Delegate admin access on Zimbra and remove view mail and change password permission

Posted On November 8, 2017

We had a task of creating domain administrator account for Zimbra but without access to users mail and ability to change password. This is how we got it done. We will be using user tmpadmin and domain contose as an example.

1. Create account with Zimbra zmprov CLI tool

zmprov ca alex@contoso.com "Your password"

2. Run the following command to assign correct permissions.

zmprov ma alex@contoso.com zimbraIsDelegatedAdminAccount TRUE zimbraAdminConsoleUIComponents cartBlancheUI
zmprov grr global usr alex@contoso.com +adminConsoleRights 
zmprov grr global usr alex@contoso.com -adminLoginAs
zmprov grr global usr alex@contoso.com -setAccountPassword

It may be easier to create small shell script to get job done if you have more then one account. In order to run it:

./myscript.sh username passoword

zmprov ca $1 $2
zmprov ma $1 zimbraIsDelegatedAdminAccount TRUE zimbraAdminConsoleUIComponents cartBlancheUI
zmprov grr global usr $1 +adminConsoleRights 
zmprov grr global usr $1 -adminLoginAs
zmprov grr global usr $1 -setAccountPassword

If you need to disable user creation, delete and edit for this account you can add lines below

zmprov grantRight domain "domain" usr "username@domain" -createAccount
zmprov grantRight domain "domain" usr "username@domain" -deleteAccount
zmprov grantRight domain "domain" usr "username@domain" -modifyAccount