How to Use ADSI Edit to Apply Permissions
ADSI Edit acts as a low-level editor for Active Directory. By using ADSI Edit, administrators can view all objects (and associated properties) in the directory (including schema information), modify objects, and set access control lists on objects.
This topic serves as an example of using ADSI Edit. After you apply the example in this topic, the "ExAdminGroup" security group can manage e-mail addresses and display names, and move mailboxes, for all users contained in the "UsersContainer" organizational unit hierarchy.
Before You Begin
If you use the ADSI Edit snap-in and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows Server 2003, Microsoft Exchange Server 2003, or both. Modify these attributes at your own risk.
To use ADSI Edit for permissioning
1. Open ADSI Edit. On the Action menu, click Connect To, and then specify the domain where you want to make changes. Click OK.
2. Expand the Domain Naming Context (Domain NC) hierarchy to the appropriate container: OU=UsersContainer,DC=company,DC=com.
3. Right-click the container, and then select Properties.
4. Select the Security tab, and then click Advanced.
5. In Advanced Security Settings for Group Name, click Add and then select the group object, Company\ExAdmin Group. Click OK.
6. In Permission Entry for Users, click the Properties tab, and then select User Objects from the list to change the Apply onto field.
7. For each of the following property rights, select the Allow permission:
Read Proxy Addresses
Read E-Mail Address
Read Exchange Mailbox Store
Write Proxy Addresses
Write E-Mail Address
Write Exchange Mailbox Store
Read Exchange Home Server
Write Exchange Home Server
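
To confirm that the procedure produced only the intended delegation, the following PowerShell script reads the access control list on the container and reports which of the eight property rights are present for the group, plus any other explicit entries the group holds there. It is an added example and not part of the original topic. It assumes the ActiveDirectory PowerShell module is available, that the group is named Company\ExAdminGroup, and that the property names shown in the dialog map to the attributes proxyAddresses, mail, homeMDB, and msExchHomeServerName.

```powershell
# Added example: audit the delegation on the container after the procedure above.
Import-Module ActiveDirectory

$ouDn  = 'OU=UsersContainer,DC=company,DC=com'   # container used in this topic
$group = 'Company\ExAdminGroup'                  # group used in this topic (assumed spelling)
# Assumption: dialog display name -> lDAPDisplayName of the attribute
$attrs = [ordered]@{
    'Proxy Addresses'        = 'proxyAddresses'
    'E-Mail Address'         = 'mail'
    'Exchange Mailbox Store' = 'homeMDB'
    'Exchange Home Server'   = 'msExchHomeServerName'
}

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapName' not found (is the Exchange schema extension present?)" }
    [guid]$o.schemaIDGUID
}
$userClass = Get-SchemaGuid 'user'

# Explicit (non-inherited) entries for the group on this container only.
$aces = @((Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited })

$expected = @()
$report = foreach ($name in $attrs.Keys) {
    $guid = Get-SchemaGuid $attrs[$name]
    $expected += $guid
    foreach ($right in 'ReadProperty', 'WriteProperty') {
        $flag = [System.DirectoryServices.ActiveDirectoryRights]$right
        $hit = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $guid -and              # the property being delegated
            $_.InheritedObjectType -eq $userClass -and # "Apply onto: User objects"
            $_.ActiveDirectoryRights.HasFlag($flag)
        }
        [pscustomobject]@{ Right = "$right $name"; Present = [bool]$hit }
    }
}
$report | Format-Table -AutoSize

# Least-privilege check: anything the group holds here beyond the four properties.
$extra = $aces | Where-Object { $expected -notcontains $_.ObjectType }
if ($extra) {
    Write-Warning "Unexpected explicit entries for $group on ${ouDn}:"
    $extra | Format-List ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}
```

A row with Present set to False means the corresponding check box was not applied; any output under the warning is a right that this topic did not grant and should be reviewed.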