|< Day Day Up >|
Chapter 18. Exchange Server 2003 Mailbox, Distribution Group, and Administrative Group Administration
IN THIS CHAPTER
With Exchange Server 2003, there are new ways of accomplishing familiar
Exchange administrators can review new features of Exchange Server 2003 and common scenarios for implementing and managing Exchange Server 2003 permissions and features that assist in the day-to-day administrative tasks of Exchange.
|< Day Day Up >|
|< Day Day Up >|
Exchange Administration and the Delegation Wizard
As with previous versions of Exchange, administration is determined by permissions. With Exchange Server 2003, administrative rights and permissions are based on the new Exchange roles. Roles determine the level of permissions and rights to administrator Exchange objects within the Exchange organization.
In this section, we review each of these new Exchange administrative roles, how to use role-based administration within an Exchange Server 2003 organization, and the rights granted to each.
Also as part of managing Exchange permissions, we look at working with extended permissions, defining what extended permissions are used for and how to implement these into an Exchange Server 2003 environment using features such as the Exchange Server 2003 Delegation Wizard.
Implementing Role-Based Administration
Administration in Exchange Server 2003 has been simplified from the standard practice of applying permissions. As previously required, permissions were set by applying rights to Active Directory users and groups within the permission pages of Exchange objects. With Exchange Server 2003, assigning permissions has been simplified by implementing role-based administration within the Exchange hierarchy, which can be assigned using the Exchange Server 2003 Delegation Wizard. By assigning roles, delegation of permissions and administration throughout the organization can easily be set to accounts and groups at the organization and Administrative
Depending on where in the Exchange organization roles are assigned, different levels of permissions can be applied to different Exchange server objects. Delegating permission in the Exchange organization, administrators can leverage each of these three Exchange server administrative roles to assign permissions at the Exchange Organization and Administrative Group levels:
Permissions can be assigned allowing for different administrators at the organizational level and at the Administrative Group level. Separate roles can also be assigned to different Administrative Groups within the same Exchange organization. This can be very effective for larger organizations that want to decentralize Exchange administration.
Exchange Full Administrator
The Exchange Full Administrator role is the least
The Administrator role is ideal for assigning administrative privileges to users and groups that require rights to perform the daily administration to objects within Exchange. The Administrator role allows Exchange administrators to add, change, or modify objects only.
Exchange View Only Administrator
The Exchange View Only role is the most restrictive of all Exchange roles. The Exchange View Only role provides permissions to view Exchange objects only. There are no add and modify rights associated with this role, and it is most effectively implemented for groups and accounts that require the capability to view objects in the other Exchange organizations and Administrative Groups.
The Exchange View Only role can be used to restrict administrative permissions between Exchange Administrative Groups. Assign the Exchange View Only role to allow Administrative Group administrators to view objects in other Administrative Groups without granting permissions to add and modify objects.
Understanding and Implementing Extended Permissions
Another method by which Exchange Server 2003 administrators can manage and controls administrative access to Exchange objects is to implement extended permissions. Extended permissions are Exchange-specific and allow for more granular security by giving administrators the capability to set permissions in addition to and beyond the standard Active Directory permissions. Extended permissions can be applied when roles and rights require more granular configurations and can be applied to individual objects rather than at organizational and Administrative Group levels.
Exchange Server 2003 extended permissions can be applied to servers in the organization, individual databases, public folders, address lists, and protocols.
To implement extended permissions,
Figure 18.1. Public folder security and permissions.
When viewing Exchange Server 2003 extended permissions, Windows permissions are always viewed first in the Permissions tab and are at the top of the permissions list. Extended permissions are always viewed after the Windows permissions and can be
Delegating Administrative Rights
With an understanding of what roles and permissions are available to administrators in Exchange Server 2003, the task becomes determining which roles and permissions are required for the specific needs in each area of Exchange Server 2003 and how to apply them at the different levels of the organization.
For example, as the Exchange Server 2003 organization begins to expand, the Exchange environment might require additional Administrative Groups to be configured. This configuration might also be ideal for decentralizing administrative
With multiple Administrative Groups, permission can be applied to individual Exchange Server 2003 administrators, granting them the capability to perform the day-to-day
To apply roles and permission, administrators must perform each separately and in different
The Delegation Wizard is a tool built into the Exchange Server 2003 System Manager that allows administrators to assign Exchange roles only to objects at the organization and Administrative Group levels within the Exchange organization.
The application of extended permission must be performed by opening the property pages of the object where the permission will be applied and by selecting the Security tab.
Understanding the Scope of Roles Being Applied
When assigning Exchange roles using the Delegation Wizard, the level of permissions being assigned depends on the level of the Exchange organization in which permission roles are being assigned.
For example, if an administrator group called Admins is assigned Full Administrator rights on the Exchange organization, this group of accounts has full administrative rights to the entire Exchange organization and any Administrative Group within the organizational structure.
Imagine that an account is granted the Full Administrator role on an Administrative Group called Administrative Group 1 and is granted the View Only role to Administrative Group 2. This account can fully add, modify, and delete objects in Administrative Group 1 but can only traverse to Administrative Group 2 to view objectsit cannot add to or modify anything in Administrative Group 2.
Using the Delegation Wizard
To implement Exchange roles using the Delegation Wizard, begin by opening the Exchange System Manager and complete these steps:
This procedure can be repeated to add accounts and groups to any role at the organization and Administrative Group levels within the Exchange System Manager.
Auditing Administrative Tasks in Exchange Server 2003
To help manage changes as roles and permissions are assigned to different groups and accounts, Exchange Server 2003 auditing can help administrators determine successful changes and failures based on groups or user accounts configured to be
Auditing allows tracking of changes, reads, deletes; the creation of child objects; and send as, receive as, and other helpful tracking options to assist the administrator in monitoring roles and permissions as they are applied. Auditing can also be configured to be inherited to child objects and subcontainers, as well as applied to a single container with an Administrative Group.
As an example of how to enable auditing on an Exchange container or object, perform the following the steps to enable auditing on an object within the first Administrative Group in the Exchange organization.
This setting creates an entry in the event logs of the server when a child object is created.
Other settings, such as the Read option, automatically enable other auditing features. This is by design and allows Exchange to enable the proper permission to apply the auditing function.
|< Day Day Up >|