Share via


Mail Recipient Creation role

Applies to: Exchange Server 2013

The Mail Recipient Creation management role enables administrators to create mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. This role can be combined with the Mail Recipients role to enable the creation and management of recipients. For more information, see Mail Recipients role.

This role doesn't enable you to mail-enable public folders. To mail-enable public folders, the Mail Enabled Public Folders role must be used. For more information, see Mail Enabled Public Folders role.

If your organization maintains a Role Based Access Control (RBAC) split permissions model where recipient creation is performed by a different group than those who perform recipient management, assign the Mail Recipient Creation role to the management role group that performs recipient creation, and the Mail Recipients role to the role group that performs recipient management.

If your organization has enabled Active Directory split permissions, all non-delegating management role assignments to this management role were removed. When Active Directory split permissions is enabled, only Active Directory administrators using Active Directory management tools can create new security principals such as users and security groups.

For more information about RBAC and Active Directory split permissions, see Understanding split permissions.

Additional scope considerations

In addition to recipient scopes, the New-Mailbox cmdlet, which is included with this role, is also scoped using database configuration scopes. Database configuration scopes control which databases the cmdlet can create new mailboxes on. The database where you want to create a mailbox must be within the database scope. This condition applies when you specify a database using the Database parameter on the New-Mailbox cmdlet or if you allow automatic mailbox distribution to select the database for you. For more information, see Understanding management role scopes.

Default management role assignments

This role has role assignments to one or more role assignees. The following table indicates whether the role assignment is regular or delegating, and also indicates the management scopes applied to each assignment. The following list describes each column:

  • Regular assignment: Regular role assignments enable the role assignee to access the permissions provided by the management role entries on this role.
  • Delegating assignment: Delegating role assignments give the role assignee the ability to assign this role to role groups, users, or USGs.
  • Recipient read scope: The recipient read scope determines what recipient objects the role assignee is allowed to read from Active Directory.
  • Recipient write scope: The recipient write scope determines what recipient objects the role assignee is allowed to modify in Active Directory.
  • Configuration read scope: The configuration read scope determines what configuration and server objects the role assignee is allowed to read from Active Directory.
  • Configuration write scope: The configuration write scope determines what organizational and server objects the role assignee is allowed to modify in Active Directory.

Default management role assignments for this role

Role group Regular assignment Delegating assignment Recipient read scope Recipient write scope Configuration read scope Configuration write scope
Organization Management X X Organization Organization OrganizationConfig OrganizationConfig
Recipient Management X Organization Organization OrganizationConfig OrganizationConfig