Check the Show all properties option located under the Property-specific permissions list.
    • Select the Allow column for the property you need.
    Granting the Permission to Modify a Specific Exchange Property
    The following tables show which AD object property corresponds to which Exchange property:

    General

    | Parameter | Property Name |
    | --- | --- |
    | Exchange Alias | Exchange Alias |
    | Simple Display Name | Simple Display Name |
    | Hide from address lists | ms-Exch-Hide-From-Address-Lists |
    | Use MAPI Rich Text Format | ms-Exch-MAPI-Recipient |
    | Set expansion server | ms-Exch-Expansion-Server-Name |
    | Send out-of-office message to originator | ms-Exch-OOF-Reply-To-Originator |
    | Delivery reports | ms-Exch-OOF-Report-To-Owner, ms-Exch-OOF-Report-To-Originator |
    | Custom Attributes | Extension Attribute 1 ... Extension Attribute 15 |

    Storage Quotas

    | Parameter | Property Name |
    | --- | --- |
    | Use mailbox database defaults | ms-Exch-MDB-Use-Defaults |
    | Issue warning at | ms-Exch-MDB-Storage-Quota |
    | Prohibit send at | ms-Exch-MDB-Over-Quota-Limit |
    | Prohibit send and receive at | ms-Exch-MDB-Over-Hard-Quota-Limit |
    | Deleted item retention | ms-Exch-Deleted-Item-Flags |
    | Keep deleted items for (number of days) | Garbage-Coll-Period |

    Email Address

    | Parameter | Property Name |
    | --- | --- |
    | Email Addresses | Email Proxy Addresses |
    | Automatically update e-mail addresses based on e-mail address policy | MsExchEmailAddressPolicyEnabled |

    Mailbox Features

    Policies

    | Parameter | Property Name |
    | --- | --- |
    | Sharing policy | ms-Exch-Sharing-Policy-Link |
    | Role Assignment policy | ms-Exch-RBAC-Policy-Link |
    | Retention policy, Managed Folder policy | ms-Exch-Mailbox-Template-Link |
    | Address Book policy | ms-Exch-Address-Book-Policy-Link |

    Features

    Unified Messaging

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchUMEnabled |
    | Reset PIN | MsExchUMResetPinParams |
    | UM mailbox policy | ms-Exch-UM-Template-Link |
    | Personal operator extension | ms-Exch-UM-Operator-Number |
    | Additional UM extensions | MsExchUMExtentions |
    | Enable for Automatic Speech Recognition | MsExchUMAutoSpeechRecognitionEnabled |
    | Allow UM calls from non-users | ms-Exch-UM-List-In-Directory-Search |
    | Allow users to receive faxes | MsExchUMFaxEnabled |
    | Allow divert calls without caller ID to leave message | MsExchUMAnonymousCanLeaveMessages |
    | Allow users to configure call answering rules | MsExchUMCallAnswerRulesEnabled |

    Exchange Active Sync

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchActiveSyncEnabled |
    | Mobile device mailbox policy | ms-Exch-Mobile-Mailbox-Policy-Link |

    Outlook Web App

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchOwaEnabled |
    | Outlook Web App mailbox policy | ms-Exch-OWA-Policy |

    IMAP

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchImapEnabled |
    | Use protocol defaults | MsExchImapUseProtocolDefaults |
    | Message retrieval format | MsExchImapMsgRetrievalMimeFormat |

    POP3

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchPop3Enabled |
    | Use protocol defaults | MsExchPop3UseProtocolDefaults |
    | Message retrieval format | MsExchPop3MsgRetrievalMimeFormat |

    MAPI

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchMapiEnabled |

    Retention Hold

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchRetentionHoldEnabled |
    | Start date | Retention Hold Start Date |
    | End date | Retention Hold End Date |

    Litigation Hold

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchLitigationHoldEnabled |
    | Note | ms-Exch-Retention-Comment |
    | URL | ms-Exch-Retention-URL |

    Archiving

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchArchiveEnabled |
    | Archive database | ms-Exch-Archive-Name |
    | Quota value | ms-Exch-Archive-Quota |
    | Issue warning at | ms-Exch-Archive-Warn-Quota |

    Outlook Mobile Access (Exchange 2003 only)

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchOmaEnabled |

    User Initiated Synchronization (Exchange 2003 only)

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchUisEnabled |

    Up-to-date Notifications (Exchange 2003 only)

    | Parameter | Property Name |
    | --- | --- |
    | Enabled/Disabled | MsExchUdnEnabled |

    Mail Flow

    Delivery Options

    | Parameter | Property Name |
    | --- | --- |
    | Forward to | Forward To |
    | Deliver message to both forwarding address and mailbox | ms-Exch-Deliver-And-Redirect |
    | Maximum recipients | ms-Exch-Recip-Limit |

    Message Size Restrictions

    | Parameter | Property Name |
    | --- | --- |
    | Sending message size | ms-Exch-Submission-Cont-Length |
    | Receiving message size | ms-Exch-Deliv-Cont-Length |

    Message Delivery Restrictions

    | Parameter | Property Name |
    | --- | --- |
    | Accept Messages From | ms-Exch-RequireAuthToSendTo (Only senders inside my organization), ms-Exch-Auth-Orig (List of senders to accept messages from) |
    | Reject Messages From | ms-Exch-Unauth-Orig |

    Mail Flow Settings

    Message Size Restrictions

    | Parameter | Property Name |
    | --- | --- |
    | Sending message size | ms-Exch-Submission-Cont-Length |
    | Receiving message size | ms-Exch-Deliv-Cont-Length |

    Message Delivery Restrictions

    | Parameter | Property Name |
    | --- | --- |
    | Accept Messages From | ms-Exch-RequireAuthToSendTo (Only senders inside my organization), ms-Exch-Auth-Orig (List of senders to accept messages from) |
    | Reject Messages From | ms-Exch-Unauth-Orig |

    Delivery Management

    | Parameter | Property Name |
    | --- | --- |
    | Accept Messages From | ms-Exch-RequireAuthToSendTo (Only senders inside my organization), ms-Exch-Auth-Orig (List of senders to accept messages from) |
    | Reject Messages From | ms-Exch-Unauth-Orig |

    Message Approval

    | Parameter | Property Name |
    | --- | --- |
    | Messages sent to this group have to be approved by a moderator | ms-Exch-Enable-Moderation |
    | Moderators | ms-Exch-Moderated-By-Link |
    | Senders who don't require message approval | ms-Exch-Bypass-Moderation-Link |
    | Notifications | ms-Exch-Moderation-Flags |

    Calendar Settings

    | Parameter | Property Name |
    | --- | --- |
    | Calendar Settings | MsExchMailboxCalendarSettings |

    MailTip

    | Parameter | Property Name |
    | --- | --- |
    | MailTip | MailTip |

    Delegation

    | Parameter | Property Name |
    | --- | --- |
    | Send As | MsExchSendAs |
    | Send on Behalf | ms-Exch-Public-Delegates |
    | Mailbox Rights | ms-Exch-Mailbox-Security-Descriptor |

    Automatic Replies (OOF)

    | Parameter | Property Name |
    | --- | --- |
    | Auto-Reply Configuration | MsExchMailboxAutoReplyConfiguration |

When done, click OK and then click Next.

On the Assign Role page, specify the users or groups to which you want to delegate the permissions to perform Exchange tasks.
  • To assign the new Role to a specific user or group, select the necessary user or group in the list of available trustees.
    To quickly find a user or group, type its name in the search field and click the button.
  • To grant managers the rights to perform Exchange tasks on their team members, select Manager. A user's manager is specified in the Manager property of the user account.

    Assign role to managers
    If you change the manager for a user, the previous manager will lose the rights granted by the Role, and the new manager will gain them.

  • In Active Directory, you can assign an owner for each mail-enabled group. The owner is specified in the Managed By property of a group. To allow owners of mail-enabled groups to perform Exchange tasks on their groups, select Owner (Managed By).

    Assign role to group owners
    If you change the owner of a group, the previous owner will lose the rights granted by the Role, and the new owner will gain them.

When done, click Assign.

In the Role Activity Scope dialog that opens, you need to select where the specified users or groups will be able to apply the permissions granted by the Security Role.

You can select the following items:
  • All Objects - select if you want to grant the permissions to perform the specified Exchange tasks on all mailboxes, mail-enabled users, contacts, and groups in any AD domain managed by Adaxes.
  • Specific Domain - select a specific AD domain to grant the permissions to perform the specified Exchange tasks on all Exchange accounts and distribution lists in the AD domain you specify. If you select a domain, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    Select All objects in this Domain. It means that permissions granted by the Role will be applied to all mailboxes, mail-enabled users, contacts, and groups in the selected domain. Click OK.

    Assignment Options for a Specific Domain

  • OU or Container - select a specific Organizational Unit or container to grant permissions to perform the specified Exchange tasks on all mailboxes, mail-enabled users, contacts, and groups in the OU or container you specify. If you select an OU or container, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    To grant permissions to perform the specified Exchange tasks on all Exchange accounts and distribution lists under the selected OU at any nesting level, click Child objects of this Organizational-Unit. To allow performing the specified Exchange tasks only on direct children of the selected OU, also check Immediate child objects only.

    Assignment Options for an OU or Container

  • Group - select a specific group to grant permissions to perform the specified Exchange tasks on the selected group and/or on all Exchange accounts and distribution lists that are members of the selected group. If you select a group, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    • To allow applying the specified permissions to the selected group, select This Group object.
    • To allow applying the permissions to any member of the selected group, select Members of this Group.
    • To allow applying the specified permissions to direct group members only, also check Direct members only.
    Click OK.

    Assignment Options for a Group object

  • Business Unit - select a Business Unit to grant permissions to perform the specified Exchange tasks on all mailboxes, mail-enabled users, contacts, and groups that are members of a specific Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down list.

    Viewing Business Units

    If you select a Business Unit, you will need to specify the assignment scope in the Assignment Options dialog.

    Assignment Options

    In this case, the only applicable option is Members of this Business Unit. It means that the new Role permissions will be applied to all Exchange accounts and distribution lists that are members of the selected Business Unit. Select this option and click OK.

    Assignment Options


Select the object you need and click Add. When finished, click OK.
Delegating permissions through Security Roles does not modify native Active Directory permissions. This means that users or groups to whom the Security Role is assigned can apply the permissions granted by the Role only through Adaxes, not outside of it.
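
Before assigning a Role, it helps to see how far each Role Activity Scope option reaches. The following is an added example, not Adaxes code: a small model of the OU and Group assignment options described above, run over a constructed directory. The function names, sample DNs, and the assumption that "Members of this Group" follows nested groups are illustrative.

```python
import re

# Constructed sample directory (not from the page): each DN maps to the groups
# it is a direct member of and whether the object is mail-enabled.
GRP = "CN=OOF-Managed,OU=Groups,DC=example,DC=com"
TEAM = "CN=Sales-Team,OU=Groups,DC=example,DC=com"   # nested inside GRP
SALES_OU = "OU=Sales,DC=example,DC=com"
ANN = "CN=Ann,OU=Sales,DC=example,DC=com"
BOB = "CN=Bob,OU=EMEA,OU=Sales,DC=example,DC=com"
DIRECTORY = {
    ANN: {"member_of": [GRP], "mail": True},
    BOB: {"member_of": [TEAM], "mail": True},
    "CN=Svc\\,Backup,OU=Sales,DC=example,DC=com": {"member_of": [], "mail": False},
    TEAM: {"member_of": [GRP], "mail": True},
    GRP: {"member_of": [], "mail": True},
}

def parent_dn(dn):
    """Container DN: everything after the first comma that is not backslash-escaped."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""

def in_ou_scope(dn, ou, immediate_only=False):
    """Model of 'Child objects of this Organizational-Unit' (+ 'Immediate child objects only')."""
    parent = parent_dn(dn)
    if immediate_only:
        return parent.lower() == ou.lower()
    while parent:                      # walk up the tree for any nesting level
        if parent.lower() == ou.lower():
            return True
        parent = parent_dn(parent)
    return False

def in_group_scope(dn, group, directory, direct_only=False):
    """Model of 'Members of this Group' (+ 'Direct members only')."""
    seen, todo = set(), list(directory[dn]["member_of"])
    while todo:
        g = todo.pop()
        if g.lower() == group.lower():
            return True
        if direct_only or g in seen:   # do not follow nested groups, avoid cycles
            continue
        seen.add(g)
        todo.extend(directory.get(g, {}).get("member_of", []))
    return False

def covered(directory, in_scope):
    """Mail-enabled objects that a Role assignment with this scope would reach."""
    return sorted(dn for dn, obj in directory.items() if obj["mail"] and in_scope(dn))
```

Calling `covered(DIRECTORY, lambda dn: in_ou_scope(dn, SALES_OU))` returns both Ann and Bob, while adding `immediate_only=True` returns only Ann; the group variants differ in the same way for nested members.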