In today’s post we go over how an administrator can configure a regular account to create recipients in an Exchange Server 2013 organization. Along the way we will see some of the new features in this version and how the changes affect your environment.
Our scenario has the user Administrator and a regular user called Anderson, and we want to give this regular user the rights to create mailboxes in our environment.
Logged on as Administrator in the Exchange Admin Center (EAC), click Permissions, then admin roles, and double-click Recipient Management.
The new window shows all roles and scopes of the role group whose properties we are viewing. Go to the Members area at the bottom of the page, click Add, add our regular user (Anderson) to the list, and click Save.
That’s great: our user now has Recipient Management permissions and will be able to manage recipients in our organization. So, what happened there? Basically, when we assign the user, we add him to the Active Directory group Recipient Management.
That brings us to some good points: first, you can always double-check the AD groups to make sure your role groups contain the right users, and you can use scripts or even automation (SCO, System Center Orchestrator) to keep track of changes in case several admins manage your organization.
Note: If the user is already logged on, it is recommended that he sign out of his current session and sign in again to refresh the group membership.
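The double-check described above can be scripted. The following is an added example (not code from the original post): it compares the members of the Recipient Management role group as Exchange sees them with the members of the backing AD security group, lists what the group is actually allowed to do, and pulls recent membership changes from the admin audit log. It assumes an Exchange 2013 Management Shell session with the Active Directory module available, and that the AD group's sAMAccountName is the same as the role group name, which is the default.

```powershell
# Added example: reconcile an RBAC role group with its Active Directory group
# and review who changed its membership. Assumes Exchange 2013 Management Shell
# plus the ActiveDirectory module; group name is the default one.
Import-Module ActiveDirectory

$roleGroup = "Recipient Management"

# Members as Exchange (RBAC) sees them
$rbacMembers = Get-RoleGroupMember -Identity $roleGroup |
    Select-Object -ExpandProperty Name

# Members as Active Directory sees them (the universal security group that
# Exchange setup created under "Microsoft Exchange Security Groups")
$adMembers = Get-ADGroupMember -Identity $roleGroup -Recursive |
    Select-Object -ExpandProperty Name

# Anything that appears on only one side deserves a look; an empty result
# means both views agree. Comparison is on the object Name (CN) on both sides.
Compare-Object -ReferenceObject $rbacMembers -DifferenceObject $adMembers

# What the group actually grants in this organization: roles and write scopes
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Role, RecipientWriteScope, ConfigWriteScope

# Who added or removed members in the last 30 days. Admin audit logging is on
# by default in Exchange 2013, so this works without extra configuration.
Search-AdminAuditLog -Cmdlets Add-RoleGroupMember, Remove-RoleGroupMember `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{ Name = "Parameters"
           Expression = { ($_.CmdletParameters |
               ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } }
```

Run it on a schedule (or from an Orchestrator runbook, as the text suggests) and alert on a non-empty Compare-Object result or on any Add-RoleGroupMember entry whose Caller is not one of your known administrators.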
Regular user managing recipients…
Now that we have a regular user set up, we can instruct him to access https://<CAS>/ECP and log on with this information.
Because he was assigned a role, he won’t have permissions outside of that role group. A good example is that he cannot change or add information in several areas; in the example below the user is trying to manage accepted domains.
Creating a new user mailbox…
Now the logged-on user (Anderson) can go to recipients and add a new user mailbox. The first new feature here is the ability to change the OU of the user; let’s click Browse…
We will see a list of OUs in the domain; select any OU (in our case Porto Alegre) and click OK.
At the bottom of the new user mailbox page we need to define the user logon name and a new password. By default the option Require password change on next logon is unchecked, so make sure you add that to your documentation if it is a requirement for your company.
If you haven’t noticed, there is a More options link on the last line before the Save button; click it and, to our surprise, we can define the Mailbox Database, Archive Database and Address Book Policy (ABP).
If you are looking for more options, don’t worry: just finish creating the user, open the properties of the new user mailbox, and everything you are looking for will be there.
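The same mailbox can be created from the Exchange Management Shell with the options the EAC hides under More options, and with the password-reset flag set explicitly instead of relying on the wizard default. This is an added example, not code from the original post; the domain, database and policy names are placeholders, and it assumes an Exchange 2013 Management Shell session run by an account that holds the Recipient Management role.

```powershell
# Added example: create a user mailbox with OU, databases, ABP and an explicit
# password-reset flag, then audit existing mailboxes for the flag.
# "contoso.example", "MBX-DB01", "ARCH-DB01" and "ABP-Default" are placeholders.
$password = Read-Host -AsSecureString -Prompt "Initial password"

$mailbox = New-Mailbox -Name "Example User" `
    -UserPrincipalName "example.user@contoso.example" `
    -Alias "example.user" `
    -OrganizationalUnit "contoso.example/Porto Alegre" `
    -Password $password `
    -ResetPasswordOnNextLogon $true `
    -Database "MBX-DB01" `
    -Archive -ArchiveDatabase "ARCH-DB01" `
    -AddressBookPolicy "ABP-Default"

# Confirm the settings that are easy to miss in the wizard
Get-Mailbox -Identity $mailbox.Identity |
    Select-Object Name, OrganizationalUnit, Database, ArchiveDatabase, AddressBookPolicy

# Find mailboxes created without the reset flag, so the documentation
# requirement mentioned in the text can be checked after the fact
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { -not $_.ResetPasswordOnNextLogon } |
    Select-Object Name, SamAccountName, WhenCreated
```

The final query is the useful part for a security review: because the EAC default is unchecked, any mailbox created through the web page by an operator who forgot the box will show up here with its initial password still in force.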
The new user mailbox creation process under the hood…
You may be wondering about the security side of what happened when we created the user. First of all, that is the beauty of RBAC: if we look at the user creation process, the user Anderson does not show up in the Security logs of the DC; instead it is the Exchange Server. We can retrieve the list from the Exchange side, but in your Event Viewer the entry will be similar to this one.
Well, if it wasn’t the user, what can the user Anderson do, then? That’s interesting: the regular user Anderson can try to go to Active Directory Users and Computers and create or delete users (even the user he has just created), and he won’t have access.
However, if he uses the EAC to delete or create users, he will be able to.
Which brings us to an interesting point: we can use Exchange as a service from now on. We don’t need everybody logged on to the server console creating users; they just need access to the web page and that is it.
If you have a larger environment with different teams for Active Directory and Exchange, that default setting may not be good; in that case you can use Active Directory split permissions. I covered this topic in detail at MSExchange.org; here is the link: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/managing-exchange-server-2010-active-directory-split-permissions.html
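Because the DC's Security log attributes the account creation to the Exchange server rather than to Anderson, the person responsible has to be recovered from the Exchange admin audit log and joined to the AD event. The script below is an added example (not from the original post) that does that join for user-creation and user-deletion events. It assumes an Exchange 2013 Management Shell session, read access to the DC's Security log, a placeholder DC name, and that the mailbox Name matches the sAMAccountName (if it does not in your environment, resolve it with Get-User before joining).

```powershell
# Added example: pair Exchange admin audit entries (RBAC caller) with the DC's
# Security events 4720 (user created) / 4726 (user deleted), whose subject is
# the Exchange server's computer account. "DC01.contoso.example" is a placeholder.
$dc    = "DC01.contoso.example"
$since = (Get-Date).AddHours(-24)

# Exchange side: who ran New-Mailbox / Remove-Mailbox, from EAC or shell
$exchangeSide = Search-AdminAuditLog -Cmdlets New-Mailbox, Remove-Mailbox `
    -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded

# AD side: parse the event XML so SubjectUserName / TargetUserName are fields
$adSide = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = "Security"; Id = 4720, 4726; StartTime = $since } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Subject = $data["SubjectUserName"]   # what AD recorded (e.g. EX01$)
            Target  = $data["TargetUserName"]    # account created or deleted
        }
    }

# Join on the target account. ObjectModified is a canonical path such as
# "contoso.example/Porto Alegre/Example User"; its last segment is the Name,
# assumed here to equal the sAMAccountName.
foreach ($e in $exchangeSide) {
    $target = ($e.ObjectModified -split '/')[-1]
    $match  = $adSide | Where-Object { $_.Target -eq $target } | Select-Object -First 1
    [pscustomobject]@{
        When       = $e.RunDate
        Cmdlet     = $e.CmdletName
        RbacCaller = $e.Caller        # the real operator, e.g. Anderson
        AdSubject  = $match.Subject   # what the DC log shows instead
        Account    = $target
        Succeeded  = $e.Succeeded
    }
}
```

The practical point for monitoring is that a SIEM rule keyed only on the 4720 subject will attribute every Exchange-driven account creation to the server's computer account; the admin audit log (or its mailbox-audit export) is the source that carries the human caller.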