In Zimbra Open Source Edition.

I have multiple sites, each with one or more domains, that I'm starting to set up - master LDAP (and mta/mailstore/logger) at one site, slave LDAP/mta/mailstore at each remote site. While ideally I'd like to get the Network Edition, the cost is prohibitive.

The biggest feature from NE that I am missing is 'Domain Specific Administrators that don't have access to other domains within the group'. I don't particularly have a problem with admin staff being able to make LDAP-level provisioning changes for other sites.

User authentication is done via site-local Active Directory domains.

My only real problem with 'any domain admin being admin for all domains' is the 'view mailbox' function from the admin console. Is there a way to configure Zimbra so that there is no way for an admin user to 'become any other user w/o any authentication' via the admin console? I understand the reason for the function in the first place, and if we had just one domain, it wouldn't matter.

Having said that, users at one site being able to share a mail folder (at a read/write level - as well as sharing address book and calendar) with a user at a different site and domain is exactly the reason for using Zimbra in the master/slave LDAP setup in the first place.

I know we would be able to limit admins viewing other sites' users' email by simply having a standalone Zimbra setup at each location - but then we would not be able to grant read/write access to shared mail folders across locations.