Setting up
Permissions in AD & Exchange
In order for users to be able to create users, mail-enable them, or
create mailboxes, they must be delegated access in AD and Exchange.
Carry out the following steps in ADU&C to give permissions on the AD
objects:
- Right click on the OU where the template
account exists and where the new accounts should be created and
choose 'Delegate Control'
- Add the user or group of users you want to
be able to create users
- Select the following tasks
- Create, delete, and manage user
accounts
- Read all user information
- Modify the membership of a group
If the template account is a member of groups
outside of the OU that permissions were delegated to above (Domain
Users, for example), users must also be given permission to modify
the membership of those groups. This can be done at the level of the
OU or container that holds those groups by following the steps above,
selecting only 'Modify the membership of a group'; note that this
covers every group under that OU, including any privileged ones, so
delegating on the individual groups is the tighter choice. To do it at
the individual group level do the following:
- In ADU&C click on 'Advanced Features'
under the View menu. This option displays hidden containers, the
Security tab, and other tabs on objects in AD.
- Right click the group that the template
account is a member of and choose properties
- Click the Security tab
- Click Advanced
- Click Add
- Enter the user or group of users that
should be able to add users to this group and click OK
- Click the Properties tab
- Check the Allow column for Read Members
and Write Members
- Click OK three times to save the security
settings
- Repeat for each group the template account
is a member of, if permissions have not already been delegated
at the OU level
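The delegation above, as an added example that is not from the original page: the three Delegation of Control wizard tasks and the per-group Read/Write Members ACE, done with dsacls so they can be scripted and read back. The OU, domain and group names are assumptions; replace them with your own.

```powershell
# Added example (not part of the original page): the same delegation as the
# ADU&C steps above, done from the command line with dsacls.
# OU, domain and group names are assumptions; replace them.
$ou      = "OU=Staff,DC=example,DC=com"       # OU holding the template account and the new users
$trustee = "EXAMPLE\UserCreators"              # group that will use CreateUser.asp

# "Create, delete, and manage user accounts":
#   create/delete child objects of class user on the OU itself and below (/I:T) ...
dsacls $ou /I:T /G "${trustee}:CCDC;user"
#   ... and full control (GA) over the user objects underneath it (/I:S = descendants only)
dsacls $ou /I:S /G "${trustee}:GA;;user"

# "Read all user information": generic read on descendant user objects
dsacls $ou /I:S /G "${trustee}:GR;;user"

# "Modify the membership of a group" for groups inside the OU:
# read and write the member attribute, inherited to group objects only
dsacls $ou /I:S /G "${trustee}:RPWP;member;group"

# A group the template is a member of but which lives outside the OU gets the
# same ACE on the group object itself (the Domain Users case in the text)
$outsideGroup = "CN=Domain Users,CN=Users,DC=example,DC=com"
dsacls $outsideGroup /G "${trustee}:RPWP;member"

# Read the ACLs back: the trustee should appear with WRITE PROPERTY on member
# where you intended, and nowhere else
dsacls $ou           | Select-String -SimpleMatch $trustee
dsacls $outsideGroup | Select-String -SimpleMatch $trustee
```

dsacls only adds ACEs, so run it as an account that may write the OU's security descriptor, and compare `dsacls <DN>` output before and after to confirm nothing broader than the four ACEs above was granted.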
In order to mailbox-enable users in Exchange,
the user or group of users must be given Exchange View Only Administrator
access to the administrative group where the mailbox will be created.
Final Notes
In order to mail-enable or mailbox-enable new
user accounts, Exchange System Manager must be installed on the IIS
server. In addition, anonymous authentication should be disabled on
the directory where CreateUser.asp and DoWork.asp are located: classic
ASP runs a page under the identity of the authenticated browser user, so
with anonymous access off the ADSI calls are made with the delegated
rights of the person filling in the form rather than those of the IIS
anonymous account, which would either lack the rights or, if given them,
let anyone who can reach the page create accounts.
CreateUser.asp will work in Firefox if you
change the code under cmdCreate_OnClick and remove the If MsgBox
statement; MsgBox doesn't work in Firefox and I don't know of the
equivalent command. Remove the
If,
Else,
CreateUser.SubmitType.Value = "Abort", and
End If lines to make the form work in Firefox.
The code currently doesn't have any error
handling; this is a high priority on my To-Do list. So if you enter
a password that doesn't meet your password standards, user
creation will fail. To help troubleshoot errors in Internet
Explorer do the following:
- Go to Tools\Internet Options
- Click on Advanced
- Under Browsing unselect 'Show friendly
HTTP error messages'
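The failure described above, as an added example that is not code from CreateUser.asp or DoWork.asp: the same ADSI calls the ASP page makes, written in PowerShell, with the password step checked and the half-created account removed when the domain policy rejects the password. The OU, UPN suffix and account values are assumptions, and the caller needs the rights delegated in the previous section.

```powershell
# Added example (not the tool's own code): create a user with ADSI, set the
# password, and roll the account back if the password is rejected.
# OU, UPN suffix and account values are assumptions for illustration.
param(
    [string]$OuDn        = "OU=Staff,DC=example,DC=com",   # assumed OU
    [string]$Sam         = "jdoe",                          # assumed logon name
    [string]$DisplayName = "Jane Doe",
    [string]$Password    = "ChangeMe1!"
)

$ou   = [ADSI]"LDAP://$OuDn"
$cn   = "CN=$DisplayName"
$user = $ou.Create("user", $cn)
$user.Put("sAMAccountName", $Sam)
$user.Put("userPrincipalName", "$Sam@example.com")   # assumed UPN suffix
# If this SetInfo fails (duplicate name, no create rights) nothing was written,
# so there is nothing to undo.
$user.SetInfo()   # object now exists, disabled and without a password

try {
    # SetPassword is where a password that fails the domain policy is rejected;
    # ADSI surfaces it as a COM exception, which PowerShell turns into a
    # terminating error here.
    $user.SetPassword($Password)
    # Enable only after the password was accepted (512 = NORMAL_ACCOUNT, enabled)
    $user.Put("userAccountControl", 512)
    $user.SetInfo()
    Write-Output "Created $Sam in $OuDn"
}
catch {
    # Remove the half-created account so the OU is not left with a disabled,
    # password-less user that someone might later enable.
    Write-Warning "Password rejected or update failed: $($_.Exception.Message)"
    $ou.Delete("user", $cn)
    throw
}
```

The order matters: the account is created disabled, the password is set, and only then is the account enabled, so a rejected password never leaves an enabled account behind; the catch block deletes the object so a retry with a compliant password does not collide with the leftover.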
There is also a creation results page that shows up to confirm
the creation happened correctly. You may want to take this a step
further and send an alert to an admin letting them know a user was
created with the tool, or some other alert.

Lastly, I've created a SharePoint site on my server in hopes of a
collaborative effort with others who would like to add further
features to this page and make the page look better. If you are
interested in helping out or downloading the code go to:
http://info.izzy.org/Technical/AD%20%20Exchange/ADEAdmin/