Most Exchange information is stored in Active Directory. You can use the features of Active Directory to manage these standard permissions across the Exchange organization.
Assigning Exchange Server Permissions to Users, Contacts, and Groups
Users, contacts, and groups are represented in Active Directory as objects. These objects have many attributes that determine how they are used. The most important attributes are the permissions assigned to the object. Permissions grant or deny access to objects and resources. For example, you can grant a user the right to create public folders but deny that same user the right to view the status of the information store.
Permissions assigned to an object can be applied directly to the object, or they can be inherited from another object. Generally, objects inherit permissions from parent objects. A parent object is an object that is above another object in the object hierarchy. However, you can override inheritance. One way to do this is to assign permissions directly to an object. Another way is to specify that an object shouldn't inherit permissions.
In Exchange Server 2010, permissions are inherited through the organizational hierarchy. The root of the hierarchy is the Organization node. All other nodes in the tree inherit the Exchange permissions of this node. For example, the permissions on the Recipient Configuration node are inherited from the Organization node.
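The inheritance described above can be checked directly on the Exchange organization tree in the configuration partition. The following PowerShell is an added example, not code from the book; it assumes the ActiveDirectory module (RSAT) is loaded on a domain-joined machine and uses the placeholder organization name "ExampleOrg". It reports, for the Organization node and each child container, whether inheritance has been blocked and which ACEs were set directly on the object rather than inherited; those explicit entries are the ones that override the parent's permissions and are worth reviewing.

```powershell
# Added example (not from the original text). Requires the ActiveDirectory module.
# "ExampleOrg" is a placeholder; substitute your Exchange organization name.
Import-Module ActiveDirectory

function Get-ExchangeAceSummary {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $acl       = Get-Acl -Path "AD:\$DistinguishedName"
    $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })

    New-Object PSObject -Property @{
        Object             = $DistinguishedName
        # True when "inherit permissions from parent" has been turned off on this object
        InheritanceBlocked = $acl.AreAccessRulesProtected
        InheritedAceCount  = $inherited.Count
        ExplicitAceCount   = $explicit.Count
        # Explicit ACEs override what the parent node would otherwise supply
        ExplicitAces       = $explicit | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
    }
}

$configNc = (Get-ADRootDSE).configurationNamingContext
$orgDn    = "CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,$configNc"   # placeholder org name

# The Organization node is the root of the Exchange permission hierarchy
Get-ExchangeAceSummary -DistinguishedName $orgDn | Format-List

# Every child container should inherit from it; list any child one level down
# that blocks inheritance or carries ACEs of its own
Get-ADObject -SearchBase $orgDn -SearchScope OneLevel -Filter * |
    ForEach-Object { Get-ExchangeAceSummary -DistinguishedName $_.DistinguishedName } |
    Where-Object { $_.InheritanceBlocked -or $_.ExplicitAceCount -gt 0 } |
    Format-List Object, InheritanceBlocked, ExplicitAceCount, ExplicitAces
```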
For the management of Exchange information and servers, Exchange Server 2010 uses several predefined groups. These predefined security groups have permissions to manage Exchange organization, Exchange server, and Exchange recipient data in Active Directory. In Active Directory Users And Computers, you can view and work with the Exchange-related groups using the Microsoft Exchange Security Groups node. (See Figure 1.)
Tip
In Active Directory Users And Computers, there's a hidden container of Exchange objects called Microsoft Exchange System Objects. You can display this container by selecting Advanced Features on the View menu.
Understanding the Exchange Management Groups
Table 1 lists predefined groups created in Active Directory for Exchange Server 2010. As the table shows, each group has a slightly different usage and purpose. Several of the groups are used by Exchange servers. These groups are Exchange Servers, Exchange Trusted Subsystem, Exchange Windows Permissions, and ExchangeLegacyInterop. As indicated in the table, you use the other groups for role-based access control and assigning management permissions.
Note
Exchange 2003 and Exchange 2007 use a different set of security groups for managing Exchange permissions. If you want a user or group that had permissions in Exchange 2003 or Exchange 2007 to have permission in Exchange 2010, you need to configure the appropriate Exchange 2010 permissions for that user or group.
Table 1. Security Groups Created for Exchange

| GROUP | GROUP TYPE | DESCRIPTION | ROLE GROUP |
|---|---|---|---|
| Delegated Setup | Universal Security Group | Members of this group have permission to install and uninstall Exchange on provisioned servers. | Yes |
| Discovery Management | Universal Security Group | Members of this group can perform mailbox searches for data that meets specific criteria. | Yes |
| Exchange All Hosted Organizations | Global Security Group | Members of this group include hosted organization mailbox groups. This group is used to apply Password Setting objects to all hosted mailboxes. | No |
| Exchange Install Domain Servers | Global Security Group | Members of this group include domain controllers on which Exchange Server is installed. You can see this group only when you select View and then click Advanced Features in Active Directory Users And Computers. | No |
| Exchange Servers | Universal Security Group | Members of this group are Exchange servers in the organization. This group allows Exchange servers to work together. By default, all computers running Exchange Server 2010 are members of this group; you should not change this setup. | No |
| Exchange Trusted Subsystem | Universal Security Group | Members of this group are Exchange servers that run Exchange cmdlets using Windows Remote Management (WinRM). Members of this group have permission to read and modify all Exchange configuration settings as well as user accounts and groups. | No |
| Exchange Windows Permissions | Universal Security Group | Members of this group are Exchange servers that run Exchange cmdlets using WinRM. Members of this group have permission to read and modify user accounts and groups. | No |
| ExchangeLegacyInterop | Universal Security Group | Members of this group are granted send-to and receive-from permissions, which are necessary for routing group connections between Exchange Server 2010 and Exchange Server 2003. Exchange Server 2003 bridgehead servers must be made members of this group to allow proper mail flow in the organization. | No |
| Help Desk | Universal Security Group | Members of this group can view any property or object within the Exchange organization and have limited management permissions. | Yes |
| Hygiene Management | Universal Security Group | Members of this group can manage the antispam and antivirus features of Exchange. | Yes |
| Organization Management | Universal Security Group | Members of this group have full access to all Exchange properties and objects in the Exchange organization. | Yes |
| Public Folder Management | Universal Security Group | Members of this group can manage public folders and perform most public folder management operations. | Yes |
| Recipient Management | Universal Security Group | Members of this group have permissions to modify Exchange user attributes in Active Directory and perform most mailbox operations. | Yes |
| Records Management | Universal Security Group | Members of this group can manage compliance features, including retention policies, message classifications, and transport rules. | Yes |
| Server Management | Universal Security Group | Members of this group can manage all Exchange servers in the organization but do not have permission to perform global operations. | Yes |
| UM Management | Universal Security Group | Members of this group can manage all aspects of unified messaging (UM), including Unified Messaging server configuration and UM recipient configuration. | Yes |
| View-Only Organization Management | Universal Security Group | Members of this group have read-only access to the entire Exchange organization tree in the Active Directory configuration container and read-only access to all the Windows domain containers that have Exchange recipients. | Yes |
When working with Exchange-related groups, be sure to keep in mind that Organization Management grants the widest set of Exchange management permissions possible. Members of this group can perform any Exchange management task, including organization, server, and recipient management. Members of the Recipient Management group, on the other hand, can manage only recipient information, and Public Folder Management can manage only public folder information. View-Only Organization Management can view Exchange organization, server, and recipient information, but this group cannot manage any aspects of Exchange.
Table 2 provides an overview of the default group membership for the Exchange groups. Membership in a particular group grants the member the permissions of the group. Exchange groups that aren't listed don't have any default members or membership.
Table 2. Default Membership for Exchange Security Groups

| GROUP | MEMBERS | MEMBER OF |
|---|---|---|
| Exchange Install Domain Servers | Individual Exchange servers | Exchange Servers |
| Exchange Servers | Exchange Install Domain Servers, individual Exchange servers | Windows Authorization Access Group |
| Exchange Trusted Subsystem | Individual Exchange servers | Exchange Windows Permissions |
| Exchange Windows Permissions | Exchange Trusted Subsystem | n/a |
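Because membership in these groups is what grants their permissions, Tables 1 and 2 together give a baseline to audit against: the four server-only groups should contain only Exchange computer accounts (directly or through each other), and any principal in Organization Management holds full rights over the organization. The following PowerShell is an added example, not code from the book; it assumes the ActiveDirectory module (RSAT) and that it is run in the domain where the Exchange security groups were created. It walks each predefined group recursively and flags non-computer principals in the server-only groups and every member of Organization Management.

```powershell
# Added example (not from the original text). Requires the ActiveDirectory module
# and must run in the domain that holds the Microsoft Exchange Security Groups OU.
Import-Module ActiveDirectory

# Expected state from Tables 1 and 2: these groups are populated by Exchange servers only
$serverOnlyGroups = @('Exchange Servers', 'Exchange Trusted Subsystem',
                      'Exchange Windows Permissions', 'Exchange Install Domain Servers')
# Role groups from Table 1: administrators are placed here deliberately
$roleGroups = @('Organization Management', 'Recipient Management', 'Server Management',
                'Public Folder Management', 'View-Only Organization Management',
                'Discovery Management', 'Records Management', 'Hygiene Management',
                'Help Desk', 'UM Management', 'Delegated Setup')

function Get-ExchangeGroupAudit {
    foreach ($name in ($serverOnlyGroups + $roleGroups)) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }   # group not present in this domain

        # -Recursive expands nested groups (e.g. Exchange Install Domain Servers inside
        # Exchange Servers) so that only leaf principals are examined
        foreach ($member in (Get-ADGroupMember -Identity $group -Recursive)) {
            $finding = $null
            if (($serverOnlyGroups -contains $name) -and ($member.objectClass -ne 'computer')) {
                # A user or foreign group here gets server-level read/modify rights over AD
                $finding = 'Non-computer principal in server-only group'
            } elseif ($name -eq 'Organization Management') {
                $finding = 'Full Exchange organization rights; confirm this principal is intended'
            }
            if ($finding) {
                New-Object PSObject -Property @{
                    Group   = $name
                    Member  = $member.SamAccountName
                    Class   = $member.objectClass
                    Finding = $finding
                }
            }
        }
    }
}

Get-ExchangeGroupAudit | Format-Table Group, Member, Class, Finding -AutoSize
```

In a multi-domain forest, Get-ADGroupMember can fail on members from other domains; run the audit against the forest root domain where the universal groups were created.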