As with previous versions of Exchange, the ability to administer an Exchange Server 2007 environment is based on permissions. Earlier versions like Exchange Server 2003 based their security around the concept of Exchange roles. These three Exchange roles were basically security groups that were granted specific administrative permissions in the Exchange environment, and were easily configured using the Delegation Wizard.
However, this model had some limitations. The Exchange Administrator group was too large, and many organizations wanted the ability to manage their security and permissions model at the individual server level.
In addition, there was no clear differentiation between administration of users and groups by the Active Directory administrators and by the Exchange recipient administrators. Exchange administrators had to be granted a very high level of permissions in Active Directory to perform Exchange recipient-related tasks.
In Microsoft Exchange Server 2007, these Exchange roles have been renamed “Exchange administrator roles,” and have been completely redesigned. The Exchange security and permissions model has been improved by the following changes:
Exchange has several new or redefined administrator roles that are similar to the built-in Windows Server security groups.
The Exchange Management Console (formerly known as the Exchange System Manager) and the Exchange Management Shell can be used to administer security groups. You can now view, add, or remove members from any administrator role directly in the Exchange Management interface.
When modifying an administrator role membership, no access control list (ACL) setting is required. The administrator roles are statically added to the appropriate object ACLs during setup.
The new predefined groups for Exchange configuration are as follows:
Exchange Organization Administrators
Exchange Recipient Administrators
Exchange Server Administrators
Exchange View-Only Administrators
During the Exchange setup process, when the Active Directory environment is being prepared, all of the administrator roles, with the exception of the Exchange Server Administrators, are created in the new Microsoft Exchange Security Groups container in Active Directory.
By granting a user membership in one of these groups, you allow them to manage Exchange data in Active Directory. These groups can manage three types of Exchange data:
Global data—Data stored in an Active Directory configuration container that is not associated with a particular server is known as global data. This includes mailbox policies, address lists, and the configuration of Exchange unified messaging. Global data generally impacts the entire organization, rather than individual users or groups. Potentially, it can affect all users in your company. Membership in the role that can manage global data should be kept to a limited number of skilled, trusted administrators.
Recipient data—Exchange 2007 recipients are Active Directory user objects that are mail-enabled. Recipient data includes mail-enabled contacts, distribution groups, and mailboxes.
Server data—Exchange server data is stored in Active Directory under the node for that specific server. Server data includes receive connectors, virtual directories, and server-specific configuration settings, as well as mailbox and storage group data.
Exchange Organization Administrators Role
The Exchange Organization Administrators role provides members with full access to all Exchange objects and properties throughout the organization. During the Exchange setup procedure, ForestPrep creates this group in the Microsoft Exchange Security Groups container within Active Directory Users and Computers.
Exchange Organization Administrators have the highest level of permissions in the Exchange environment. Performing any task that affects the entire organization requires this level of administrative rights. For example, membership in this group is required to create or delete connectors, change server policies, or change any global configuration settings.
By adding a user to this group, you grant the following permissions to that user:
Owner permission on the Exchange organization in the Configuration container of Active Directory. As an owner, the user has full control over the Exchange organization data located in the configuration container. Furthermore, the user has full control over the local Exchange server administrator group.
Read access to all domain user containers in Active Directory. When the first Exchange 2007 server is installed in a domain, Exchange grants this permission for that domain.
Write access to all Exchange-specific attributes in all domain user containers in Active Directory. This access is set during the setup of the first Exchange 2007 server in the domain.
Owner of all local server configuration data. This permission gives members full control over the local Exchange server. This access is granted during the setup of each Exchange server.
Exchange Recipient Administrators Role
Exchange Recipient Administrators have permissions to modify Exchange properties on any object in Active Directory, including users, contacts, groups, public folder objects, or dynamic distribution lists. Like the previous role, this role is created during ForestPrep in the Exchange setup procedure in the Microsoft Exchange Security Groups container in Active Directory. In addition, this role also allows you to manage Unified Messaging mailbox settings and Client Access mailbox settings.
Members of this role have the following permissions:
Read access to all the domain user containers in Active Directory (providing the domain has had DomainPrep run)
Write access to all the Exchange-specific attributes on the domain user containers in Active Directory (again, the domain must have had DomainPrep run)
Note
If a domain has not had DomainPrep completed, members of this group will not have permission to that domain. So, it is important to remember, when adding a new Exchange domain, to run DomainPrep in that domain to grant the Exchange administrator role groups the appropriate permissions.
Exchange Server Administrators Role
The Exchange Server Administrators role only has access to the local server Exchange configuration data. This data might be stored either in Active Directory, or on the actual Exchange 2007 server. This role is designed to give limited access to administrators who are authorized to administer a particular server, but who are not authorized to perform tasks that have a global impact in the Exchange environment.
A common use for this role might be an Exchange administrator in a remote site, who is able to administer the Exchange server(s) in their location, but who cannot add or delete users in the organization.
After a user is added to the Exchange Server Administrators role, they become a member of the Exchange Server Administrator (<Server Name>) group, which is created by Exchange 2007 during setup. Members of this role have the following permissions:
“Owner” access to all local server configuration data. Members of this group have full control over the configuration data of the local server itself.
Local administrator on the computer on which Exchange is installed.
Member of the Exchange View-Only Administrators role.
Exchange View-Only Administrators Role
The final (and least powerful) of the administrator roles is the Exchange View-Only Administrators role. Administrators assigned to this role have read-only access to the entire Exchange organization tree in the Active Directory Configuration container and read-only access to all the Windows domain containers that have Exchange recipients.
The View-Only Administrators role is created in the Microsoft Exchange Security Groups container in Active Directory during the Exchange ForestPrep process.
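The text notes that the Exchange Management Shell can view, add and remove administrator-role members. The script below is an added example (not from the book or from Microsoft) that uses that capability to audit the four roles described above against an approved list, which is the periodic check a security team would want given how much access Organization Administrators hold. It assumes the shell's Get-ExchangeAdministrator cmdlet returns objects with Identity, Role and Scope properties, that Role stringifies to OrgAdmin, RecipientAdmin, ServerAdmin or ViewOnlyAdmin, that Identity stringifies to a canonical name such as contoso.com/Users/Alice Admin, and that the approved list and its names are constructed.

```powershell
# Added example, not from the book: audit who holds each Exchange 2007
# administrator role and flag assignments that are not on an approved list.
# Assumptions: run inside the Exchange Management Shell; Get-ExchangeAdministrator
# returns Identity, Role and Scope; Identity stringifies to a canonical name.

# Constructed approved list: role name (as reported by the cmdlet) -> holders.
$approved = @{
    'OrgAdmin'       = @('contoso.com/Users/Alice Admin')
    'RecipientAdmin' = @('contoso.com/Users/Helpdesk Team')
    'ServerAdmin'    = @('contoso.com/Users/Bob Branch')
    'ViewOnlyAdmin'  = @('contoso.com/Users/Auditors')
}

function Get-UnapprovedExchangeAdmin {
    param([hashtable]$Approved)
    foreach ($entry in Get-ExchangeAdministrator) {
        $role = [string]$entry.Role
        $who  = [string]$entry.Identity
        $holders = $Approved[$role]
        # Unknown role names (for example a role added by a service pack) are
        # reported too, since they have no approved holders.
        if (($holders -eq $null) -or ($holders -notcontains $who)) {
            # Scope is the server name for ServerAdmin and empty for the others.
            $entry | Select-Object Identity, Role, Scope
        }
    }
}

$findings = @(Get-UnapprovedExchangeAdmin -Approved $approved)
if ($findings.Count -gt 0) {
    Write-Warning ("{0} role assignment(s) are not on the approved list:" -f $findings.Count)
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'All Exchange administrator-role assignments match the approved list.'
}

# Removing a reviewed, unwanted entry (-Scope is only meaningful for ServerAdmin):
# Remove-ExchangeAdministrator -Identity 'contoso.com/Users/Old Admin' -Role ServerAdmin -Scope 'EXCH01'
```

Because the roles are universal security groups in the Microsoft Exchange Security Groups container, nested group membership can hide individual holders; run the audit on the resolved membership of any group that appears in the output as well.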
Required Roles to Install Exchange Server 2007
If you are installing the first Exchange Server 2007 into an environment that has an existing Exchange presence, you must prepare the Active Directory schema. To accomplish this, you must be logged on as a user who is a member of the Exchange Schema Administrators group.
If the schema has already been prepped, and you are installing the first Exchange 2007 server in your environment, you must log on as a member of the Enterprise Administrators group.
Finally, if you are installing an additional Exchange 2007 server into an environment where one already exists, you must log on to an account that is a member of the Exchange Organization Administrators group. In addition, the account must be a member of the local Administrators group on that computer.
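As an added example (not from the book), the script below checks the logged-on account's token against the memberships the three installation scenarios above require, so that setup is run with the least-privileged account that will actually succeed. It assumes PowerShell 2.0, a constructed NetBIOS domain name CONTOSO, and that the built-in Active Directory groups named Schema Admins and Enterprise Admins are the groups the text calls Exchange Schema Administrators and Enterprise Administrators.

```powershell
# Added example, not from the book: verify the current account holds the group
# memberships required for a given Exchange 2007 setup scenario.
# Assumptions: PowerShell 2.0; constructed domain name CONTOSO; built-in group
# names 'Schema Admins' and 'Enterprise Admins'.
$domain = 'CONTOSO'

# Memberships required per scenario, as described in the text.
$required = @{
    'PrepareSchema'    = @("$domain\Schema Admins")
    'FirstServer'      = @("$domain\Enterprise Admins")
    'AdditionalServer' = @("$domain\Exchange Organization Administrators",
                           'BUILTIN\Administrators')
}

function Get-CurrentTokenGroups {
    # Group SIDs in the logon token, translated to DOMAIN\Name where possible.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SIDs (e.g. deleted groups) are kept raw
    }
}

function Test-SetupPrerequisite {
    param([string]$Scenario, [hashtable]$Required)
    if (-not $Required.ContainsKey($Scenario)) { throw "Unknown scenario: $Scenario" }
    $held = @(Get-CurrentTokenGroups)
    $missing = @()
    foreach ($group in $Required[$Scenario]) {
        # -notcontains compares case-insensitively, matching Windows account names.
        if ($held -notcontains $group) { $missing += $group }
    }
    return $missing
}

$missing = @(Test-SetupPrerequisite -Scenario 'AdditionalServer' -Required $required)
if ($missing.Count -eq 0) {
    Write-Host 'Account holds every membership required for this scenario.'
} else {
    Write-Warning ('Missing memberships: ' + ($missing -join ', '))
}
```

The token reflects group membership as of logon, so a group added after the session started will not appear until the account logs on again.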