Delegate admin access on Zimbra and remove view mail and change password permission
Posted On November 8, 2017
We had a task of creating a domain administrator account for Zimbra, but without access to users' mail and the ability to change passwords. This is how we got it done. We will be using user tmpadmin and domain contoso as an example.
1. Create the account with the Zimbra zmprov CLI tool
zmprov ca alex@contoso.com "Your password"
2. Run the following commands to assign the correct permissions.
zmprov ma alex@contoso.com zimbraIsDelegatedAdminAccount TRUE zimbraAdminConsoleUIComponents cartBlancheUI
zmprov grr global usr alex@contoso.com +adminConsoleRights
zmprov grr global usr alex@contoso.com -adminLoginAs
zmprov grr global usr alex@contoso.com -setAccountPassword
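It may be easier to create a small shell script to get the job done if you have more than one account. In order to run it:
./myscript.sh username password
Contents of myscript.sh:
#!/bin/sh
# $1 = account (user@domain), $2 = password; both are quoted so that spaces survive.
# The password is passed on the command line, so it is visible in the process list and shell history.
zmprov ca "$1" "$2"
zmprov ma "$1" zimbraIsDelegatedAdminAccount TRUE zimbraAdminConsoleUIComponents cartBlancheUI
zmprov grr global usr "$1" +adminConsoleRights
zmprov grr global usr "$1" -adminLoginAs
zmprov grr global usr "$1" -setAccountPassword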
If you need to disable user creation, deletion and editing for this account, you can add the lines below:
zmprov grantRight domain "domain" usr "username@domain" -createAccount
zmprov grantRight domain "domain" usr "username@domain" -deleteAccount
zmprov grantRight domain "domain" usr "username@domain" -modifyAccount
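To confirm that the negative grants above took effect, the following added example (not part of the original post) asks zmprov whether the delegated admin still holds the two removed rights on a sample mailbox. The function names check_right and audit_admin and the ZMPROV variable are hypothetical, and the script assumes that `zmprov ckr` (checkRight) prints a line beginning with ALLOWED or DENIED.

```shell
#!/bin/sh
# Added example: audit a delegated admin created with the steps above.
# Assumption: `zmprov ckr` (checkRight) prints a line that starts with
# ALLOWED or DENIED; adjust the match if your Zimbra release differs.

ZMPROV="${ZMPROV:-zmprov}"   # hypothetical override, e.g. a wrapper script

# Rights the page removes from the delegated admin.
DENIED_RIGHTS="adminLoginAs setAccountPassword"

# check_right ADMIN TARGET RIGHT -> prints ALLOWED, DENIED or UNKNOWN
check_right() {
    # ckr argument order: target-type, target, grantee, right
    out=$("$ZMPROV" ckr account "$2" "$1" "$3" 2>&1)
    case "$out" in
        ALLOWED*) echo ALLOWED ;;
        DENIED*)  echo DENIED ;;
        *)        echo UNKNOWN ;;   # error text or unexpected output
    esac
}

# audit_admin ADMIN TARGET -> returns 0 only if every right is DENIED
audit_admin() {
    admin=$1 target=$2 rc=0
    for right in $DENIED_RIGHTS; do
        result=$(check_right "$admin" "$target" "$right")
        printf '%s on %s: %s %s\n' "$admin" "$target" "$right" "$result"
        # Anything other than an explicit DENIED fails the audit.
        [ "$result" = DENIED ] || rc=1
    done
    return $rc
}

# Run only when both arguments are given, e.g.
#   ./audit.sh alex@contoso.com someuser@contoso.com
if [ $# -eq 2 ]; then
    audit_admin "$1" "$2"
fi
```

A non-zero exit status means at least one of the rights was not reported as DENIED, so the script can be dropped into a periodic check of delegated admin accounts.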