Recipe 4.9. Delegating Administrative Control



Problem

You want to delegate control over Exchange Server administrative functions to a user or group in your organization.

Solution

Using a graphical user interface

  1. Launch the Exchange System Manager (Exchange System Manager.msc).

  2. Right-click the organization object and select Delegate Control.

  3. At the Exchange Administration Delegation Wizard welcome screen, click Next.

  4. To add users or groups to whom you'd like to delegate administrative access, click Add. Click Browse and type the name of the user or group being granted access. Click OK.

  5. Select the role you wish to grant: Exchange Administrator, Full Administrator, or View-Only Administrator, and click OK.

  6. Click Next, then click Finish. You have successfully delegated an administrative role to the specified user(s) or group(s).

Discussion

Exchange 2000 and Exchange Server 2003 support three distinct administrative roles:

  • The Exchange Administrator role allows holders to see and change all Exchange-related settings in ESM. However, holders of this role can't change permissions on Exchange-related objects.

  • The Exchange Full Administrator role can do everything Exchange Administrator can, plus it can be used to change permissions.

  • The Exchange View-Only Administrator can see settings, but can't make permanent changes.

There's no equivalent of the Exchange 5.5 service account administrator; by design, Microsoft sets the ACEs on mailbox databases to prevent administrators from reading other people's mail without some effort.

The Exchange Delegation Wizard can be used to grant administrative permissions over the organization or over individual administrative groups. It is a good idea to create security groups for the Exchange Administrator, Exchange View Only Administrator, and Exchange Full Administrator roles; you can then add and remove users from these groups as necessary. Putting users in groups, then delegating control to those groups, is the preferred method of delegation. You can delegate to individual users, but this increases the chances that you'll either make a mistake and grant access to the wrong user or that you'll have to go back later and undo the delegation. If a delegation is made in error, you can use the dsrevoke command-line tool to remove it, or you can edit the access control lists (ACLs) by hand. In addition to easier delegation and subsequent permission removal, delegation to groups has the advantage of requiring fewer access control lists for Active Directory to manage and replicate.

As an alternate method, you may choose to customize the Delegation Wizard to control what kinds of permissions are set on which objects; MS KB 308404 explains the process of modifying the delegwiz.inf file to do this, but it's not for the faint of heart.
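To check that delegation was in fact done through groups rather than individual accounts, the following PowerShell script (an added example, not part of the cookbook) reads the ACEs set directly on the Exchange organization object in the Configuration partition and flags any trustee that resolves to a user account. The organization name is a placeholder; run it on a domain-joined machine with an account that can read the Configuration partition.

```powershell
# Added example, not from the cookbook: enumerate the non-inherited ACEs on the
# Exchange organization object and flag those delegated directly to a user
# rather than to a security group. $orgName is a placeholder to replace.
$orgName = 'First Organization'   # replace with your Exchange organization name

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext
$org      = [ADSI]"LDAP://CN=$orgName,CN=Microsoft Exchange,CN=Services,$configNC"

# Resolve a DOMAIN\name trustee to its AD object class: user, group or unknown
# (builtin principals and foreign-domain accounts come back as unknown).
function Get-TrusteeClass([string]$ntAccount) {
    $parts = $ntAccount.Split('\')
    if ($parts.Count -ne 2) { return 'unknown' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(sAMAccountName=$($parts[1]))"
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return 'unknown' }
    $classes = $result.Properties['objectclass']
    if ($classes -contains 'group') { return 'group' }
    if ($classes -contains 'user')  { return 'user' }
    return 'unknown'
}

$acl   = $org.psbase.ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$report = foreach ($ace in $rules) {
    if ($ace.IsInherited) { continue }   # only ACEs set on the org object itself
    $trustee = $ace.IdentityReference.Value
    New-Object PSObject -Property @{
        Trustee = $trustee
        Class   = Get-TrusteeClass $trustee
        Type    = $ace.AccessControlType
        Rights  = $ace.ActiveDirectoryRights
    }
}
$report | Sort-Object Class, Trustee | Format-Table Trustee, Class, Type, Rights -AutoSize

# Delegations granted straight to user accounts are the ones the recipe advises
# against; review each and consider moving the user into a role group instead.
$report | Where-Object { $_.Class -eq 'user' } | ForEach-Object {
    Write-Warning "Delegated directly to user: $($_.Trustee) ($($_.Rights))"
}
```

The wizard can also place ACEs on individual administrative group objects, so repeat the check with those DNs if you delegated at that level.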

See Also

MS KB 308404 (How to customize the task list in the Delegation Wizard), MS KB 823018 (Overview of Exchange Administrative Role Permissions in Exchange 2003), MS KB 316792 (Minimum Permissions Necessary to Perform Exchange-related Tasks), and the dsrevoke tool:

http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en


Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235
