Managing and Troubleshooting Permissions


An administrative group is a collection of Exchange Server 2003 objects, such as servers, routing groups, public folder hierarchies, and policies. These objects are collected together so that they can be managed and permissions to them can be delegated.

Administrative groups allow permissions to be delegated to individual administrators. One set of servers can be managed by one set of administrators by delegating permissions while another set of servers can be managed by a separate group of administrators via the same process.

The default administrative group is the First Administrative group. The first Exchange server installed is always added to this group. Unless other administrative groups are created, all subsequently installed Exchange servers are added to the First Administrative group. If more administrative groups have been created, the Exchange Server 2003 setup process prompts you to choose the administrative group to which the server should be added.

Administrative groups are not displayed by default in the Exchange System Manager. Before you can create more administrative groups, you must edit the properties of the organization object and select the Display Administrative Groups option. After the administrative groups are displayed, new administrative groups can be created by right-clicking the Administrative Groups node in the Exchange System Manager and selecting New Administrative Group. After the group is created, you need to create a new System Policy container. You can then drag policies from the First Administrative group to the new administrative group.

Exchange Administrative Permissions

Permissions enable administrators to perform their day-to-day administrative tasks on Exchange Server 2003. Administrative permissions are granted by delegating permissions to Exchange objects.

The Exchange Administration Delegation Wizard is used to grant particular administrative permissions to users or groups within the Exchange organization. To use the Exchange Administration Delegation Wizard, you must have Exchange Full Administrator permissions at the organizational level.

The Exchange Administration Delegation Wizard can be initiated from the organization object or from the administrative group objects. The location from which you initiate the wizard determines the objects for which permissions can be delegated. If the wizard is initiated from the organization object, permissions delegated propagate down the entire hierarchy to all objects in the organization. If the wizard is started from a particular administrative group object, delegated permissions propagate only to all of the objects within that administrative group. It is better to delegate roles to groups rather than to individual users. That way, if you want to change the users who have the role delegated, you only have to change the membership of the group rather than having to run the delegation wizard again.

Three different roles can be delegated via the Exchange Administration Delegation Wizard, as shown in Figure 9.5.

Figure 9.5. Roles that can be delegated via the wizard.

These roles are:

  • Exchange Full Administrator: Groups delegated this role are able to administer all aspects of Exchange. They are able to add, delete, and rename objects, as well as run the Exchange Administration Delegation Wizard to modify permissions. This role should be used as sparingly as possible.

  • Exchange Administrator: Groups delegated this role can administer Exchange system information, but they cannot delegate permissions. This role best suits those who administer Exchange on a day-to-day basis; members of a group with this permission can add, delete, and rename objects.

  • Exchange View Only Administrator: Groups delegated this role can view Exchange configuration information. This role is suitable for administrators who do not need to modify Exchange objects.

Roles delegated by the Exchange Administration Delegation Wizard are not the be-all and end-all of setting Exchange permissions. An administrator who has write permissions for objects within an organization must also be a member of the local Administrators group on the computer hosting Exchange Server 2003. That membership cannot be delegated through Exchange. Either the Exchange administrator must be added to the Domain Admins group, or the administrator must be added to another group that is a member of the local Administrators group on each computer hosting Exchange. Unless your Exchange administrators are also domain administrators, you should create a universal group in the forest and add it to the local Administrators group on each of the Exchange servers. You can then grant local administrator access by adding the appropriate user account to this domain group.
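The universal-group approach described above, scripted as an added example (this is not code from the book): it creates the group once, makes sure it is a member of local Administrators on every Exchange server, and reports which servers already had it. The domain name, OU, group name and server list are placeholders, and the script assumes the ActiveDirectory module (RSAT) is installed and that the Local Accounts cmdlets exist on the target servers (Windows Server 2016 or later); on a 2003-era server the equivalent step is `net localgroup Administrators DOMAIN\group /add`.

```powershell
# Added example (not from the book): create a universal group in the forest and
# ensure it is a member of the local Administrators group on each Exchange server.
# Assumptions: the ActiveDirectory module (RSAT) is available, the caller may create
# groups and run remote commands on the servers, and the names below (domain, OU,
# group, server list) are placeholders for your own environment.
Import-Module ActiveDirectory

$domain      = 'CONTOSO'                                   # NetBIOS domain name (placeholder)
$groupName   = 'Exchange Server Local Admins'              # placeholder group name
$groupPath   = 'OU=Exchange Groups,DC=contoso,DC=com'      # placeholder OU
$exchServers = @('EXCH01', 'EXCH02')                       # placeholder server names

# 1. Create the universal security group once, if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
                -Path $groupPath `
                -Description 'Members receive local Administrators on Exchange servers'
}

# 2. On every Exchange server, add the domain group to local Administrators
#    (idempotent: servers that already have it are left alone) and collect a report.
$report = foreach ($server in $exchServers) {
    Invoke-Command -ComputerName $server -ArgumentList "$domain\$groupName" -ScriptBlock {
        param($member)
        # Get-LocalGroupMember reports domain principals as DOMAIN\name
        $present = Get-LocalGroupMember -Group 'Administrators' |
                   Where-Object { $_.Name -eq $member }
        if (-not $present) {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
        }
        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            Member       = $member
            AlreadyThere = [bool]$present
        }
    }
}
$report | Format-Table -AutoSize

# 3. From now on, grant an administrator local rights on all Exchange servers by
#    changing the group's membership rather than touching each server:
# Add-ADGroupMember -Identity $groupName -Members 'jsmith'
```

Keeping the membership in one domain group also gives you a single place to audit: reviewing who holds local Administrators on every Exchange server becomes a question of who is in that group, rather than a per-server check.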

Advanced Security Permissions

As we discussed in the preceding section, when using the Exchange Administration Delegation Wizard, depending on where the delegation occurs (at the organizational or at the administrative group level), permissions propagate down to all objects located underneath.

These inheritable permissions can be modified, just as they can be in the NTFS file system. To stop permissions on a parent object from propagating down to its child objects, edit the properties of the object, go to the Security tab, and click the Advanced button. From there, you can remove the permissions that have been inherited from the parent object. The advanced permissions are shown in Figure 9.6. Advanced permissions can also be configured using the ADSI Edit console, which lets you edit objects stored in Active Directory directly. This is an extremely complex method of editing permissions and should only be attempted if you have experience with the ADSI Edit console.
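As an added example (not code from the book), the following PowerShell does the same two things the Security tab does: it lists the entries on an Exchange configuration object, flagging which ones were inherited from the parent and which were set directly, and it optionally blocks inheritance on that object. It assumes the ActiveDirectory module is loaded so that the `AD:` drive exists, that the caller can read (and, for the second function, write) the object's security descriptor, and that `ExampleOrg` and the `DC=` components in `$orgDN` are placeholders for your own organization name and domain; the function names are ours.

```powershell
# Added example (not from the book): review the DACL on an Exchange configuration
# object and, if required, stop inherited permissions from the parent object.
# Assumptions: the ActiveDirectory module (RSAT) is loaded so the AD: drive exists,
# the caller has read (and, for Protect-ExchangeObjectAcl, write) access to the
# object, and the organization name and domain components below are placeholders.
Import-Module ActiveDirectory

# Placeholder DN of the Exchange organization object in the configuration partition.
$orgDN = 'CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'

function Get-ExchangeObjectAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Report each ACE and whether it came down from the parent (inherited) or was
    # set directly on this object. Explicit Full Control entries are the ones to
    # look at first when reviewing who holds Full Administrator-level rights here.
    $acl.Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
            AppliesTo = $_.InheritanceType
        }
    } | Sort-Object Inherited, Identity
}

function Protect-ExchangeObjectAcl {
    <#
      Equivalent of clearing the "inherit from parent" option on the Security tab's
      Advanced dialog. With -CopyInherited the currently inherited ACEs are converted
      to explicit ones, so nobody loses access at the moment inheritance is cut;
      without it, the inherited ACEs are dropped and only explicit ACEs remain.
    #>
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$CopyInherited
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # SetAccessRuleProtection(isProtected, preserveInheritance)
    $acl.SetAccessRuleProtection($true, [bool]$CopyInherited)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Review first: list the explicit (non-inherited) grants on the organization object.
Get-ExchangeObjectAce -DistinguishedName $orgDN |
    Where-Object { -not $_.Inherited } |
    Format-Table -AutoSize

# Then, only if the review shows it is needed, block inheritance while keeping a
# copy of the current entries (uncomment to run):
# Protect-ExchangeObjectAcl -DistinguishedName $orgDN -CopyInherited
```

Run the review function before and after any change and keep both outputs; a diff of the explicit entries on the organization and administrative-group objects is the quickest way to confirm that a delegation did what you expected and nothing more.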

Figure 9.6. The advanced permissions of an Active Directory object.

Source: MCSA/MCSE Implementing and Managing Exchange Server 2003 Exam Cram 2 (Exam 70-284), ISBN 0789730987, 2004, 171 pages.