How to Use ADSI Edit to Apply Permissions

 

ADSI Edit acts as a low-level editor for Active Directory. By using ADSI Edit, administrators can view all objects (and associated properties) in the directory (including schema information), modify objects, and set access control lists on objects.

This topic serves as an example for using ADSI Edit. After application of the example in this topic, the "ExAdminGroup" security group can manage e-mail addresses, display names, and move mailboxes for all users contained in the "UsersContainer" organizational unit hierarchy.

Before You Begin

If you use the ADSI Edit snap-in and incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows Server 2003, Microsoft Exchange Server 2003, or both. Modify these attributes at your own risk.

Procedure

To use ADSI Edit to apply permissions

  1. Open ADSI Edit. On the Action menu, click Connect To, and then specify the domain where you want to make changes. Click OK.

  2. Expand the Domain Naming Context (Domain NC) hierarchy to the appropriate container: OU=UsersContainer,DC=company,DC=com.

  3. Right-click the container, and then select Properties.

  4. Select the Security tab, and then click Advanced.

  5. In Advanced Security Settings for Group Name, click Add, and then select the group object, Company\ExAdminGroup. Click OK.

  6. In Permission Entry for Users, click the Properties tab, and then select User Objects from the list to change the Apply onto field.

  7. For each of the following property rights, select the Allow permission:

    • Read Proxy Addresses

    • Read msExchPoliciesExcluded

    • Read E-Mail Address

    • Read textEncodedORAddress

    • Read displayName

    • Read Exchange Mailbox Store

    • Read targetAddress

    • Read homeMTA

    • Write Proxy Addresses

    • Write msExchPoliciesExcluded

    • Write E-Mail Address

    • Write textEncodedORAddress

    • Write displayName

    • Write Exchange Mailbox Store

    • Read Exchange Home Server

    • Write Exchange Home Server

    • Write targetAddress

    • Write homeMTA

  8. Click OK.
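
To confirm what the procedure actually granted, the following added example (not part of the original topic) reads the container's ACL and reports which of the step 7 rights are missing for the group and which of its entries fall outside that list. It assumes a management host with the ActiveDirectory PowerShell module, and the mapping from the user-interface labels to LDAP attribute names (for example, Exchange Mailbox Store to homeMDB) is an assumption to verify against your schema.

```powershell
# Added example: audits the ACEs this procedure creates. Assumes the RSAT
# ActiveDirectory module is installed; OU and group names come from this topic.
Import-Module ActiveDirectory
$ou    = 'OU=UsersContainer,DC=company,DC=com'
$group = 'COMPANY\ExAdminGroup'
$adr   = [System.DirectoryServices.ActiveDirectoryRights]
$rw    = [int]($adr::ReadProperty -bor $adr::WriteProperty)

# Assumed mapping of the step 7 UI labels to LDAP attribute names.
$attrs = 'proxyAddresses','msExchPoliciesExcluded','mail','textEncodedORAddress',
         'displayName','homeMDB','msExchHomeServerName','targetAddress','homeMTA'

# Resolve schemaIDGUID values so ACE ObjectType GUIDs can be read as names.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" `
                      -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$ldapName' not found" }
    [guid]$o.schemaIDGUID
}
$guidToName = @{}
foreach ($a in $attrs) { $guidToName[(Get-SchemaGuid $a).ToString()] = $a }
$userClass = Get-SchemaGuid 'user'

# Explicit (non-inherited) Allow ACEs for the group on the container.
$aces = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' }

$granted = @{}; $unexpected = @()
foreach ($ace in $aces) {
    $name   = $guidToName[$ace.ObjectType.ToString()]
    $scoped = $ace.InheritedObjectType -eq $userClass        # Apply onto: User objects
    $other  = [int]$ace.ActiveDirectoryRights -band (-bnot $rw)  # rights beyond read/write property
    if ($name -and $scoped -and -not $other) {
        if ($ace.ActiveDirectoryRights -band $adr::ReadProperty)  { $granted["Read $name"]  = $true }
        if ($ace.ActiveDirectoryRights -band $adr::WriteProperty) { $granted["Write $name"] = $true }
    } else { $unexpected += $ace }   # broader right, other attribute, or other scope
}

# Report step 7 rights that are absent, then any ACEs outside the intended set.
$missing = foreach ($a in $attrs) { "Read $a", "Write $a" | Where-Object { -not $granted[$_] } }
"Missing rights: " + ($missing -join ', ')
$unexpected | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

An empty missing list together with an empty table means the group's explicit entries on this container match step 7 and nothing broader.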