DOCUMENT:Q283271 17-JUN-2002 [exchange] TITLE :XADM: How to Give Users Permissions to Create Mail-Enabled Users PRODUCT :Microsoft Exchange PROD/VER::2000,5.5 SP3,5.5 SP4 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Exchange Server, versions 5.5 SP3, 5.5 SP4 - Microsoft Windows 2000 Server ------------------------------------------------------------------------------- SUMMARY ======= This article describes how to give a user or designated group of users the minimum permissions to create a mail-enabled user account in Active Directory. NOTE: This article describes how to change permissions in the Windows 2000 version of the Active Directory Connector (ADC) only. MORE INFORMATION ================ To complete the procedures described in this section, you must have a functioning two-way Connection Agreement between the Exchange Server 5.5 computer and Windows 2000 Active Directory. First, give the user or group read-only permissions on the Microsoft Exchange container: 1. Log on as a domain administrator, and then start the Active Directory Sites and Services snap-in. 2. Click Show Services on the View menu. 3. Click to expand Services, and then click Microsoft Exchange. 4. Open the properties of the Microsoft Exchange object, and then click the Security tab. 5. Click Add, click the user or group that you want to give permissions to, click OK, and then click OK. Next, give the user or group the appropriate permissions to access the Active Directory Connections container: 1. Open the properties of the Active Directory Connections container. 2. Click the Security tab, click Add, click the user or group that you gave read-only permissions to in the preceding procedure, and then click OK. 3. Click Advanced on the Security tab. 4. Find the user or group that you gave read-only permissions to, click View/Edit, and then click "This object and all child objects" in the Apply Onto box. 5. Click OK, click OK, and then click OK. Finally, make the user or group a member of the Account Operators Built-in group so that they can create user accounts: 1. Start the Active Directory Users and Computers snap-in. 2. Click to expand your domain, and then click the Built-in container. 3. Double-click the Account Operators group, and then click the Members tab. 4. Click Add, click the user or group that you want to make a member of this group, click OK, and then click OK. Additional query words: ADC AD win2k ====================================================================== Keywords : Technology : kbwin2000Serv kbwin2000ServSearch kbwin2000Search kbExchangeSearch kbZNotKeyword2 kbExchange550SP3 kbExchange550SP4 Version : :2000,5.5 SP3,5.5 SP4 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.