Delegating the minimum set of permissions for mailbox-enabled user and linked mailbox provisioning

In my previous post I described the minimum set of permissions required by the ADMA account to provision an AD DS user object.  In this post I’d like to expand on that and provide the minimum set of permissions required to provision a mailbox-enabled user and a linked-mailbox.  As with the previous post I will also cover additional non-essential but expected and required (from an implementation perspective) attributes.

Creating a user

In the previous post I stated that the minimum set of permissions to create an enabled user and delete and move a user are as follows.

Note.  I’m using the DSACLS nomenclature including the inheritance options.  From the DSACLS help:

  • T.  The object and its child objects.
  • S.  The child objects only.
  • P.  The object and child objects down to one level only (propagate inheritable permissions to one level only).

Permission/Access right   Object type/Attribute   Inherited object type   Inheritance
CC                        user
DC                        user
CC                        user                    organizationalUnit      S
DC                        user                    organizationalUnit      S
Reset Password            user                                            S
WP                        cn                      user                    S
WP                        distinguishedName       user                    S
WP                        name                    user                    S
WP                        userAccountControl      user                    S

Those are the core permissions.  You’ll obviously want more permissions than that; read the rest of the post for more info.  The purpose of this post is mailbox-enabled users and linked mailboxes.  The next two sections describe the minimum permissions required for creating a mailbox-enabled user and a linked mailbox respectively.  Each section is written in isolation, i.e. the linked mailbox section does not depend on the mailbox-enabled user section; both sections do, however, depend on the information written above.

Creating a mailbox-enabled user

To create a mailbox-enabled user we need to write the following additional attributes to the user before we run Update-Recipient and complete the process.

  • homeMDB
  • mailNickname
  • msExchHomeServerName

An optional (from the perspective that the mailbox will be created without it) but essential (from the perspective of recommended settings) addition to the list is:

  • mDBUseDefaults

Therefore to grant the permissions to write these attributes we need to add the following ACEs.

Permission/Access right   Object type/Attribute   Inherited object type   Inheritance
WP                        homeMDB                 user                    S
WP                        mailNickname            user                    S
WP                        mDBUseDefaults          user                    S
WP                        msExchHomeServerName    user                    S

Next you need permissions to run the Update-Recipient cmdlet.  The current guidance states that you should add the ADMA account to the Recipient Administrators group; however, that grants too much access, so you should instead create a custom role group as I describe in this post.

Note.

The FIM PG will publish revised documentation on minimum permissions and firewall ports and the advice in this post will align with the information in that documentation refresh.

It is highly likely that you will want to synchronise additional attributes. The previous post defines a bunch of common attributes and describes how to implement the permissions for those attributes.

Creating a linked mailbox

A linked mailbox requires provisioning code.  I don’t think we can create a linked mailbox via declarative provisioning, but I might be wrong.  But I digress.  To create a linked mailbox you would use either ExchangeUtils::CreateMailbox(ConnectedMA, ReferenceValue, String, String, Byte[]) or ExchangeUtils::CreateMailbox(ConnectedMA, ReferenceValue, String, String, long, long, long, Byte[]), which set the following attributes (that we have not yet factored into our permissions list):

  • homeMDB
  • mailNickname
  • mDBUseDefaults
  • msExchHomeServerName
  • msExchMailboxSecurityDescriptor
  • msExchMasterAccountSid
  • nTSecurityDescriptor

The following permissions therefore need to be granted.

Permission/Access right   Object type/Attribute              Inherited object type   Inheritance
WP                        homeMDB                            user                    S
WP                        mailNickname                       user                    S
WP                        mDBUseDefaults                     user                    S
WP                        msExchHomeServerName               user                    S
WP                        msExchMailboxSecurityDescriptor    user                    S
WP                        msExchMasterAccountSid             user                    S
WP                        nTSecurityDescriptor               user                    S
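The ACEs from the three tables above (core user permissions, mailbox-enabled user attributes, and the extra attributes a linked mailbox needs) can be applied with dsacls.exe in one script.  This is an added example, not code from the original post; the OU distinguished name and the ADMA account name are placeholders.

```powershell
# Added example (not from the original post): apply the ACEs from the tables above
# with dsacls.exe. The OU DN and the ADMA account are placeholders; adjust to your forest.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OU      = 'OU=Provisioned Users,DC=contoso,DC=com',  # placeholder OU
    [string]$Trustee = 'CONTOSO\svc-adma',                        # placeholder ADMA account
    [switch]$LinkedMailbox   # also grant the extra attributes ExchangeUtils::CreateMailbox writes
)

# Each entry: the /I inheritance option and the /G grant string (trustee:perms;object;inheritedObject)
$grants = @(
    @{ I = $null; G = "${Trustee}:CCDC;user" }                     # create/delete user objects in the OU itself
    @{ I = 'S';   G = "${Trustee}:CCDC;user;organizationalUnit" }  # ...and in child OUs (needed for moves)
    @{ I = 'S';   G = "${Trustee}:CA;Reset Password;user" }        # control access right on user objects
)

$attrs = 'cn', 'distinguishedName', 'name', 'userAccountControl',           # core user attributes
         'homeMDB', 'mailNickname', 'mDBUseDefaults', 'msExchHomeServerName' # mailbox-enabled user
if ($LinkedMailbox) {
    $attrs += 'msExchMailboxSecurityDescriptor', 'msExchMasterAccountSid', 'nTSecurityDescriptor'
}
# WP = Write Property, limited to one named attribute on user objects, child objects only (/I:S)
foreach ($a in $attrs) { $grants += @{ I = 'S'; G = "${Trustee}:WP;${a};user" } }

foreach ($g in $grants) {
    $dsaclsArgs = @($OU)
    if ($g.I) { $dsaclsArgs += "/I:$($g.I)" }
    $dsaclsArgs += '/G', $g.G
    # -WhatIf prints the dsacls command instead of running it
    if ($PSCmdlet.ShouldProcess($OU, "dsacls $($dsaclsArgs -join ' ')")) {
        & dsacls.exe @dsaclsArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$($g.G)' (exit code $LASTEXITCODE)" }
    }
}
```

Save it as a .ps1 and run it with -WhatIf first to review every dsacls command before anything is written; add -LinkedMailbox for the linked mailbox attribute set.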

Next you need permissions to run the Update-Recipient cmdlet.  The current guidance states that you should add the ADMA account to the Recipient Administrators group; however, that grants too much access, so you should instead create a custom role group as I describe in this post.

Note.

The FIM PG will publish revised documentation on minimum permissions and firewall ports and the advice in this post will be included in that documentation refresh.

In addition, a user right (a type of privilege) is also required: SeRestorePrivilege, a.k.a. Restore files and directories.  This user right must be granted to the ADMA account on all domain controllers.  For more information see this post.

Note.

When you provision a linked mailbox you will receive an exported-change-not-reimported error on the subsequent import.  This is because we need to normalise the SD just like AD does.  The registry value ADMADoNormalization turns this feature on; however, doing so when implementing least privilege will break the export.  More information is in this post.  Until the bug is fixed (I have logged it) I am choosing not to enable ADMADoNormalization and instead ignore the exported-change-not-reimported error.

Wrap up

I’ve discussed the additional permissions required for a mailbox-enabled user and a linked mailbox.  I haven’t discussed GAL attributes as they’re covered in the previous post.  If there are other attributes that you need you can now see how to grant access to those attributes.
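Having granted the attributes, it is worth checking what the ADMA account can actually write on user objects under the OU, so that nothing broader (a blanket Write Property or GenericWrite ACE, say) crept in.  The following is an added example, not code from the original post; it uses the ActiveDirectory module's AD: drive, and the OU and account names are placeholders.

```powershell
# Added example (not from the original post): list the attributes a trustee may write on
# user objects under an OU and diff them against the expected least-privilege set from the
# tables in this post. Requires the ActiveDirectory module (AD: drive). OU/account are placeholders.
Import-Module ActiveDirectory

$OU       = 'OU=Provisioned Users,DC=contoso,DC=com'   # placeholder OU
$Trustee  = 'CONTOSO\svc-adma'                         # placeholder ADMA account
$Expected = 'cn', 'distinguishedName', 'name', 'userAccountControl',
            'homeMDB', 'mailNickname', 'mDBUseDefaults', 'msExchHomeServerName'

# Map schemaIDGUID -> lDAPDisplayName so each ACE's ObjectType GUID can be shown as an attribute name
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
$userClass = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))').schemaIDGUID

function Get-WritableUserAttribute {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
            $_.InheritedObjectType -eq $userClass        # only ACEs scoped to user objects, as in the tables
        } |
        ForEach-Object {
            if ($_.ObjectType -eq [guid]::Empty)         { '<all properties>' }   # blanket WP: too broad
            elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
            else                                         { "$($_.ObjectType)" }  # property set or unknown GUID
        } | Sort-Object -Unique
}

$granted = @(Get-WritableUserAttribute -Path $OU -Identity $Trustee)
"Granted but not expected (tighten): " + (($granted  | Where-Object { $Expected -notcontains $_ }) -join ', ')
"Expected but not granted (fix):     " + (($Expected | Where-Object { $granted  -notcontains $_ }) -join ', ')
```

Add the three linked mailbox attributes to $Expected when auditing an ADMA account that provisions linked mailboxes.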

This post specifically targets Exchange Server 2010.  The permissions are pretty much the same as Exchange Server 2007.  IIRC e2k7 doesn’t require msExchHomeServerName.  Exchange Server 2003 is a little different but the premise is the same.

The important points I want to get across are these:

  1. Endeavour to follow the practice of least privilege in all aspects of FIM.  And with the ADMA don’t put up with administrative access!
  2. The “protect this container from accidental deletion” option in 2008+ tools will break move and delete permissions.
  3. Linked mailboxes require SeRestorePrivilege on domain controllers.

Hopefully this helps someone.


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in Active Directory, FIM, FIM 2010, FIM 2010 R2.

3 Responses to Delegating the minimum set of permissions for mailbox-enabled user and linked mailbox provisioning

  1. Pingback: Forefront Identity Manager 2010 build 4.0.3627.2 released | Yet another identity management blog

  2. Pingback: Forefront Identity Manager 2010 R2 build 4.1.2548.0 released | Yet another identity management blog

  3. Pingback: Note-to-self: Exchange recipient administration rights in ILM/FIM/MIM | Identity Underground
