How to allow people who aren't members of the Organization Management role group to install Exchange?

 

Delegate the installation of an Exchange 2016 server

 


An Exchange administrator can provision a new server in Active Directory hours or even days before Exchange is installed on the new computer. After a server has been provisioned, the person doing the installation needs only to be a member of the Delegated Setup role group to install Exchange.

The Delegated Setup role group only allows members to install provisioned servers.

Normally, when Exchange is installed, the people installing Exchange need to be members of the Organization Management role group.

This is because when Exchange is installed, changes are made to Active Directory, and only Exchange administrators, who are members of the Organization Management role group, can make those changes. The following list shows the changes that are made:

·         A server object is created in the CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Root Domain> configuration partition.

 

·         The following access control entries (ACEs) are added to the server object within the configuration partition for the Delegated Setup role group:

 

o    Full Control on the server object and its child objects

o    Deny access control entry for the Send As extended right

o    Deny access control entry for the Receive As extended right

o    Deny CreateChild and DeleteChild permissions for Exchange Public Folder Store objects

 

NOTE: Public folders are administered at an organizational level; therefore, the creation and deletion of public folder stores is restricted to Exchange administrators.

 

·         The Active Directory computer account for the server is added to the Exchange Servers group.

·         The server is added as a provisioned server in the Exchange Admin Center.

 

Keep the following in mind:

·         At least one Exchange 2016 server has to already be installed before you can delegate the installation of additional servers. The person who installs the first server needs to be an Exchange administrator.

·         A delegated user can't uninstall an Exchange server. To uninstall an Exchange server, you need to be an Exchange administrator.

 

To provision a server for Exchange, you need to use Exchange 2016 command-line Setup.

 

The command that you need to use to provision the server depends on whether you're running Setup from the computer you're provisioning or from another computer. First, open a Command Prompt and change to the folder that contains the Exchange installation files:

 

·         Press the Windows key + 'R' to open the Run window.

 

·         In Open, type cmd.exe, and then press Enter to open a Windows Command Prompt.

 

CD "C:\Downloads\Exchange 2016"

 

Choose the command that matches where you're running Setup:

 

  • If you're running Setup on the computer that's being provisioned, run the following command:

 

Setup.exe /NewProvisionedServer /IAcceptExchangeServerLicenseTerms

 

  • If you're running Setup on another computer, run the following command:

Setup.exe /NewProvisionedServer:<ComputerName> /IAcceptExchangeServerLicenseTerms

 

 

Make sure to add the user who is going to install Exchange to the Delegated Setup group and to the Local Admin group on the server.

 

 

The delegated user should now be able to install Exchange Server.

https://technet.microsoft.com/en-us/library/bb201741(v=exchg.160).aspx
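To confirm that provisioning left the access control entries listed earlier on the server object, the ACL can be read back from the configuration partition. The script below is an added example, not part of the original article or of Exchange Setup; it assumes the ActiveDirectory RSAT module is installed, that the group resolves under its default name "Delegated Setup", and it uses the placeholder server name EX02.

```powershell
# Added example: audit the ACEs that provisioning grants to Delegated Setup.
# Assumptions: ActiveDirectory RSAT module present; 'EX02' is a placeholder name.
param([string]$ServerName = 'EX02')

Import-Module ActiveDirectory

# Schema GUIDs of the two extended rights that should carry a Deny ACE.
$extendedRights = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
}

# Locate the provisioned server object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -LDAPFilter "(&(objectClass=msExchExchangeServer)(cn=$ServerName))"
if (-not $server) { throw "No provisioned server object named '$ServerName' was found." }

# Read the ACL through the AD: drive and keep only Delegated Setup entries.
$aces = (Get-Acl -Path "AD:\$($server.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like '*\Delegated Setup' }

# Show every entry, naming the extended right where the ACE targets one.
$aces | Select-Object AccessControlType, ActiveDirectoryRights, IsInherited,
    @{ n = 'Right'; e = { $extendedRights["$($_.ObjectType)"] } } |
    Format-Table -AutoSize

# Warn when the Deny entry for Send As or Receive As is missing.
$extFlag = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
foreach ($guid in $extendedRights.Keys) {
    $deny = $aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ActiveDirectoryRights.HasFlag($extFlag) -and
        "$($_.ObjectType)" -eq $guid
    }
    if (-not $deny) {
        Write-Warning "No Deny ACE for '$($extendedRights[$guid])' on $ServerName"
    }
}
```

A warning here means a member of Delegated Setup may hold Send As or Receive As on that server through the Full Control entry, which is worth resolving before the group is populated.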

 

Below is a screenshot taken while the delegated user was installing Exchange Server; it shows that the Prerequisite Analysis completed successfully.

 
