Share via


Organization Management

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

The Organization Management management role group is one of several built-in role groups that make up the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2010. Role groups are assigned one or more management roles that contain the permissions required to perform a given set of tasks. The members of a role group are granted access to the management roles assigned to the role group. For more information about role groups, see Understanding Management Role Groups.

Administrators that are members of the Organization Management role group have administrative access to the entire Microsoft Exchange Server 2010 organization and can perform almost any task against any Exchange 2010 object, with some exceptions. By default, members of this role group can't perform mailbox searches and management of unscoped top-level management roles. For more information, see the "Delegating Only Role Assignments" section later in this topic.

Important

The Organization Management role group is a very powerful role and as such, only users or universal security groups (USGs) that perform organizational-level administrative tasks that can potentially impact the entire Exchange organization should be members of this role group.

This role group is equivalent to the Exchange Organization Administrators role in Exchange Server 2007.

For more information about RBAC, see Understanding Role Based Access Control.

Role Group Membership

By default, the account that's used to install Exchange 2010 in the organization is added as a member of the Organization Management role group. This account can then add other members to the role group as needed.

If you want to add or remove members to or from this role group, see the following topics:

By default, only members of the Organization Management role group can add or remove members from this role group. For more information about how to add additional role group delegates, see Add or Remove a Role Group Delegate.

You can use the following command to view a list of users or USGs that are members of this role group.

Get-RoleGroupMember "Organization Management"

For more information about the members of a role group, see View the Members of a Role Group.

Role Group Customization

This role group is assigned management roles by default. The roles that are included are listed in the "Management Roles Assigned to this Role Group" section. You can add or remove role assignments to or from this role group to match the needs of your organization.

The role groups provided with Exchange 2010 are designed to match more granular tasks. By assigning roles to a role group, you enable the members of that role group to perform the tasks associated with the role. For example, the Journaling role enables the management of the Journaling agent and journaling rules. For more information about how roles are assigned to role groups, see Understanding Management Role Assignments.

The roles assigned to this role group are given default management scopes. Management scopes determine what Exchange objects can be viewed or modified by the members of a role group. You can change the scopes associated with assignments between roles and role groups. For example, you might want to do this if you only want members of a role group to be able to change recipients that are under a specific organizational unit or in a specific location. For more information about management scopes, see Understanding Management Role Scopes.

For more information about how to customize this role group, see the following topics:

If you want to create a role group and assign some of the roles that are assigned to this role group to the new role group, see Create a Role Group.

The following are some ways you might want to customize this role:

  • Permissions owner   If the permissions in your organization are controlled by a specific group other than the Exchange administrators, you can create a role group and move the regular and delegating role assignments for the Role Management role to the new role group. Doing so prevents members of the Organization Management role group from managing any RBAC permissions.

  • Active Directory split permissions   If the creation of security principals in your organization, such as user accounts, is controlled by a specific group other than the Exchange administrators, you can create a role group and move the regular and delegating role assignments for the Mail Recipient Creation role and the Security Group Creation and Membership role to the new role group. Doing so prevents members of the Organization Management role group from creating Active Directory objects. They can, however, continue to mail-enable the new Active Directory objects. For more information about split permissions, see Understanding Split Permissions.

Customization Limitations

Any role can be added to or removed from this role group, with the following limitations:

  • Every role must have at least one delegating role assignment to a role group or USG before the delegating role assignment can be removed from this role group.

  • The Role Management role must have at least one regular role assignment to a role group or USG before the regular role assignment can be removed from this role group.

These limitations are intended to help prevent you from inadvertently locking yourself out of the system. By requiring that at least one delegating role assignment exists between every role and one or more role groups or USGs, you will always be able to assign roles to role assignees. By requiring that at least one regular role assignment exists between the Role Management role and one or more role groups or USGs, you will always be able to configure role groups and role assignments.

Important

These limitations require that role groups or USGs be the targets of the delegating and regular role assignments. You can't remove a delegating role assignment or the regular assignment for the Role Management role if the last assignment is to a user.

Delegating Only Role Assignments

Some role assignments between the Organization Management role group and management roles, such as Mailbox Search and Unscoped Role Management, are delegating only role assignments. These roles allow access to sensitive or personal information, such as the contents of mailboxes, or enable the creation of powerful unscoped management roles.

Delegating only role assignments enable members of the Organization Management role group only to assign the associated roles to other role groups, management role assignment policies, users, or USGs. Members of the Organization Management role group aren't given, by default, any permissions that the roles provide. This helps avoid accidental exposure to personal information or accidental elevation of privileges.

