Category list

Chapter 18. Exchange Server 2003 Mailbox, Distribution Group, and Administrative Group Administration

< Day Day Up >

Chapter 18. Exchange Server 2003 Mailbox, Distribution Group, and Administrative Group Administration

IN THIS CHAPTER

Exchange Administration and the Delegation Wizard
Managing Mailboxes and Message Settings in Exchange Server 2003
Managing New Mailbox Features
Moving Exchange User Mailboxes
Creating and Managing Exchange Contacts
Planning and Creating Distribution Groups
Creating and Managing Exchange Server 2003 Administrative Groups
Creating and Managing Routing Groups
Using Recipient Policies
Administering Recipient Update Services
Using the Mailbox Recovery Center Tool
Using the Mailbox Manager Utility
Best Practices

With Exchange Server 2003, there are new ways of accomplishing familiar tasks . This chapter guides Exchange administrators through the standard practices of managing basic Exchange Server 2003 Administrative Groups, User Mailbox administration, and Distribution Groups.

Exchange administrators can review new features of Exchange Server 2003 and common scenarios for implementing and managing Exchange Server 2003 permissions and features that assist in the day-to-day administrative tasks of Exchange.

< Day Day Up >

Exchange Administration and the Delegation Wizard

As with previous versions of Exchange, administration is determined by permissions. With Exchange Server 2003, administrative rights and permissions are based on the new Exchange roles. Roles determine the level of permissions and rights to administrator Exchange objects within the Exchange organization.

In this section, we review each of these new Exchange administrative roles, how to use role-based administration within an Exchange Server 2003 organization, and the rights granted to each.

Also as part of managing Exchange permissions, we look at working with extended permissions, defining what extended permissions are used for and how to implement these into an Exchange Server 2003 environment using features such as the Exchange Server 2003 Delegation Wizard.

Implementing Role-Based Administration

Administration in Exchange Server 2003 has been simplified from the standard practice of applying permissions. As previously required, permissions were set by applying rights to Active Directory users and groups within the permission pages of Exchange objects. With Exchange Server 2003, assigning permissions has been simplified by implementing role-based administration within the Exchange hierarchy, which can be assigned using the Exchange Server 2003 Delegation Wizard. By assigning roles, delegation of permissions and administration throughout the organization can easily be set to accounts and groups at the organization and Administrative Group levels.

Depending on where in the Exchange organization roles are assigned, different levels of permissions can be applied to different Exchange server objects. Delegating permission in the Exchange organization, administrators can leverage each of these three Exchange server administrative roles to assign permissions at the Exchange Organization and Administrative Group levels:

Exchange Full Administrator
Exchange Administrator
Exchange View Only Administrator

Permissions can be assigned allowing for different administrators at the organizational level and at the Administrative Group level. Separate roles can also be assigned to different Administrative Groups within the same Exchange organization. This can be very effective for larger organizations that want to decentralize Exchange administration.

Assigning Roles to Groups

When planning and assigning Exchange roles, it is simpler to manage and understand administrative permissions when roles are assigned to groups rather than individual user accounts. Create new Administrative Groups and use these groups to assign roles at the desired Exchange server levels.

When assigning Exchange roles to security groups, the account being used to manage or view Exchange objects must be a member of the security group that has been granted an Exchange role.

Exchange Full Administrator

The Exchange Full Administrator role is the least restrictive of all three Exchange Server 2003 roles. Similar to Full Control, using this role allows Exchange administrators to fully administer Exchange objects by giving them the capability to add, delete, and change Exchange permissions and objects. Assign the Exchange Full Administrator role to Exchange administrators who require complete access to Exchange for configuring and managing the entire Exchange organization.

Exchange Full and Administrator Requirements

To enable the Exchange Full Administrator or Administrator roles, the group or users object being assigned these roles must also maintain local administrator group membership to the Exchange server. This is required on any Exchange server on which these roles are being assigned.

Important!

Adding permissions to the local administrators group must be completed manually. When assigning roles, not having this set will not restrict roles from being assigned. However, it must be completed for the role-based administration to be effective.

Exchange Administrator

The Administrator role is ideal for assigning administrative privileges to users and groups that require rights to perform the daily administration to objects within Exchange. The Administrator role allows Exchange administrators to add, change, or modify objects only.

Exchange View Only Administrator

The Exchange View Only role is the most restrictive of all Exchange roles. The Exchange View Only role provides permissions to view Exchange objects only. There are no add and modify rights associated with this role, and it is most effectively implemented for groups and accounts that require the capability to view objects in the other Exchange organizations and Administrative Groups.

NOTE

The Exchange View Only role can be used to restrict administrative permissions between Exchange Administrative Groups. Assign the Exchange View Only role to allow Administrative Group administrators to view objects in other Administrative Groups without granting permissions to add and modify objects.

Understanding and Implementing Extended Permissions

Another method by which Exchange Server 2003 administrators can manage and controls administrative access to Exchange objects is to implement extended permissions. Extended permissions are Exchange-specific and allow for more granular security by giving administrators the capability to set permissions in addition to and beyond the standard Active Directory permissions. Extended permissions can be applied when roles and rights require more granular configurations and can be applied to individual objects rather than at organizational and Administrative Group levels.

Exchange Server 2003 extended permissions can be applied to servers in the organization, individual databases, public folders, address lists, and protocols.

