-
Title
How to deny delegated users to create mailbox for Active Directory users and groups. -
Description
In some cases you would like to delegate your trustee permissions (Access Templates) to create Active Directory users and groups, but you would like to deny them to create a mailbox.
-
Cause
ActiveRoles Server does not have built-in Access Templates that you could use to delegate trustee to perform user and group creation without the ability to establish a n Exchange mailbox.
-
Resolution
WORKAROUND
Create a custom Access Template where you should specify set deny on “edsaIsMsExchangePresent” attribute.
To create such an AT follow steps below:
- Open ActiveRoles Server mmc console and logon as DS Administrator
- Navigate to Configuration/Access Templates and create a new AT right click any container select New | Access Template
- Type AT “Name” and “Description” and press Next
- On Next steps click Add for AT permissions entries
- Select “All object classes” and press Next
- Next step specify “Object property access” and select “Read properties” and “Write properties” checkboxes. On the same steps select “Deny permissions” check box as well and press Next
- On next step select object properties “The following properties” select “edsaIsMsExchangePresent” attribute and press Finish.
- Now you have created a new custom Access Template which can be delegated to your trustee accounts.
NOTE: When this AT delegated to trustee for creating a new user account without having permissions to create a mailbox “Exchange Mailbox AutoProvisioning” policy object MUST be configured and applied to OU where delegated users should create Active Directory users and groups. Exchange Mailbox AutoProvisioning policy object should be configured NOT to create user mailbox by default. How to configure this option, please see below:
- If you already have “Exchange Mailbox AutoProvisioning” Policy Object then open properties and select “Properties” tab.
- Select your configured PO and press View/Edit
- Select “Mailbox Creation” tab and uncheck “Create the user mailbox by default” checkbox.
- Press Ok
- Confirm the changes press Ok.
-
Additional Information
Also refer to SOL32499 on how to clear the checkbox and disable the "Create an Exchange mailbox" option in the New Object creation wizard. How to clear the checkbox and disable the "Create an Exchange mailbox" option (32499) https://support.quest.com/kb/32499