Members of the Organization Management role group can, however, assign themselves any role, in effect enabling them to perform any task. For example, a member of the Organization Management role group can assign the Mailbox Search role to the Organization Management role group. After this role assignment is made, members of the Organization Management role group can perform tasks enabled by the Mailbox Search role.

For more information about delegating role assignments, see Understanding Management Role Assignments.

Additional Permissions

The permissions granted to members of the Organization Management role group are primarily determined by the management roles assigned to the role group. However, not all tasks that you need to perform are covered by management roles. Some tasks occur outside of the Exchange management tools, and therefore the RBAC permissions model doesn't apply. For these tasks, permissions are provided by adding the Organization Management role group to the access control lists (ACLs) of certain Active Directory objects.

The following tasks are granted permissions by way of ACLs on Active Directory objects and not by management roles assigned to the Organization Management role group:

  • Running DomainPrep and ForestPrep using Setup.exe

  • Deploying additional servers in the organization

  • Provisioning servers using delegated setup

  • Creating, managing, and deleting top level public folders

  • Managing permissions of top level public folders

To see all permissions granted to the Organization Management role group by way of ACLs, see Exchange 2010 Deployment Permissions Reference.

Management Roles Assigned to This Role Group

The following table lists all the management roles that are assigned to this role group and the following attributes of each role assignment:

  • Regular assignment   Enables members of the role group to access the management role entries made available by the associated management role.

  • Delegating assignment   Gives members of the role group the ability to assign the specified role to other role groups, role assignment policies, users, or USGs.

  • Recipient read scope   Determines what recipient objects members of the role group are allowed to read from Active Directory.

  • Recipient write scope   Determines what recipient objects members of the role group are allowed to modify in Active Directory.

  • Configuration read scope   Determines what configuration and server objects members of the role group are allowed to read from Active Directory.

  • Configuration write scope   Determines what organizational and server objects members of the role group are allowed to modify in Active Directory.

For more information about role assignments and management scopes, see the following topics:

Management roles assigned to this role group

Management role Regular assignment Delegating assignment Recipient read scope Recipient write scope Configuration read scope Configuration write scope

Active Directory Permissions Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Address Lists Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

ApplicationImpersonation Role

 

X

Organization

Organization

None

None

Audit Logs Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Cmdlet Extension Agents Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Database Availability Groups Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Database Copies Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Databases Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Disaster Recovery Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Distribution Groups Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Edge Subscriptions Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

E-Mail Address Policies Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Exchange Connectors Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Exchange Server Certificates Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Exchange Servers Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Exchange Virtual Directories Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Federated Sharing Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Information Rights Management Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Journaling Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Legal Hold Role

X

X

Organization

Organization

OrganizationConfig

None

Mail Enabled Public Folders Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Mail Recipient Creation Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Mail Recipients Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Mail Tips Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Mailbox Import Export Role

 

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Mailbox Search Role

 

X

Organization

Organization

None

None

Message Tracking Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Migration Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Monitoring Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Move Mailboxes Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Organization Client Access Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Organization Configuration Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Organization Transport Settings Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

POP3 and IMAP4 Protocols Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Public Folder Replication Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Public Folders Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Receive Connectors Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Recipient Policies Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Remote and Accepted Domains Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Retention Management Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Role Management Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Security Group Creation and Membership Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Send Connectors Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Support Diagnostics Role

 

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Transport Agents Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Transport Hygiene Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Transport Queues Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Transport Rules Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

UM Mailboxes Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

UM Prompts Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Unscoped Role Management Role

 

X

Organization

Organization

OrganizationConfig

OrganizationConfig

Unified Messaging Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

User Options Role

X

X

Organization

Organization

OrganizationConfig

OrganizationConfig

View-Only Audit Logs Role

X

X

Organization

None

OrganizationConfig

None

View-Only Configuration Role

X

X

Organization

None

OrganizationConfig

None

View-Only Recipients Role

X

X

Organization

None

OrganizationConfig

None

MyBaseOptions Role

 

X

Self

Self

OrganizationConfig

OrganizationConfig

MyContactInformation Role

 

X

Self

Self

OrganizationConfig

OrganizationConfig

MyDiagnostics Role

 

X

Self

Self

OrganizationConfig

OrganizationConfig

MyDistributionGroupMembership Role

 

X

MyGAL

MyGAL

None

None

MyDistributionGroups Role

 

X

MyGAL

MyDistributionGroups

OrganizationConfig

None

MyProfileInformation Role

 

X

Self

Self

OrganizationConfig

OrganizationConfig

MyRetentionPolicies Role

 

X

Self

Self

OrganizationConfig

OrganizationConfig

MyTextMessaging Role

 

X

Self

Self

OrganizationConfig

OrganizationConfig

MyVoiceMail Role

 

X

Self

Self

OrganizationConfig

OrganizationConfig

 © 2010 Microsoft Corporation. All rights reserved.