Granting Exchange 2007 Rights via ADSI Edit

ADSI Edit (AdsiEdit.msc) is a Microsoft Windows Server tool that you can use to view and edit raw Active Directory service attributes through the Active Directory Services Interfaces (ADSI) protocol.  ADSI Edit is suitable for editing a single object or a small number of objects in Active Directory.  Check out http://technet.microsoft.com/en-us/library/cc773354(WS.10).aspx for detailed information about ADSI Edit.

WARNING:  ADSI Edit is a very powerful utility that should be used with extreme caution.  Lucid8 is providing the information herein as sample reference material as a courtesy and does not recommend or warrant the use of ADSI Edit.  If you use the ADSI Edit snap-in to make modifications and incorrectly modify the attributes of Active Directory objects, you can cause serious problems.  If you choose to utilize ADSI Edit to modify attributes of objects within Active Directory you do so at your own risk.

NOTE:  DigiScope® Operators can not be part of any Administrative group since all Administrative users and groups include Explicit Deny rights in order to limit database and mailbox access for Exchange 2007.  We suggest that you create and assign the required rights to a special DigiScope® Operators group so that users can be easily added and removed thereafter.

NOTE:  The steps outlined here only apply to Exchange 2007.  The introduction of Role-Based Access Control (RBAC) for later versions of Exchange makes the use of ADSI Edit unfeasible on those other versions of Exchange.

The steps below outline the process to grant the groups or users the required rights for the DigiScope® Operator via ADSI Edit.

Granting Rights to the DSAdministrators Group via ADSI Edit
  1. Open ADSI Edit.

    NOTE: If you do not have ADSI Edit installed, you may download it from Microsoft.

  2. Connect to Configuration.

  3. Expand out to Configuration\Services\Microsoft Exchange\First Organization.

    ADSIEDIT_2K7.png

  4. Right-click on CN=First Organization.

  5. Select Properties.

  6. The First Organization Properties dialog appears as shown below.

    First_Organization_Properties_2K7.png

  7. Select the Security tab.

  8. Click the Advanced button located at the bottom right of the dialog.

  9. Click the Add... button, the Select Users, Computers or Groups dialog appears as shown below.

    image1.gif

  10. Type in the name of DSAdministrators group.

  11. Click the Check Names button.

  12. When you are done adding groups / users, click the OK button.

  13. The selected group / user appears highlighted within the Permission Entry dialog.

    FO_Permission_Entry.png

  14. Ensure the Apply onto: field is set to This object and all child objects.

  15. Leave the check box for Apply these permissions... unchecked.

  16. Set the following permissions to Allow:

  17. Click OK, the Permission Entry Warning dialog appears.

    FO_Permission_Warning.png

  18. After reviewing the Warning dialog, click Yes.

  19. Click OK to complete the changes to Active Directory.

    NOTE:  It can take up to 24 hours to replicate the changes through Active Directory.  For immediate results either force replication on Active Directory or restart the Microsoft Exchange Information Store service.


Continue to Exchange Maximum Allowed Sessions Per User