In some cases you would like to delegate your trustee permissions (Access Templates) to create Active Directory users and groups, but you would like to deny them to create a mailbox.
ActiveRoles Server does not have built-in Access Templates that you could use to delegate trustee to perform user and group creation without the ability to establish a n Exchange mailbox.
WORKAROUND
Create a custom Access Template where you should specify set deny on “edsaIsMsExchangePresent” attribute.
To create such an AT follow steps below:
NOTE: When this AT delegated to trustee for creating a new user account without having permissions to create a mailbox “Exchange Mailbox AutoProvisioning” policy object MUST be configured and applied to OU where delegated users should create Active Directory users and groups. Exchange Mailbox AutoProvisioning policy object should be configured NOT to create user mailbox by default. How to configure this option, please see below:
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy