
Assigning Administrative Permissions

In document Exchange Server 2007 (Page 101-104)

By now, you may be wondering how administrative permissions are delegated if the concept of the administrative group is gone. Administrative permissions are now different (and in my opinion better) than in Exchange 2000/2003, though I should note that if you will be interoperating with Exchange 2000/2003, you will need to continue to assign administrative permissions for those servers via your existing administrative groups.

Also, I want to comment on Active Directory permissions. Active Directory administrative permissions and Exchange 2007 administrative permissions are split by design. This allows for more administrative flexibility. Members of the root domain’s Domain Admins group and the Enterprise Admins group will still be Exchange administrators, but other groups such as Account Operators do not automatically include Exchange administrative permissions. This is by design to allow for maximum flexibility when creating different types of administrators.

Exchange 2007 Administrative Roles

Before we look at Exchange 2007 administrative roles, we should quickly review the Exchange 2000/2003 administrative roles. This will help administrators who are making the transition from Exchange 2000/2003 organizations to Exchange 2007 better understand the changes. Exchange 2003 offered three types of administrative roles, as shown in Table 2.2.

Table 2.2: Exchange 2003 Administrative Roles

Exchange View Only Administrator: Gives users or groups the ability to view the Exchange organization and server configuration. Mailbox administrators required this role in order to enumerate Exchange server names, storage groups, and mailbox store names.

Exchange Administrator: Gives users or groups the ability to manage (create/change/delete) Exchange objects at either the organization level or within a specific administrative group, depending on where the role was delegated.

Exchange Full Administrator: Gives users or groups all of the permissions that an Exchange Administrator has but also the ability to change permissions on objects.

Although these roles worked well for some organizations, they could only be assigned to an entire administrative group or the entire organization. For medium-sized and large organizations, where administrative tasks are sometimes very granular, these roles may not necessarily give the specific permissions required or they might give too many permissions. For example, if one group managed all bridgehead servers and mail transport functions, then the organization’s bridgehead servers all had to be in the same administrative group. If all servers (bridgehead, Outlook Web Access, and mailbox servers) were in the same administrative groups, the permissions had to be assigned to all of the servers. Further, the administrative permissions for the organization and each administrative group had to be delegated when Exchange server was installed.

The Exchange 2007 administrative model has improved the Exchange administrative model by defining the following four administrative roles:

The Exchange View-Only Administrators role allows an administrator to view the Exchange configuration, but they cannot make any changes.

The Exchange Recipient Administrator role has the permissions to modify Exchange-related properties of mail-enabled objects such as users, contacts, and groups. These properties include e-mail addresses, home server, Client Access server, and Unified Messaging settings. This permission includes only read and write permissions to Exchange properties for objects found in the Users container in each domain in which the Exchange 2007 PrepareDomain process has been run. For additional management permissions, an administrator would have to be delegated Active Directory permissions to manage objects in an OU, be given membership in the Account Operators group, or be a member of Domain Admins. If a user or group is delegated the Exchange Recipient Administrator role, that user or group will have these permissions for the entire organization.

The Exchange Public Folder Administrator role provides permissions to manage the public folder hierarchy and public folder properties. This permission is new to Exchange 2007 Service Pack 1.

The Exchange Server Administrator role can be delegated permissions to one or more individual Exchange 2007 servers regardless of the roles that server maintains. Someone with these permissions can manage any configuration data for that particular server, has the Exchange View Only Administrators role, and will be made a member of the computer’s local Administrators group. This role allows medium and large organizations to delegate


The Exchange Organization Administrator role provides the permissions necessary to manage the organization wide properties of Exchange 2007 including connectors, accepted e-mail domains, transport rules, Unified Messaging properties, ActiveSync policies, managed folders, messaging records management policies, and managing global settings. This role is by far the most powerful of the five Exchange 2007 roles.

Exchange 2007 Built-In Administrative Groups

Now that I have explained the administrative roles that you could use to delegate permissions, I’ll tell you that you probably don’t need to do any delegation yourself. For small or medium-sized organizations, you probably will not need to delegate additional roles for your users and groups. This is because when the first Exchange 2007 server is installed, some preconfigured groups are created for you. In most organizations, these groups will be sufficient for assigning the permissions you need for different types of administrators.

These universal security groups are created in an organizational unit called Microsoft Exchange Security Groups; this OU is found in the forest root domain. Figure 2.16 shows the Microsoft Exchange Security Groups organizational unit and the groups that are created in that container.

Figure 2.16: Prebuilt Windows security groups for managing Exchange 2007

I recommend that you use these built-in groups when assigning the necessary permissions to your administrators. The following are the built-in Windows security groups and the permissions they assign to their members.

Exchange Servers provides the permissions necessary for Exchange servers to interact with each other as well as with the Active Directory. Each Exchange 2007 server’s computer account will automatically be assigned membership in this group. Administrators do not need to belong to this group.

Exchange View-Only Administrators provides the permissions necessary to read Exchange configuration data from the Active Directory and provides read access to mail-enabled objects.

Exchange Recipient Administrators provides the permissions necessary to manage mail-enabled objects (including assigning mailboxes to users and mail-enabling contacts and groups).
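As an added example (not the book's own text or code), here is how the role model and built-in groups described above map onto the Exchange Management Shell: the Exchange 2007 cmdlets Add-ExchangeAdministrator and Get-ExchangeAdministrator express the roles as OrgAdmin, RecipientAdmin, ViewOnlyAdmin, ServerAdmin and PublicFolderAdmin. The CONTOSO\ServerOps group and the EX01 server are placeholders, and the list of built-in group names used for the audit is assumed from a standard Exchange 2007 installation rather than copied from this excerpt.

```powershell
# Added example, not from the book: delegate the Server Administrator role for
# one server, then audit who holds which Exchange 2007 role. Run this in the
# Exchange Management Shell. CONTOSO\ServerOps and EX01 are placeholder names.

$delegate = 'CONTOSO\ServerOps'   # placeholder security group to delegate to
$server   = 'EX01'                # placeholder Exchange 2007 server name

# ServerAdmin is scoped to the single server named in -Scope. Note that the
# book says this also makes the delegate a member of that server's local
# Administrators group, so it is more than a "read Exchange config" grant.
Add-ExchangeAdministrator -Identity $delegate -Role ServerAdmin -Scope $server

# Built-in universal security groups created with the first Exchange 2007
# server (assumed list). Any other identity holding an organization-wide
# role was delegated by hand and deserves a second look.
$expectedOrgWide = @(
    'Exchange Organization Administrators',
    'Exchange Recipient Administrators',
    'Exchange View-Only Administrators',
    'Exchange Public Folder Administrators'
)

$admins = Get-ExchangeAdministrator

# One line per delegation, showing whether it is org-wide or server-scoped.
$admins | ForEach-Object {
    $scope = if ($_.Scope) { "server: $($_.Scope)" } else { 'organization-wide' }
    '{0,-60} {1,-18} {2}' -f ([string]$_.Identity), $_.Role, $scope
}

# Org-wide delegations whose identity is not one of the built-in groups.
# The identity string ends in the group or user name, so compare its last part.
$unexpected = $admins |
    Where-Object { -not $_.Scope } |
    Where-Object {
        $name = ([string]$_.Identity).Split('/\')[-1]
        $expectedOrgWide -notcontains $name
    } |
    Sort-Object { $_.Role -ne 'OrgAdmin' }   # OrgAdmin holders listed first

if ($unexpected) {
    Write-Warning 'Organization-wide Exchange roles held outside the built-in groups:'
    $unexpected | Format-Table Identity, Role -AutoSize
}
```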
