How to Apply Permissions


There are several ways to apply permissions. Microsoft provides two tools: ADSI Edit (AdsiEdit.msc) and DSACLS (Dsacls.exe). Both tools are included on the Windows Server 2003 CD in Support\Tools. Several third-party products exist that can also be used to apply these rights.

Note

Incorrectly modifying the attributes of Active Directory objects by using ADSI Edit, DSACLS, the LDP tool (ldp.exe), or any other LDAP (Lightweight Directory Access Protocol) version 3 client can cause serious problems. These problems may require reinstallation of Windows Server, Exchange Server, or both. Problems that occur if Active Directory object attributes are incorrectly modified may not be resolvable. Modify these attributes at your own risk.

Changing permissions in the domain naming context requires Domain Admin rights on the object whose permissions you want to change.

The following example shows how either tool can be used to delegate specific rights to Exchange administrators. It can serve as a template for delegating rights over users, contacts, and groups.

Exchange administrators in the universal security group "ExAdminGroup" require the ability to manage e-mail addresses and display names, and to move mailboxes, for all users located in (and below) the organizational unit "UsersContainer" in the "company.com" domain. This example assumes "ExAdminGroup" holds the "Exchange Administrator Role" in both the source and destination administrative groups. The examples show how to apply rights on the UsersContainer by granting read and/or write access to the following attributes within the UsersContainer:

  • displayName

  • E-Mail Address (mail)

  • homeMDB

  • homeMTA

  • msExchHomeServerName

  • msExchPoliciesExcluded

  • Proxy Addresses (proxyAddresses)

  • targetAddress

  • textEncodedORAddress
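The following PowerShell script is an added example, not part of the original article, showing how the delegation described above can be scripted with DSACLS instead of clicked through in ADSI Edit. It uses the scenario's own names (the OU "UsersContainer" in "company.com" and the group "ExAdminGroup"). Two things are assumptions of this example rather than statements of the article: it grants both read and write (RPWP) on every listed attribute, whereas the article only says "read and/or write", and it applies the ACEs to child objects of class user, contact, and group, which the article names as the object types the template is meant for. It must be run with Domain Admin rights on a machine that has dsacls.exe available; it starts in dry-run mode so you can review the command lines before any ACL is changed.

```powershell
# Added example (not from the original article): delegate read/write on the
# listed attributes to ExAdminGroup for user, contact and group objects below
# the UsersContainer OU, using DSACLS. Requires Domain Admin rights.

$OU      = "OU=UsersContainer,DC=company,DC=com"   # from the article's scenario
$Trustee = "company\ExAdminGroup"                  # from the article's scenario

# The attributes listed in the article (LDAP display names).
$Attributes = @(
    "displayName",
    "mail",
    "homeMDB",
    "homeMTA",
    "msExchHomeServerName",
    "msExchPoliciesExcluded",
    "proxyAddresses",
    "targetAddress",
    "textEncodedORAddress"
)

# Assumption: the object classes the delegation should cover.
$ObjectClasses = @("user", "contact", "group")

# $true prints the dsacls command lines only; set to $false to apply them.
$DryRun = $true

foreach ($class in $ObjectClasses) {
    foreach ($attr in $Attributes) {
        # Assumption: RPWP (Read Property + Write Property) on each attribute.
        # DSACLS /G syntax: trustee:permissions;attribute;inherited-object-class
        # /I:S puts the ACE on sub-objects only, not on the OU object itself.
        $grant      = "${Trustee}:RPWP;${attr};${class}"
        $dsaclsArgs = @($OU, "/I:S", "/G", $grant)

        if ($DryRun) {
            Write-Output ("dsacls " + ($dsaclsArgs -join " "))
        } else {
            & dsacls.exe @dsaclsArgs
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "dsacls failed for '$grant' (exit code $LASTEXITCODE)"
            }
        }
    }
}

# After applying, dump the resulting ACL to verify that only the intended
# ACEs were added (this call reads the ACL and changes nothing):
#   dsacls "OU=UsersContainer,DC=company,DC=com"
```

Because each attribute is granted in its own ACE, the resulting ACL is easy to audit: a reviewer can see that ExAdminGroup has property-level rights on exactly the nine attributes above and nothing broader such as Full Control or Write on the whole object. Keep the dry-run output with the change record so the delegation can be reversed with matching `dsacls /R` calls if needed.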