Recipe 4.9. Delegating Administrative Control

Problem

You want to delegate control over Exchange Server administrative functions to a user or group in your organization.

Solution

Using a graphical user interface

Discussion

Exchange 2000 and Exchange Server 2003 support three distinct administrative roles:

There's no equivalent of the Exchange 5.5 service account administrator; by design, Microsoft sets the ACEs on mailbox databases to prevent administrators from reading other people's mail without some effort.

The Exchange Delegation Wizard can be used to grant administrative permissions over organizations or administrative groups. It is a good idea to create security groups for the Exchange Administrator, Exchange View Only Administrator, and Exchange Full Administrator roles; you can then add and remove users from these groups as necessary.

Putting users in groups, then delegating control to those groups, is the preferred method of delegation. You can delegate to individual users, but this increases the chances that you'll either make a mistake and grant access to the wrong user or have to go back later and undo the delegation. If a delegation is made in error, you can use the dsrevoke command-line tool to remove it, or you can manually edit the access control lists (ACLs). In addition to making delegation and later permission removal easier, delegating to groups means Active Directory has fewer access control lists to manage and replicate.

Alternatively, you can customize the Delegation Wizard to control what kinds of permissions are set on which objects; MS KB 308404 explains the process of modifying the delegwiz.inf file to do this, but it's not for the faint of heart.

See Also

MS KB 308404 (How to customize the task list in the Delegation Wizard), MS KB 823018 (Overview of Exchange Administrative Role Permissions in Exchange 2003), and MS KB 316792 (Minimum Permissions Necessary to Perform Exchange-related Tasks), and the dsrevoke tool: