Chapter 2 - Preparing to Manage Exchange 2000
Monitoring and Managing Microsoft Exchange 2000 Server
by Mike Daugherty
Digital Press 2001

2.3 Delegating administrative responsibility

Who should be granted permissions for Exchange 2000 objects needs to be clearly defined in any corporate messaging environment. The assignment of Exchange permissions and roles should be carefully considered, and periodic audits should be conducted to review the list of individuals who hold Exchange permissions.

2.3.1 Permissions

Any reasonably sized Exchange network is not managed by a single person but rather by a group of people who have been granted the necessary privileges to modify the contents of the Microsoft Exchange directory and components. The purpose of this section is to explain how permissions work in the Microsoft Exchange Administrator program.

Having defined roles for corporate messaging architects, messaging system managers, directory services managers, messaging system backup operators, administrators, and the help desk makes it necessary to grant the appropriate access rights to implement these roles. Specific rights and permissions are required to perform each of these roles. The type and breadth of tasks that can be performed by an administrator can be tailored by varying both the permission types and the objects to which the permissions apply. Granting excessive rights creates problems by allowing too many people to have access to potentially destructive features. Appropriate and carefully controlled assignment of rights and permissions will allow management and administrative tasks to be carried out productively without jeopardizing system security.

Permissions for Exchange 2000 Server are based on the Windows 2000 permission model. The Windows 2000 Active Directory is the primary data structure for Exchange, and managing Exchange really means managing the containers and objects found in the Active Directory. Windows 2000 allows permissions to be granted at the object level.

You use the Exchange Administration Delegation wizard to set permissions for the Exchange organization or administrative group. Other objects within the Exchange organization inherit these permissions.

By default, when a Windows 2000 object is created, it inherits permissions from its parent object. Later, if you need to modify permissions on all objects within a container, you only need to change the permissions on parent objects. All child objects will automatically inherit the new permissions. The Windows 2000 inheritance feature ensures that the permissions assigned to a parent object are consistently applied to all child objects. Inheritance eliminates the need to manually apply permissions to child objects.

Exchange extends the default Windows 2000 inheritance model to provide system managers with even more control over the permissions on Exchange objects and containers. The inheritance model for Exchange objects can be customized to specify which containers or objects will receive the permissions. The administrator can elect to apply the permissions to the container being modified, the container and all of its subcontainers, or only to the subcontainers.

You can set specific permissions for certain Exchange objects, but other objects always inherit the permissions set by the Exchange Administration Delegation wizard and cannot be customized. The objects for which permissions can be customized are address lists, Exchange servers, mailbox stores, and public folder stores. The following standard Windows 2000 permissions are available for each of these Exchange 2000 objects.

  • Full control

  • Create children

  • Read

  • Delete children

  • Write

  • List contents

  • Execute

  • Add/remove self

  • Delete

  • Read properties

  • Read permissions

  • Write properties

  • Change permissions

  • Delete tree

  • Take ownership

  • List object

Exchange further extends the default Windows 2000 permissions model by using Exchange extended permissions. The additional permissions specific to Exchange 2000 objects are given in Table 2.1.

Table 2.1: Exchange 2000 Object-Specific Permissions (each permission is followed by its description)

Administer information store

This permission is used to specify the users who are allowed to administer the Exchange Information Store.

Create named properties in the information store

This permission is used to specify the users who are allowed to create named properties in the Exchange Information Store. A named property is a store attribute that can be accessed by name, such as display names.

Create public folder

This permission is used to specify the users who are allowed to create public folders under this folder. The Information Store service enforces this permission.

Create top level public folder

This permission is used to specify the users who are allowed to add top level public folders. The Information Store service enforces this permission.

Modify public folder ACL

This permission is used to specify the users who are allowed to modify the public folder access control list (ACL).

Modify public folder admin ACL

This permission is used to specify the users who are allowed to modify the administrative access control list for a public folder.

Modify public folder deleted item retention

This permission is used to specify the users who are allowed to modify the length of time that items deleted from the public folder are retained. The Information Store service enforces this permission.

Modify public folder expiry

This permission is used to specify the users who are allowed to modify the expiration date for items in the public folder. The Information Store service enforces this permission.

Modify public folder quotas

This permission is used to specify the users who are allowed to modify the quotas on a public folder. The Information Store service enforces this permission.

Modify public folder replica list

This permission is used to specify the users who are allowed to modify the public folder replica list. An administrator must be given this permission on the administrative group to which this public folder points and the public database to which the replica should be added. The Information Store service enforces this permission.

Open Address List

This permission is used to specify the users who can access the address list.

Open mail send queue

This permission is used to specify the users who are allowed to open the mail send queue, which is used for queuing messages being sent to or received from the Information Store. Generally, this permission is only granted to the Domain EXServers account.

Read metabase properties

This permission is used to specify the users who are allowed to read the Internet Information Services metabase. The IIS metabase is the database that stores IIS configuration values.

View information store status

This permission is used to specify the users who are allowed to view Information Store information such as logons and resources.

Assigning or modifying Exchange 2000 permissions

You can use the Exchange System Manager to assign or remove permissions to an Exchange object or to modify existing permissions. Although permissions can be granted to both users and groups, it is best to restrict granting permissions directly to specific users. Instead, permissions should be assigned to Windows 2000 groups that contain the appropriate users. Assigning permissions to groups rather than an individual user reduces the future workload when people leave, arrive, or change roles.

Permissions are modified or granted using the following procedure:

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Right-click on the address list, server, mailbox store, or public folder store object to which you want to assign permissions, and select Properties.

  3. Select the Security tab to display the security properties (Figure 2.3).

    Figure 2.3: Security properties tab

  4. In the Name window, select the user or group to which you want to assign permissions. If the user or group does not appear in the list, select Add to add users to the list.

  5. The user's current permissions are indicated in the Permissions window. The permissions currently granted to this user have the Allow check box marked. Permissions that are denied to this user have the Deny check box marked. If the permissions for this object are inherited from parent objects, the check box is shaded.

    Inherited permissions can only be changed at the parent object where the permission is defined. One of the following three approaches can be used to change permissions:

    • If the permission is not inherited from a parent object, select or clear the Allow or Deny check boxes for the permissions you want to grant or deny this user or group.

    • If the permission is inherited, change the permission at the parent object where it is defined.

    • Clear the check box for Allow inheritable permissions from parent to propagate to this object. This will allow you to change the permissions, but the object will no longer inherit permissions from parent objects.

  6. Select OK when all permission changes have been completed.

2.3.2 Exchange roles

Exchange further extends the default Windows 2000 permissions model with the Exchange Administration Delegation wizard. This tool greatly simplifies permission assignment by using Exchange administrator roles. A role is simply a collection of rights and privileges that defines a user's or administrator's access to objects held within an Active Directory container.

In Exchange 5.5, when a user was assigned a role for a particular container, the user had the same permissions for all objects within that container. In Exchange 2000, a system manager can specify user access by object class. For example, the administrator might grant a user access to Exchange servers without giving the user access to any other Exchange settings.

Typically, permissions are granted in System Manager at either the Exchange organizational level or at an administrative group level. The objects that can be managed are determined by where you start the Exchange Administration Delegation wizard. If you select the Exchange organization before starting the wizard, the administrative permissions will be granted to all Exchange objects in the organization. Similarly, if you start the wizard after selecting an administrative group, then the scope of the permissions is limited to the objects in the selected administrative group. To limit administrative access to specific objects within an administrative group, use the wizard to set permissions for the entire administrative group, and then re-configure the permissions at the object level.

Exchange provides the following set of pre-defined roles:

  • Exchange Full Administrator. The Exchange Full Administrator role is designed for those administrators who need full control over the entire Exchange organization. Users who are assigned this role can fully administer all Exchange 2000 system information and can modify permissions. In addition to the permissions granted by the Exchange Administration Delegation wizard, you must also manually make the Exchange Full Administrator a local system administrator for each Exchange server to be managed. Local system administrators can start and stop services, and access the registry, the metabase, and the file system for administrative operations. Users who will be remotely managing an Exchange server must have administrative permissions on both the local system and on the remote server.

  • Exchange Administrator. All permissions needed to manage mailboxes or perform normal day-to-day management are included in the Exchange Administrator role. If you use the predefined roles, the Exchange Administrator role would typically be assigned to administrators and system managers. It includes all of the permissions available with the Exchange Full Administrator role except for the ability to modify permissions. You must also manually make the Exchange Administrator a local system administrator for each Exchange server to be managed.

  • Exchange View Only Administrator. This role provides view-only access to the selected objects. It can be used in conjunction with other permissions to allow administrators to view organization information for administrative groups that they are not administering. In addition to the permissions granted by the Exchange Administration Delegation wizard, you must manually give an Exchange View Only Administrator the permission to log on to the Exchange server locally.

Table 2.2 outlines the permissions for accessing the specified objects that are granted when you launch the Exchange Administration Delegation wizard from the Exchange organization level.

Table 2.3 outlines the permissions for accessing the specified objects that are granted when the Exchange Administration Delegation wizard is started at the administrative group level.

Table 2.2: Exchange Administration Delegation Wizard Roles at Organization Level

  Exchange Full Administrator: All permissions except Send as and Receive as for all Exchange objects in the organization container and subcontainers.

  Exchange Administrator: All permissions except Change permissions, Send as, and Receive as for all Exchange objects in the organization container and subcontainers.

  Exchange View Only Administrator: Only Read, List object, List contents, and View information store status for all Exchange objects in the organization container and subcontainers.

Note 

By default, administrative groups and routing groups are not displayed. If you have not already enabled these, right-click on the Exchange organization and select Properties to display the organization properties. Select the Display administrative groups check box to allow the administrative groups to be displayed and select the Display routing groups check box to display the routing groups. You must restart the Exchange System Manager after enabling display of administrative groups and routing groups.

Table 2.3: Exchange Administration Delegation Wizard Roles at Administrative Group Level

  Exchange Full Administrator
    Administrative group objects: All permissions except Send as and Receive as for objects in the administrative group and subcontainers.
    Objects in the organization container: Only Read, List object, and List contents permissions for objects in the organization container and outside of the administrative group container.

  Exchange Administrator
    Administrative group objects: All permissions except Change permissions, Send as, and Receive as for objects in the administrative group and subcontainers.
    Objects in the organization container: Only Read, List object, and List contents permissions for objects in the organization container and outside of the administrative group container.

  Exchange View Only Administrator
    Administrative group objects: Only Read, List object, List contents, and View information store status permissions for objects in the administrative group and subcontainers.
    Objects in the organization container: Only Read, List object, and List contents permissions for objects in the organization container and outside of the administrative group container.
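The permission, inheritance and role rules of sections 2.3.1 and 2.3.2 can be exercised as code. The following Python is an added example written for this page, not code from the book or from Microsoft: it models the object tree, Allow/Deny ACEs with the three Exchange inheritance choices, the "Allow inheritable permissions from parent" switch, the three wizard roles of Tables 2.2 and 2.3, and the periodic permission audit that section 2.3 recommends. All organization, group and user names are constructed; the aggregate meaning of Full control and the real directory ACE encoding are deliberately not modelled.

```python
"""Toy model of the Exchange 2000 permission and delegation model in section 2.3 (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Permission universe: the standard Windows 2000 rights listed in 2.3.1 plus the Exchange
# extended rights of Table 2.1 (Send as and Receive as are named in Table 2.2).
STANDARD = ["Full control", "Create children", "Read", "Delete children", "Write", "List contents",
            "Execute", "Add/remove self", "Delete", "Read properties", "Read permissions",
            "Write properties", "Change permissions", "Delete tree", "Take ownership", "List object"]
EXTENDED = ["Administer information store", "Create named properties in the information store",
            "Create public folder", "Create top level public folder", "Modify public folder ACL",
            "Modify public folder admin ACL", "Modify public folder deleted item retention",
            "Modify public folder expiry", "Modify public folder quotas", "Modify public folder replica list",
            "Open Address List", "Open mail send queue", "Read metabase properties",
            "View information store status", "Send as", "Receive as"]
ALL = frozenset(STANDARD + EXTENDED)
# Table 2.2: what each wizard role grants on the container where it is delegated.
ROLES = {
    "Exchange Full Administrator": ALL - {"Send as", "Receive as"},
    "Exchange Administrator": ALL - {"Change permissions", "Send as", "Receive as"},
    "Exchange View Only Administrator": frozenset({"Read", "List object", "List contents",
                                                   "View information store status"}),
}
ORG_PEEK = frozenset({"Read", "List object", "List contents"})  # Table 2.3, right-hand column
# The three Exchange inheritance choices described in 2.3.1.
THIS, THIS_AND_SUB, SUB_ONLY = "this container", "this container and subcontainers", "subcontainers only"


@dataclass(frozen=True)
class Ace:
    trustee: str                  # user or, preferably, group name
    permission: str
    allow: bool                   # False models the Deny check box
    apply: str = THIS_AND_SUB


@dataclass
class ExchObject:
    name: str
    parent: Optional["ExchObject"] = None
    protected: bool = False       # "Allow inheritable permissions from parent" cleared
    aces: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def inherited(self):
        """ACEs flowing down from ancestors; nothing flows into a protected object."""
        if self.protected or self.parent is None:
            return []
        return [a for a in self.parent.aces if a.apply != THIS] + self.parent.inherited()

    def has_permission(self, user, groups, permission):
        """Windows DACL order: explicit ACEs before inherited ones, Deny before Allow."""
        ids = {user, *groups.get(user, [])}
        explicit = [a for a in self.aces if a.apply != SUB_ONLY]
        for level in (explicit, self.inherited()):
            hits = [a for a in level if a.trustee in ids and a.permission == permission]
            if any(not a.allow for a in hits):
                return False
            if hits:
                return True
        return False              # no matching ACE: access is implicitly denied


def delegate(org, scope, trustee, role):
    """What the Exchange Administration Delegation wizard adds (Tables 2.2 and 2.3)."""
    scope.aces += [Ace(trustee, p, True) for p in ROLES[role]]
    if scope is not org:          # admin-group scope also gets read/list rights on the organization
        org.aces += [Ace(trustee, p, True) for p in ORG_PEEK]


def walk(obj):
    yield obj
    for child in obj.children:
        yield from walk(child)


def audit(root, users, permission):
    """The periodic audit section 2.3 calls for: which users effectively hold `permission` where."""
    return {o.name: sorted(u for u in users if o.has_permission(u, users, permission))
            for o in walk(root)}


def build_demo():
    """Constructed organization, group memberships and delegations (all names are invented)."""
    users = {"alice": ["Regional-Admins"], "bob": ["Messaging-Architects"], "carol": []}
    org = ExchObject("Organization")
    ag_east, ag_west = ExchObject("AG-East", org), ExchObject("AG-West", org)
    srv_east, srv_west = ExchObject("Server-East-1", ag_east), ExchObject("Server-West-1", ag_west)
    store = ExchObject("Mailbox Store (Server-East-1)", srv_east)
    ExchObject("Public Folder Store (Server-East-1)", srv_east, protected=True)
    delegate(org, org, "Messaging-Architects", "Exchange Full Administrator")
    delegate(org, ag_east, "Regional-Admins", "Exchange Administrator")
    ag_east.aces.append(Ace("alice", "Delete tree", False))                 # explicit Deny on one member
    store.aces.append(Ace("carol", "Change permissions", True, THIS))       # direct user grant to audit
    return org, {o.name: o for o in walk(org)}, users
```

Running `audit(*build_demo()[::2], "Change permissions")` lists, per object, every user who can modify permissions there, which is exactly the list a periodic review should be checking.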

Assigning or modifying roles using the Exchange Administration Delegation wizard

The Exchange Administration Delegation Wizard can be used to assign roles using the following procedure.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Right-click on either the Exchange organization object or an administrative group object, and select Delegate Control to start the wizard.

  3. The wizard displays an introductory screen (Figure 2.4). Select Next to continue.

    Figure 2.4: The Exchange Administration Delegation wizard

  4. The Users or Groups window displays the users and groups who currently have assigned roles for the Exchange organization or selected administrative group. To remove an assigned role, select the user or group and then select Remove. To add a new user or group, select Add to display the Delegate Control window (Figure 2.5).

    Figure 2.5: The Delegate Control window

  5. Use the Browse button to find the user or group to which you want to assign a role.

  6. Use the drop-down list to select the role for this user, and then select OK to return to the Users or Groups window.

  7. When you have completed all changes, select Next to display the summary screen.

  8. When you have finished reviewing the summary of changes, select Finish to implement the new roles.

2.3.3 Administrative groups

Exchange administrative groups are collections of Exchange servers and objects that are grouped together for common administration. For example, many corporations have regional IT organizations responsible for managing the servers in their region. In situations such as this, it is possible to create a separate administrative group for each region with each administrative group containing the servers located in that region. Grouping related objects allows you to administer the objects collectively rather than individually. Permissions and other settings defined at the administrative group level are automatically copied to all objects placed in the administrative group.

2.3.4 Windows 2000 policies

A Windows 2000 policy is a collection of rules that define how configuration settings are applied to Active Directory objects of the same class. Policies can be used on all Active Directory objects, including Exchange 2000 objects. Policies enhance the administrator's ability to manage large numbers of Active Directory objects by controlling sets of configuration settings. For example, an administrator could create a policy to change the configuration settings for Exchange servers, and then easily apply the revised policy to all servers.

There are two types of Windows 2000 policies:

  • System policies. System policies are used to manage Exchange objects such as servers and information stores. System policies are listed in the Policies container under the organization or administrative group containers. Exchange supports three types of system policies, one for each object class:

    • Mailbox Store. Policies are found on the General, Database, and Limits tabs.

    • Public Folder Store. Policies are found on the General, Database, Replication, and Limits tabs.

    • Server. Policies are found on the General tab.

  • Recipient policies . Recipient policies are used to generate e-mail addresses for mail-enabled objects such as user accounts, distribution lists, and custom recipients. Recipient policies are listed in the Recipient Policies container under the Recipients container. See Chapter 8 for a description of recipient policies.

Creating a server policy

The following procedure can be used to create a new server policy in an administrative group.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Open the Administrative Groups container.

  3. Before you can add a new server policy, you must first have a container for System Policies. If the System Policies container does not already exist, right-click the administrative group container and select New → System Policy Container.

  4. Right-click on the System Policy container and select New → Server Policy to display the New Policy window (Figure 2.6).


    Figure 2.6: The New Policy window

  5. Select the General check box and then select OK to display the Properties window for the new policy.

  6. On the General tab, enter a name for the server policy.

  7. Use the Administrative note field on the Details tab to enter additional information about the policy.

  8. Select the General (Policy) tab.

  9. Set the following options on the General (Policy) tab (Figure 2.7):

    • Select Enable subject logging and display to log all message subject fields.

    • Select Enable message tracking to log message tracking information.

    • Select Remove log files to remove all log files older than the value specified in the Remove files older than (days) field.

    Figure 2.7: The General (Policy) tab

  10. Select OK when finished to create a server policy you can use to control configuration settings for your Exchange servers.

Creating a public store policy

The following procedure can be used to create a new public store policy.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Open the Administrative Groups container.

  3. Before you can add a new public store policy, you must first have a container for System Policies. If the System Policies container does not already exist, right-click the administrative group container and select New → System Policy Container.

  4. Right-click on the System Policy container and select New → Public Store Policy to display the New Policy window (Figure 2.8).


    Figure 2.8: The New Policy window

  5. Select the check box for the properties tabs that you want to create and then select OK to display the Properties window for the new policy.

  6. On the General tab of the Properties window, enter a name for the public store policy.

  7. Set the following options on the General (Policy) tab:

    • Select Clients support S/MIME signatures if your mail clients are using S/MIME.

    • Select Display plain text messages in a fixed-sized font to convert incoming messages to a fixed font.

  8. Set the following options on the Database (Policy) tab: Use the Maintenance interval drop-down list to select a time for running the database maintenance process or select Customize to create a custom maintenance schedule.

  9. Set the following options on the Replication (Policy) tab:

    • Use the Replication interval drop-down list to select a time for running the replication process or select Customize to create a custom replication schedule.

    • Enter a value in the Replication interval for always (minutes) field to limit replication frequency.

    • Enter a value in the Replication message size limit (KB) field to limit the messages replicated.

  10. Select the Limits (Policy) tab (Figure 2.9).

    Figure 2.9: The Limits (Policy) tab of the Public Store Properties window

  11. Set the following options on the Limits (Policy) tab:

    • Select the Issue warning at (KB) check box and enter a value to send a warning when the storage space used reaches the specified size.

    • Select the Prohibit post at (KB) check box and enter a value to prohibit posting new items when the storage space used reaches the specified size.

    • Select the Maximum item size (KB) check box and enter a value for the maximum size item that can be stored in the public folder.

    • Use the Warning message interval drop-down list to select a time for checking storage limits or select Customize to create a custom schedule.

    • Enter a value in the Keep deleted items for (days) field to specify the maximum number of days that items can remain in the public store.

    • Select the Do not permanently delete items until the store has been backed up check box to keep deleted items until the public store has been backed up.

    • Select the Age limit for all folders in this store (days) check box and enter a value for the maximum age for items in this public store.

  12. Set the following options on the Full-Text Indexing (Policy) tab:

    • Use the Update interval drop-down list to select a time for updating the index or select Customize to create a custom schedule.

    • Use the Rebuild interval drop-down list to select a time for rebuilding the index or select Customize to create a custom schedule.

  13. Use the Administrative note field on the Details tab to enter additional information about the policy.

  14. Select OK when finished.

Creating a mailbox store policy

The following procedure can be used to create a new mailbox store policy.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Open the Administrative Groups container.

  3. Before you can add a new mailbox store policy, you must first have a container for System Policies. If the System Policies container does not already exist, right-click the administrative group container and select New → System Policy Container.

  4. Right-click on the System Policy container and select New → Mailbox Store Policy to display the New Policy window (see Figure 2.10).


    Figure 2.10: The New Policy window

  5. Select the check box for the properties tabs that you want to create and then select OK to display the Properties window for the new policy.

  6. On the General tab of the Properties window, enter a name for the mailbox store policy.

  7. Select the General (Policy) tab (Figure 2.11).

    Figure 2.11: The General (Policy) tab of the Mailbox Store Policy Properties window

  8. Set the following options on the General (Policy) tab:

    • Select the Default public store that will be used by users with mailboxes in this mailbox store.

    • Select the Offline address list that will be used by users with mailboxes in this mailbox store.

    • Select the Archive all messages sent or received by mailboxes on this store check box and enter the location where messages will be archived.

    • Select Clients support S/MIME signatures if your mail clients are using S/MIME.

    • Select Display plain text messages in a fixed-sized font to convert incoming messages to a fixed font.

  9. Set the following options on the Database (Policy) tab:

    • Use the Maintenance interval drop-down list to select a time for running the database maintenance process or select Customize to create a custom maintenance schedule.

  10. Select the Limits (Policy) tab (Figure 2.12).

    Figure 2.12: The Limits (Policy) tab of the Mailbox Store Policy Properties window

  11. Set the following options on the Limits (Policy) tab:

    • Select the Issue warning at (KB) check box and enter a value to send a warning when the storage space used reaches the specified size.

    • Select the Prohibit send at (KB) check box and enter a value to prohibit sending new messages when the storage space used reaches the specified size.

    • Select the Prohibit send and receive at (KB) check box and enter a value to prohibit sending and receiving new messages when the storage space used reaches the specified size.

    • Use the Warning message interval drop-down list to select a time for checking storage limits or select Customize to create a custom schedule.

    • Enter a value in the Keep deleted items for (days) field to specify the maximum number of days that items can remain in the mailbox store.

    • Enter a value in the Keep deleted mailboxes for (days) field to specify the maximum number of days that deleted mailboxes can remain in the mailbox store.

    • Select the Do not permanently delete mailboxes and items until the store has been backed up check box to keep deleted items until the mailbox store has been backed up.

  12. Set the following options on the Full-Text Indexing (Policy) tab:

    • Use the Update interval drop-down list to select a time for updating the index or select Customize to create a custom schedule.

    • Use the Rebuild interval drop-down list to select a time for rebuilding the index or select Customize to create a custom schedule.

  13. Use the Administrative note field on the Details tab to enter additional information about the policy.

  14. Select OK when finished.

Applying policies to objects

After you create a policy, you must apply it to objects of the appropriate type. The following procedure can be used to apply policies to objects. This procedure uses the example of applying a mailbox store policy to a mailbox store object; a similar procedure can be used for server policies or public store policies.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Open the Administrative Groups container.

  3. Open the administrative group containing the policy you want to apply.

  4. Open the System Policies container.

  5. Right-click on the policy you want to apply and select Add Mailbox Store.

  6. Select a mailbox store object from the list of mailbox stores in the top section of the window, and then select Add (Figure 2.13).

    Figure 2.13: Policy item selection

  7. Select OK when finished.

  8. A dialog box will be displayed asking if you are sure that you want to add the item to this policy. Select Yes.

  9. If another policy has already been applied to the object, another dialog box will be displayed asking if you want to remove the object from the other policy. Click Yes.

Removing a policy from an object

The following procedure can be used to remove a system policy from an object.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Open the Administrative Groups container.

  3. Open the administrative group containing the policy you want to remove.

  4. Open the System Policies container.

  5. Select the policy you want to remove.

  6. In the right-hand System Manager window, right-click on the object to remove and select Remove from policy (Figure 2.14).

    Figure 2.14: Removing a policy from an object

  7. A dialog box will be displayed advising you that this item will be removed from the control of the policy. Select Yes to remove the policy from this object.

Copying policy objects between administrative groups

The following procedure can be used to copy a policy from a policy container in one administrative group to a policy container in another administrative group.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Open the Administrative Groups container.

  3. Open the administrative group containing the policy you want to copy.

  4. Open the System Policies container.

  5. Right-click on the policy you want to copy and select Copy.

  6. Open the target administrative group.

  7. Right-click on the target System Policies container and select Paste.

  8. Right-click on the target System Policies container and select Refresh to display the policy in the target container.

Moving policy objects between administrative groups

The following procedure can be used to move a policy from a policy container in one administrative group to a policy container in another administrative group.

  1. Start the System Manager from the Windows 2000 Start menu by selecting Programs → Microsoft Exchange → System Manager.

  2. Open the Administrative Groups container.

  3. Open the administrative group containing the policy you want to move.

  4. Open the System Policies container.

  5. Right-click on the policy you want to move and select Move.

  6. Open the target administrative group.

  7. Right-click on the target System Policies container and select Paste.

  8. Right-click on the target System Policies container and select Refresh to display the policy in the target container.

 


Monitoring and Managing Microsoft Exchange 2000 Server (HP Technologies)
ISBN: 155558232X