Exchange Administration and the Delegation Wizard


As with previous versions of Exchange, administration is determined by permissions. With Exchange Server 2003, administrative rights and permissions are based on Exchange roles. A role determines the level of permissions and rights an account has to administer Exchange objects within the Exchange organization.

In this section, we review each of these new Exchange administrative roles, how to use role-based administration within an Exchange Server 2003 organization, and the rights granted to each.

Also as part of managing Exchange permissions, we look at working with extended permissions, defining what extended permissions are used for and how to implement these into an Exchange Server 2003 environment using features such as the Exchange Server 2003 Delegation Wizard.

Implementing Role-Based Administration

Administration in Exchange Server 2003 has been simplified compared with the standard practice of applying permissions directly. Previously, permissions were set by granting rights to Active Directory users and groups on the permission pages of individual Exchange objects. Exchange Server 2003 simplifies this with role-based administration within the Exchange hierarchy, and roles are assigned using the Exchange Administration Delegation Wizard. By assigning roles, delegation of permissions and administration throughout the organization can be set for accounts and groups at the organization and Administrative Group levels.

Depending on where in the Exchange organization a role is assigned, different levels of permissions are applied to different Exchange server objects. When delegating permissions, administrators can use each of these three Exchange administrative roles at the Exchange organization and Administrative Group levels:

  • Exchange Full Administrator

  • Exchange Administrator

  • Exchange View Only Administrator

Permissions can be assigned allowing for different administrators at the organizational level and at the Administrative Group level. Separate roles can also be assigned to different Administrative Groups within the same Exchange organization. This can be very effective for larger organizations that want to decentralize Exchange administration.

Assigning Roles to Groups

When planning and assigning Exchange roles, it is simpler to manage and understand administrative permissions when roles are assigned to groups rather than to individual user accounts. Create dedicated Active Directory security groups for Exchange administrators (for example, one per Administrative Group) and use these groups to assign roles at the desired levels of the Exchange organization.

When Exchange roles are assigned to security groups, the account used to manage or view Exchange objects must be a member of a security group that has been granted an Exchange role. Because group membership is evaluated at logon, a user added to such a group must log off and log on again before the role takes effect.


Exchange Full Administrator

The Exchange Full Administrator role is the least restrictive of the three Exchange Server 2003 roles. Similar to Full Control, this role allows Exchange administrators to fully administer Exchange objects, including adding, deleting, and changing both Exchange objects and the permissions on them. Assign the Exchange Full Administrator role to Exchange administrators who require complete access to Exchange for configuring and managing the entire Exchange organization.

Exchange Full Administrator and Exchange Administrator Requirements

For the Exchange Full Administrator or Exchange Administrator roles to be effective, the group or user being assigned the role must also be a member of the local Administrators group on each Exchange server it will manage. This is required on every Exchange server within the scope of the role.


Important!

Adding the delegated account or group to the local Administrators group must be completed manually. The Delegation Wizard does not check this, so a missing membership will not prevent the role from being assigned. However, it must be completed for role-based administration to work as intended.


Exchange Administrator

The Exchange Administrator role is ideal for assigning administrative privileges to users and groups that perform the day-to-day administration of objects within Exchange. The Exchange Administrator role allows administrators to add, change, and delete Exchange objects, but not to modify the permissions on those objects; changing permissions requires the Exchange Full Administrator role.

Exchange View Only Administrator

The Exchange View Only Administrator role is the most restrictive of all Exchange roles. It provides permissions to view Exchange objects only. There are no add, modify, or delete rights associated with this role, and it is most effectively used for groups and accounts that need to view objects in other parts of the Exchange organization, such as other Administrative Groups, without being able to change them.

NOTE

The Exchange View Only role can be used to restrict administrative permissions between Exchange Administrative Groups. Assign the Exchange View Only role to allow Administrative Group administrators to view objects in other Administrative Groups without granting permissions to add and modify objects.


Understanding and Implementing Extended Permissions

Another method by which Exchange Server 2003 administrators can control administrative access to Exchange objects is to implement extended permissions. Extended permissions are Exchange-specific rights (Send As and Receive As are examples) that allow for more granular security by letting administrators set permissions in addition to, and beyond, the standard Active Directory permissions. Extended permissions can be applied when roles alone are not granular enough, and they can be applied to individual objects rather than only at the organization and Administrative Group levels.

Exchange Server 2003 extended permissions can be applied to servers in the organization, individual databases, public folders, address lists, and protocols.

To implement extended permissions, open the Security tab of an Exchange object. Each Security tab contains both Active Directory-integrated Windows permissions and Exchange extended permissions, as shown in Figure 18.1.

Figure 18.1. Public folder security and permissions.

NOTE

When viewing Exchange Server 2003 extended permissions on the Security tab, the Windows permissions are always listed first, at the top of the permissions list. The extended permissions follow the Windows permissions and can be seen by scrolling down the permissions list.


Delegating Administrative Rights

With an understanding of what roles and permissions are available to administrators in Exchange Server 2003, the task becomes determining which roles and permissions are required for the specific needs in each area of Exchange Server 2003 and how to apply them at the different levels of the organization.

For example, as the Exchange Server 2003 organization begins to expand, the Exchange environment might require additional Administrative Groups to be configured. This configuration might also be ideal for decentralizing administrative duties required to maintain each Administrative Group and Exchange objects belonging to them.

With multiple Administrative Groups, permission can be applied to individual Exchange Server 2003 administrators, granting them the capability to perform the day-to-day tasks required to manage users and objects in each Administrative Group. Also, individuals or groups can be granted extended permissions to provide an even more granular set of permissions on objects such as a mailbox store or a public folder tree within a specific Administrative Group.

Roles and extended permissions are applied separately and by different methods. Exchange roles are applied with the Delegation Wizard, which is included with the Exchange System Manager; extended permissions cannot be applied with the wizard.

The Delegation Wizard is a tool built into the Exchange Server 2003 System Manager that assigns Exchange roles only, and only to the organization and Administrative Group objects within the Exchange organization.

Extended permissions are applied by opening the property pages of the object on which the permission is required and selecting the Security tab.

Understanding the Scope of Roles Being Applied

When assigning Exchange roles using the Delegation Wizard, the level of permissions being assigned depends on the level of the Exchange organization in which permission roles are being assigned.

For example, if an administrator group called Admins is assigned Full Administrator rights on the Exchange organization, this group of accounts has full administrative rights to the entire Exchange organization and any Administrative Group within the organizational structure.

Imagine that an account is granted the Exchange Full Administrator role on an Administrative Group called Administrative Group 1 and the Exchange View Only Administrator role on Administrative Group 2. This account can add, modify, and delete objects in Administrative Group 1, but can only browse to Administrative Group 2 and view its objects; it cannot add to or modify anything in Administrative Group 2.

Using the Delegation Wizard

To implement Exchange roles using the Delegation Wizard, begin by opening the Exchange System Manager and complete these steps:

  1. On the Exchange server with the Exchange System Manager, select Start, All Programs, Microsoft Exchange, System Manager.

  2. Select the Administrative Group to which the administrative roles are to be applied.

  3. From the Action menu, select Delegate Control. This launches the Welcome to the Exchange Administration Delegation Wizard page, shown in Figure 18.2. Select Next to begin.

    Figure 18.2. Welcome to the Exchange Administration Delegation Wizard.

  4. On the Users and Groups page, click the Add button to select the group or account and the role that will be applied to the Administrative Group.

  5. Select Browse and select the group or account to be used. Select OK when finished.

  6. From the Role drop-down list, choose the role to assign (in this example, Exchange Full Administrator), and click OK.

  7. Select Next to complete the Delegation Wizard. Review the configuration window to ensure that the selection is correct and that the proper role is being applied. Choose Finish to apply the role to the first Administrative Group.

NOTE

This procedure can be repeated to add accounts and groups to any role at the organization and Administrative Group levels within the Exchange System Manager.
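As an added example that is not part of the book, the following PowerShell script reads the access control entries that the Delegation Wizard and the Security tab place on an Administrative Group object in Active Directory, so that a delegated role and any extended permissions (the subject of the Understanding and Implementing Extended Permissions section earlier in this chapter) can be verified without clicking through property pages. Exchange Server 2003 itself does not ship PowerShell; the script uses the .NET System.DirectoryServices classes against the same Active Directory objects the wizard writes to. The organization name, the Administrative Group name, and the account under which it runs are assumptions.

```powershell
# Added example (not from the book): list the ACEs on an Exchange Administrative
# Group object and resolve the GUID on Exchange extended-right ACEs to a readable name.
# Assumptions: run as a user who can read the Configuration partition; the organization
# and Administrative Group names below are placeholders for a real environment.
Add-Type -AssemblyName System.DirectoryServices

$ExchangeOrg = 'First Organization'          # assumed organization name
$AdminGroup  = 'First Administrative Group'  # assumed Administrative Group name

$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value

# Exchange configuration lives under CN=Microsoft Exchange,CN=Services in the Configuration partition.
$agPath = "LDAP://CN=$AdminGroup,CN=Administrative Groups,CN=$ExchangeOrg,CN=Microsoft Exchange,CN=Services,$configNC"

# Build a GUID -> name table from the Extended-Rights container so that ExtendedRight
# ACEs (Send As, Receive As, and the other Exchange extended rights) are readable.
function Get-ExtendedRightTable {
    param([string]$ConfigNC)
    $container = [ADSI]"LDAP://CN=Extended-Rights,$ConfigNC"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container, '(objectClass=controlAccessRight)', @('rightsGuid', 'displayName'))
    $searcher.PageSize = 1000
    $table = @{}
    foreach ($r in $searcher.FindAll()) {
        $guid = ([string]$r.Properties['rightsguid'][0]).ToLower()
        $table[$guid] = [string]$r.Properties['displayname'][0]
    }
    return $table
}

# Return the ACEs on an object. Without -IncludeInherited only explicit entries are shown,
# which are the ones the Delegation Wizard or the Security tab added at this level;
# with it, entries inherited from the organization object are shown as well, which is
# how a role delegated at the organization level reaches every Administrative Group.
function Get-ExchangeObjectAces {
    param(
        [string]$Path,
        [hashtable]$RightNames,
        [switch]$IncludeInherited
    )
    $entry = [ADSI]$Path
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $IncludeInherited.IsPresent, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        $objectRight = $null
        if ($rule.ObjectType -ne [Guid]::Empty) {
            $key = $rule.ObjectType.ToString().ToLower()
            # A GUID that is not an extended right is a schema attribute, class or property set GUID.
            $objectRight = if ($RightNames.ContainsKey($key)) { $RightNames[$key] } else { $key }
        }
        [PSCustomObject]@{
            Identity    = $rule.IdentityReference.Value
            Type        = $rule.AccessControlType   # Allow or Deny
            Rights      = $rule.ActiveDirectoryRights
            ObjectRight = $objectRight              # set for ExtendedRight and per-property ACEs
            Inherited   = $rule.IsInherited
            AppliesTo   = $rule.InheritanceType
        }
    }
}

$rightNames = Get-ExtendedRightTable -ConfigNC $configNC
Get-ExchangeObjectAces -Path $agPath -RightNames $rightNames -IncludeInherited |
    Sort-Object Inherited, Identity | Format-Table -AutoSize
```

Run it once before and once after the Delegation Wizard and compare the explicit (Inherited = False) entries for the delegated group; the same function pointed at a mailbox store or public folder tree object shows the extended permissions set on the Security tab.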


Auditing Administrative Tasks in Exchange Server 2003

To help manage changes as roles and permissions are assigned to different groups and accounts, Exchange Server 2003 auditing lets administrators record the successful and failed operations performed by selected groups or user accounts on Exchange containers and objects. Auditing is configured on Exchange containers and objects within an Administrative Group of the Exchange organization.

Auditing allows tracking of changes, reads, and deletes; the creation of child objects; and Send As, Receive As, and other helpful tracking options to assist the administrator in monitoring roles and permissions as they are applied. Auditing can be configured to be inherited by child objects and subcontainers, or applied to a single container within an Administrative Group.

As an example of how to enable auditing on an Exchange container or object, perform the following steps to enable auditing on a server object within the first Administrative Group in the Exchange organization.

  1. Open the Exchange System Manager and select the first server in the first Administrative Group.

  2. Select the properties of the server and select the Security tab.

  3. Click the Advanced button in the lower-left corner to open the Advanced Security page for the server.

  4. Click the Auditing tab to open the Auditing Configuration page.

  5. Click the Add button and select the group or user account on which auditing will be enabled. Click OK when finished.

  6. In the Apply Onto list, select This object and all child objects. This applies the audit setting to the server object and to all containers and objects beneath it.

  7. Choose the auditing feature that will be applied by placing a check in the box under Access Options. For this scenario, select Create Children and then select Successful.

NOTE

This setting writes a Directory Service Access audit entry to the Security event log whenever a child object is created beneath the server object. Because Exchange configuration objects are stored in the Active Directory configuration partition, the entry is written on the domain controller that performs the change rather than on the Exchange server, and only if the Audit Directory Service Access policy is enabled for domain controllers; the audit entry on the object alone does not generate events.

Selecting a composite option such as Read automatically checks the component rights it is made of (such as List Contents, Read All Properties, and Read Permissions). This is by design: the Read entry is shorthand for those individual rights, and they are what is actually written to the audit entry.
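As an added example that is not part of the book, the following PowerShell script creates the same audit entry the procedure above sets through the Security tab (Create Children, Successful, applied to this object and all child objects), then reads back the audit entries on the server object. It uses the .NET System.DirectoryServices classes, which Exchange Server 2003 does not ship but which operate on the same Active Directory objects; the server, Administrative Group, organization and audited group names are assumptions, and the account running it needs the Manage auditing and security log right, which reading or writing a SACL requires.

```powershell
# Added example (not from the book): add a Create Children / Success audit entry to an
# Exchange server object in Active Directory and list the resulting audit entries.
# Assumptions: names below are placeholders; the caller holds SeSecurityPrivilege.
Add-Type -AssemblyName System.DirectoryServices

$ExchangeOrg  = 'First Organization'          # assumed organization name
$AdminGroup   = 'First Administrative Group'  # assumed Administrative Group name
$ServerName   = 'EXCH01'                      # assumed Exchange server name
$AuditedGroup = 'CONTOSO\Exchange Admins'     # assumed group whose actions are audited

$configNC   = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$serverPath = "LDAP://CN=$ServerName,CN=Servers,CN=$AdminGroup,CN=Administrative Groups,CN=$ExchangeOrg,CN=Microsoft Exchange,CN=Services,$configNC"

# Bind to an object and request its SACL as well: by default DirectoryEntry fetches only
# the owner, group and DACL, so audit rules would otherwise be invisible and unwritable.
function Connect-WithSacl {
    param([string]$Path)
    $entry = [ADSI]$Path
    $masks = [System.DirectoryServices.SecurityMasks]
    $entry.Options.SecurityMasks = $masks::Owner -bor $masks::Group -bor $masks::Dacl -bor $masks::Sacl
    return $entry
}

# Equivalent of the Security tab steps: Create Children, Successful, this object and all child objects.
function Add-CreateChildSuccessAudit {
    param([string]$Path, [string]$Identity)
    $entry   = Connect-WithSacl -Path $Path
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $flags   = [System.Security.AccessControl.AuditFlags]::Success
    $scope   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this object and all child objects
    $rule    = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($account, $rights, $flags, $scope)
    $entry.ObjectSecurity.AddAuditRule($rule)
    $entry.CommitChanges()
}

# Read back every audit entry on the object, including those inherited from containers above it.
function Get-AuditEntries {
    param([string]$Path)
    $entry = Connect-WithSacl -Path $Path
    foreach ($rule in $entry.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
        [PSCustomObject]@{
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.ActiveDirectoryRights
            Audit     = $rule.AuditFlags          # Success, Failure, or both
            Inherited = $rule.IsInherited
            AppliesTo = $rule.InheritanceType
        }
    }
}

Add-CreateChildSuccessAudit -Path $serverPath -Identity $AuditedGroup
Get-AuditEntries -Path $serverPath | Format-Table -AutoSize
```

The audit entry only records which operations to log; the entries themselves appear in the Security log of the domain controller that handles the change, and only when the Audit Directory Service Access policy is enabled there, so check that policy on the domain controllers before expecting events.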




Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto