Administrative Groups and Permissions


Exchange 2000 Server permissions are based on the Windows 2000 Active Directory directory service and the Windows 2000 permissions model. This means that you can assign permissions to a user or group by object, child object, or object class.

When you create an object in Windows 2000, it inherits its parent's permissions by default. Inheritance allows permissions to flow down the object hierarchy so that child objects do not need to have their permissions manually assigned. In addition, when you need to change permissions for an entire range of objects, all you need to do is change the permissions for the parent object, and the child objects will inherit those permissions automatically.

REAL WORLD   Be Aware of How Permissions Flow in the Configuration Naming Partition

By default, members of the Enterprise Admins group will have full control over your administrative groups. The Domain Admins group will also have significant permissions on these objects. Figure 12-5 shows an Active Directory Services Interface (ADSI) Edit console window that illustrates how these permissions are ultimately inherited from the configuration context. (ADSI Edit is a resource kit tool.)


Figure 12-5. ADSI Edit console, showing permissions inheritance for administrative groups.

Because Exchange 2000 Server holds much of its information in the configuration partition of Active Directory, you'll notice that your Exchange 2000 organization is created in this partition. To Active Directory, the organization object is just another object to which default permissions flow.

If your environment draws a sharp division between the activities of the Exchange administrators and the domain administrators, you'll need to create an Exchange Admins group, give this group Full Control over all aspects of your Exchange 2000 organization, and limit the depth and scope of permissions for the Domain Admins group. You will have to do this manually on the organization object itself. In addition, you'll need to block inheritance of permissions from the Windows 2000 configuration partition and reassign permissions at the organization level for all of your Exchange 2000 Server objects.

For additional information on how to block permissions inheritance, refer to Microsoft Windows 2000 Security Technical Reference (Microsoft Press, 2000).
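The check this sidebar implies, as an added example that is not from the book: given the organization object's DACL exported in SDDL form, it reports whether inheritance is blocked and whether Enterprise Admins and Domain Admins hold inherited or explicit entries. The sample descriptors, the Exchange Admins SID, and the function names are constructed for illustration.

```python
import re

# SDDL aliases for the two groups the sidebar singles out.
WATCHED = {"EA": "Enterprise Admins", "DA": "Domain Admins"}

def parse_dacl(sddl):
    """Split a DACL-only SDDL string into (control_flags, list_of_ACE_dicts)."""
    m = re.fullmatch(r"D:([A-Z_]*)((?:\([^()]*\))*)", sddl.strip())
    if not m:
        raise ValueError("expected a DACL-only SDDL string starting with 'D:'")
    control = set(re.findall(r"AI|AR|P", m.group(1)))  # P = protected DACL
    aces = []
    for raw in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = raw.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({raw})")
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        aces.append({"type": ace_type, "rights": rights, "trustee": trustee,
                     "flags": set(re.findall(r"[A-Z]{2}", flags))})
    return control, aces

def audit_org_object(sddl):
    """Report whether inheritance is blocked and how EA/DA obtain access."""
    control, aces = parse_dacl(sddl)
    findings = []
    for ace in aces:
        group = WATCHED.get(ace["trustee"])
        if group is None or ace["type"] not in ("A", "OA"):
            continue  # only allow ACEs for the watched groups
        origin = "inherited" if "ID" in ace["flags"] else "explicit"
        if "IO" in ace["flags"]:
            scope = "descendants only"
        elif ace["flags"] & {"CI", "OI"}:
            scope = "this object and descendants"
        else:
            scope = "this object only"
        findings.append((group, ace["rights"], origin, scope))
    return {"inheritance_blocked": "P" in control, "findings": findings}

# Constructed sample descriptors (not taken from a real forest).
# The long SID stands in for a hypothetical Exchange Admins group.
DEFAULT_DACL = "D:AI(A;CI;GA;;;SY)(A;CIID;GA;;;EA)(A;CIID;RPWPCCDCLCRCWOWDSDSW;;;DA)"
HARDENED_DACL = ("D:PAI(A;CI;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1601)"
                 "(A;;RPLCRC;;;DA)")

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_DACL), ("hardened", HARDENED_DACL)):
        print(name, audit_org_object(sddl))
```

An `inherited` finding on the organization object means the entry still flows down from the configuration partition; after inheritance is blocked, only explicit entries should remain.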

The permissions model in Exchange 2000 Server has been expanded to give administrators additional control over how permissions flow to containers and objects. This control is accomplished through customized inheritance, which allows you to specify that only certain objects can inherit permissions. Figure 12-6 illustrates these specialized permissions choices. You can specify inheritance for the following:

  • This object only
  • Inherit only
  • This object and subcontainers
  • This object and children objects
  • Subcontainers only
  • Children objects only
  • This object, subcontainers, and children objects
  • Subcontainers and children objects

Figure 12-6. Permissions for Exchange objects.



Microsoft Exchange 2000 Server Administrator's Companion
Year: 1999
Pages: 193