To implement extended permissions, open the Security tab of an Exchange object. Each Security tab contains both Active Directoryintegrated Windows permissions and Exchange extended permissions, as shown in Figure 18.1.

Figure 18.1. Public folder security and permissions.

graphics/18fig01.gif

NOTE

When viewing Exchange Server 2003 extended permissions, Windows permissions are always viewed first in the Permissions tab and are at the top of the permissions list. Extended permissions are always viewed after the Windows permissions and can be viewed by scrolling down on the Permissions page.

Delegating Administrative Rights

With an understanding of what roles and permissions are available to administrators in Exchange Server 2003, the task becomes determining which roles and permissions are required for the specific needs in each area of Exchange Server 2003 and how to apply them at the different levels of the organization.

For example, as the Exchange Server 2003 organization begins to expand, the Exchange environment might require additional Administrative Groups to be configured. This configuration might also be ideal for decentralizing administrative duties required to maintain each Administrative Group and Exchange objects belonging to them.

With multiple Administrative Groups, permission can be applied to individual Exchange Server 2003 administrators, granting them the capability to perform the day-to-day tasks required to manage users and objects in each Administrative Group. Also, individuals or groups can be granted extended permissions to provide an even more granular set of permissions on objects such as a mailbox store or a public folder tree within a specific Administrative Group.

To apply roles and permission, administrators must perform each separately and in different methods . Unlike applying extended permissions, applying Exchange roles can be accomplished by using the Delegation Wizard, which is included with the Exchange System Manager.

The Delegation Wizard is a tool built into the Exchange Server 2003 System Manager that allows administrators to assign Exchange roles only to objects at the organization and Administrative Group levels within the Exchange organization.

The application of extended permission must be performed by opening the property pages of the object where the permission will be applied and by selecting the Security tab.

Understanding the Scope of Roles Being Applied

When assigning Exchange roles using the Delegation Wizard, the level of permissions being assigned depends on the level of the Exchange organization in which permission roles are being assigned.

For example, if an administrator group called Admins is assigned Full Administrator rights on the Exchange organization, this group of accounts has full administrative rights to the entire Exchange organization and any Administrative Group within the organizational structure.

Imagine that an account is granted the Full Administrator role on an Administrative Group called Administrative Group 1 and is granted the View Only role to Administrative Group 2. This account can fully add, modify, and delete objects in Administrative Group 1 but can only traverse to Administrative Group 2 to view objectsit cannot add to or modify anything in Administrative Group 2.

Using the Delegation Wizard

To implement Exchange roles using the Delegation Wizard, begin by opening the Exchange System Manager and complete these steps:

On the Exchange server with the Exchange System Manager, select Start, All Programs, Microsoft Exchange, System Manager.
Select the Administrative Group to which the administrative roles are to be applied.
From the Action menu, select Action, Delegate Control. This launches the Welcome to the Exchange Administration Delegation Wizard, shown in Figure 18.2. Select Next to begin.

Figure 18.2. Welcome to the Exchange Administration Delegation Wizard.
On the Users and Groups page, click the Add button to select the group or account and the role that will be applied to the Administrative Group.
Select Browse and select the group or account to be used. Select OK when finished.
From the Role Selection tab, use the arrow to choose the role Full Administrator, and click OK.
Select Next to complete the Delegation Wizard. Review the configuration window to ensure that the selection is correct and that the proper role is being applied. Choose Finish to apply the role to the first Administrative Group.

NOTE

This procedure can be repeated to add accounts and groups to any role at the organization and Administrative Group levels within the Exchange System Manager.

Auditing Administrative Tasks in Exchange Server 2003

To help manage changes as roles and permissions are assigned to different groups and accounts, Exchange Server 2003 auditing can help administrators determine successful changes and failures based on groups or user accounts configured to be audited when performing tasks on Exchange containers and objects. Auditing features are available only when auditing Exchange containers and objects within any Administrative Group of the Exchange organization.

Auditing allows tracking of changes, reads, deletes; the creation of child objects; and send as, receive as, and other helpful tracking options to assist the administrator in monitoring roles and permissions as they are applied. Auditing can also be configured to be inherited to child objects and subcontainers, as well as applied to a single container with an Administrative Group.

As an example of how to enable auditing on an Exchange container or object, perform the following the steps to enable auditing on an object within the first Administrative Group in the Exchange organization.

Open the Exchange System Manager and select the first server in the first Administrative Group.
Select the properties of the server and select the Security tab.
Click the Advanced button in the lower-left corner to open the Advanced Security page for the server.
Click the Auditing tab to open the Auditing Configuration page.
Click the Add button and select the group or user account on which auditing will be enabled. Click OK when finished.
Select the Apply Onto options and select This Object, subcontainers, and children objects. This applies the audit setting to all server containers and objects.
Choose the auditing feature that will be applied by placing a check in the box under Access Options. For this scenario, select Create Children and then select Successful.

NOTE

This setting creates an entry in the event logs of the server when a child object is created.

Other settings, such as the Read option, automatically enable other auditing features. This is by design and allows Exchange to enable the proper permission to apply the auditing function.

< Day Day Up >

Buy on amazon.com >>

Morimoto R., Coca J., Gardinier K.

<< Previous page

Table of contents

Next page >>