Delegating Administrative Permissions


In earlier versions of Exchange, administrative permissions were delegated via sites or administrative groups. If you are interoperating with Exchange 2000/2003, permissions for Exchange 2000/2003 administrative tasks will still be delegated via administrative groups. However, permission delegation has been simplified and made more flexible for Exchange 2007.

Note

Active Directory administrative permissions and Exchange 2007 administrative permissions are split by design. This allows for more administrative flexibility.

An important consideration to keep in mind is that just because you have been delegated Exchange 2007 permissions does not automatically make you an administrator of Windows 2003 servers on which Exchange server is operating, nor does it make you an Active Directory administrator.

Exchange 2007 Administrative Roles

Before we look at Exchange 2007 administrative roles, we should quickly review the Exchange 2000/2003 administrative roles. This will help administrators who are making the transition from Exchange 2000/2003 organizations to Exchange 2007 better understand the changes. Exchange 2003 offered three types of administrative roles, as shown in Table 7.1.

Table 7.1: Exchange 2003 Administrative Roles

Exchange View Only Administrator: Gives users or groups that have been assigned this role the ability to view the Exchange organization and server configuration. Mailbox administrators required this role in order to enumerate Exchange server names, storage groups, and mailbox store names.

Exchange Administrator: Gives users or groups that have been assigned this role the ability to manage (create/change/delete) Exchange objects at either the organization level or within a specific administrative group, depending on where the role was delegated.

Exchange Full Administrator: Gives users or groups all of the permissions that the Exchange Administrator role has, but also the ability to change permissions on objects.

Although these worked well for some organizations, the roles could only be assigned to an entire administrative group or the entire organization. For medium-size and large organizations where administrative tasks are sometimes very granular, the people assigned these roles may not necessarily have the specific permissions they need or they might have too many permissions. For example, if one group was responsible for managing all bridgehead servers and mail transport functions, the organization's bridgehead servers would have to all be in the same administrative group. If all servers (bridgehead, Outlook Web Access, and Mailbox servers) were in the same administrative groups, the management permissions would have to be assigned to all of the servers manually. Further, the administrative permissions for the organization and each administrative group had to be delegated once Exchange Server was installed.

Exchange 2007 has improved the Exchange administrative model by defining three types of administrative roles:

  • The Exchange Recipient Administrator role has the permissions to modify Exchange-related properties (e-mail addresses, home server, Client Access server, and Unified Messaging) of mail-enabled objects such as users, contacts, and groups. This role grants read and write permissions to Exchange properties only, and only for objects found in the Users container of each domain in which Exchange 2007 Prepare Domain has been run. For additional management permissions, an administrator would have to be delegated Active Directory permissions to manage objects in an OU, be given membership in the Account Operators group, or be a member of Domain Admins. If a user or group is delegated the Exchange Recipient Administrator role, that user or group will have these permissions for the entire organization.

  • The Exchange Server Administrator role can be delegated permissions to one or more individual Exchange 2007 servers regardless of the roles that server maintains. Someone with these permissions can manage any configuration data for that particular server, has the Exchange View Only Administrator role, and will be made a member of the computer's local Administrators group. This role allows medium and large organizations to delegate permissions for Exchange management more precisely.

  • The Exchange Organization Administrator role provides the permissions necessary to manage the organization-wide properties of Exchange 2007, including connectors, global settings, accepted e-mail domains, transport rules, Unified Messaging properties, ActiveSync policies, managed folders, and messaging records management policies. This role is by far the most powerful of the three Exchange 2007 roles.

  • The Exchange View-Only Administrator role allows an administrator to view the Exchange configuration, but they cannot make any changes.

Most organizations will not need to do this, but these permissions can be delegated at the Organization Configuration level of the EMC navigation tree. Simply select the Organization Configuration work center and choose the Add Delegate action; this will display the Add Delegate Wizard. In Figure 7.23, we are delegating the Exchange Server Administrator role for just a single Exchange server (called HNLEX03) to a group called Exchange Hub Transport Administrators.

Figure 7.23: Delegating Exchange 2007 administrative roles

Exchange 2007 Built-In Administrative Groups

Now that we have explained the administrative roles that you could use to delegate permissions, we will tell you that you probably don't need to do any delegation yourself. For small or medium-size organizations, you will probably not need to delegate additional roles for your users and groups. This is because when the first Exchange 2007 server is installed, some preconfigured groups are created for you. In most organizations, these groups will be sufficient for assigning the permissions you need for different types of administrators.

These universal security groups are created in an organizational unit (OU) called Microsoft Exchange Security Groups, which is found in the forest root domain. Figure 7.24 shows the Microsoft Exchange Security Groups organizational unit and the groups that are created in that container.

Figure 7.24: Prebuilt Windows security groups for managing Exchange 2007

We recommend you use these built-in groups when assigning the necessary permissions to your administrators. The following are the built-in Windows security groups and the permissions they assign to their members:

  • Exchange Organization Administrators provides members with the permissions necessary to manage all Exchange properties for the entire organization.

  • Exchange Recipient Administrators provides members with the permissions necessary to manage mail-enabled objects (including assigning mailboxes to users and mail-enabling contacts and groups).

  • Exchange Servers provides the permissions necessary for Exchange servers to interact with each other as well as with the Active Directory. Each Exchange 2007 server's computer account will automatically be assigned membership in this group. Administrators do not need to belong to this group.

  • Exchange View-Only Administrators provides the permissions necessary to read Exchange configuration data from the Active Directory and read access to mail-enabled objects.

  • Exchange2003Interop provides permissions necessary for interoperability with Exchange 2003.
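The following Exchange Management Shell script is an added example, not code from the book: it performs the same single-server delegation shown in Figure 7.23 from the command line, then audits who currently holds Exchange 2007 roles and who is a member of the built-in groups listed above. It assumes the server HNLEX03 and the group Exchange Hub Transport Administrators from the text, the Exchange 2007 cmdlets Add-ExchangeAdministrator and Get-ExchangeAdministrator, and a placeholder forest root DN (DC=corp,DC=example) that you must replace.

```powershell
# Added example (not from the book): delegate one role in the Exchange
# Management Shell, then audit role holders and built-in group membership.
# Assumes an Exchange 2007 organization with server HNLEX03 and the group
# "Exchange Hub Transport Administrators"; the forest root DN is a placeholder.

# 1. Delegate the Exchange Server Administrator role for a single server.
#    -Scope limits the ServerAdmin role to that one server, matching Figure 7.23.
Add-ExchangeAdministrator -Identity 'Exchange Hub Transport Administrators' `
    -Role ServerAdmin -Scope 'HNLEX03'

# 2. List every explicit delegation in the organization. OrgAdmin is the most
#    powerful role, so any OrgAdmin holder other than the built-in group
#    should be reviewed and justified.
$delegations = Get-ExchangeAdministrator
$delegations | Format-Table Identity, Role, Scope -AutoSize

$unexpectedOrgAdmins = $delegations |
    Where-Object { $_.Role -eq 'OrgAdmin' -and
                   $_.Identity -notlike '*Exchange Organization Administrators' }
if ($unexpectedOrgAdmins) {
    Write-Warning 'OrgAdmin delegations outside the built-in group:'
    $unexpectedOrgAdmins | Format-Table Identity, Scope -AutoSize
}

# 3. Enumerate members of the built-in groups in the
#    "Microsoft Exchange Security Groups" OU of the forest root domain.
#    ADSI is used so this runs on Windows Server 2003 without the AD module.
$forestRootDn  = 'DC=corp,DC=example'   # placeholder: your forest root DN
$builtInGroups = @('Exchange Organization Administrators',
                   'Exchange Recipient Administrators',
                   'Exchange View-Only Administrators')
foreach ($groupName in $builtInGroups) {
    $groupPath = "LDAP://CN=$groupName,OU=Microsoft Exchange Security Groups,$forestRootDn"
    $group = [ADSI]$groupPath
    Write-Host "`n$groupName members:"
    foreach ($memberDn in @($group.member)) {
        Write-Host "  $memberDn"      # each entry is the member's distinguished name
    }
}
```

Run step 2 and step 3 on a schedule and diff the output against the previous run; a new OrgAdmin delegation or a new member of Exchange Organization Administrators is the kind of change that warrants an immediate look.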


Mastering Microsoft Exchange Server 2007 SP1
ISBN: 0470417331
Year: 2004
Pages: 198
Authors: Jim McBee