Administrative Groups and Permissions


Exchange Server 2003 permissions are based on the Active Directory permissions model. This means that you can assign permissions to a user or group by object, child object, or object class.

When you create an object in Active Directory, that object inherits its parent’s permissions by default. Inheritance allows permissions to flow down the object hierarchy so that you don’t have to assign permissions to child objects manually. In addition, when you need to change permissions for an entire range of objects, all you need to do is change the permissions for the parent object to make the child objects inherit those permissions automatically.

The permissions model in Exchange Server 2003 gives administrators a large amount of control over how permissions flow to containers and objects. This control is accomplished through customized inheritance, which allows you to specify that only certain objects can inherit permissions. You can specify inheritance for the following:

  • This object only

  • Inherit only

  • This object and subcontainers

  • This object and children objects

  • Subcontainers only

  • Children objects only

  • This object, subcontainers, and children objects

  • Subcontainers and children objects

Real World—Be Aware of How Permissions Flow in the Configuration Naming Partition

By default, members of the Enterprise Admins group have full control over your administrative groups. Members of the Domain Admins group also have significant permissions on these objects. Figure 12-5 shows an Active Directory Service Interfaces (ADSI) Edit console window that illustrates how these permissions are ultimately inherited from the configuration context. (ADSI Edit is an MMC snap-in.)

Figure 12-5: ADSI Edit console, showing permissions inheritance for administrative groups.

Because Exchange Server 2003 holds much of its information in the configuration partition of Active Directory, your Exchange organization is created in this partition. To Active Directory, the organization object is just another object to which default permissions flow.

If your environment draws a sharp line between the work of the Exchange administrators and the domain administrators, you’ll need to create an Exchange Admins group, give that group full control over every part of your Exchange organization, and limit the depth and scope of the permissions held by the Domain Admins group. You must do this manually for the organization object itself. In addition, you’ll need to block the inheritance of permissions from the Active Directory configuration partition and then reassign permissions at the organization level for all of your Exchange Server objects.
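The following PowerShell script is an added example, not code from the book, showing how the steps in this sidebar look against the organization object in the configuration partition: it lists which access control entries (ACEs) on the object were inherited from the configuration context, grants a dedicated Exchange Admins group full control over the object, its subcontainers and its child objects, and then blocks further inheritance. The organization name "Contoso" and the group name CONTOSO\Exchange Admins are placeholders; the script assumes a domain-joined Windows machine and an account allowed to edit the configuration partition. The comments also map the inheritance scopes listed earlier in this section onto the ActiveDirectorySecurityInheritance values the .NET API uses.

```powershell
# Added example, not from the book. Placeholders: organization "Contoso", group CONTOSO\Exchange Admins.
# Requires an account permitted to modify the configuration naming context.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$orgName  = "Contoso"                       # placeholder organization name
$org      = [ADSI]"LDAP://CN=$orgName,CN=Microsoft Exchange,CN=Services,$configNc"
$acl      = $org.psbase.ObjectSecurity      # System.DirectoryServices.ActiveDirectorySecurity

# Step 1: show every ACE on the organization object. IsInherited = True marks entries that
# flowed down from the configuration context (for example Enterprise Admins and Domain Admins).
# InheritanceType corresponds to the scopes listed earlier in this section:
#   None            -> This object only
#   All             -> This object, subcontainers, and children objects
#   Descendents     -> Subcontainers and children objects
#   SelfAndChildren -> This object and children objects
#   Children        -> Children objects only
$acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize

# Step 2: give the dedicated Exchange Admins group full control over the organization object,
# its subcontainers and its child objects (scope "All").
$group = New-Object -TypeName System.Security.Principal.NTAccount `
                    -ArgumentList "CONTOSO", "Exchange Admins"    # placeholder group
$rule  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $group,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
         )
$acl.AddAccessRule($rule)

# Step 3: block inheritance from the configuration partition. preserveInheritance = $true copies the
# currently inherited ACEs onto the object as explicit entries, so nothing is locked out by accident;
# afterwards narrow the Domain Admins entries deliberately rather than starting from an empty ACL.
$acl.SetAccessRuleProtection($true, $true)

# Nothing is written to the directory until this call; re-run Step 1 afterwards to verify
# that the Exchange Admins entry is present and that IsInherited is now False for every ACE.
$org.psbase.CommitChanges()
```

Run Step 1 on its own first to record the inherited entries before changing anything; the same listing, with `$org` pointed at an administrative group object, shows the inheritance chain that Figure 12-5 illustrates.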


More Info

For additional information about how to block permissions inheritance, refer to Microsoft Windows Server 2003 Security Administrator’s Companion, by Roberta Bragg (Microsoft Press).

Microsoft Exchange Server 2003 Administrator's Companion
ISBN: 0735619794
Year: 2005
Pages: 254