Share via


Required Permissions to Manage Client Access

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

To perform administrative tasks on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed, you must have the required permissions for the user account that you are using to log on. Administrative tasks can be delegated or assigned to users by using Exchange 2007 administrative roles.

Table 1 summarizes the minimum permissions that are required to perform administrative tasks on a Client Access server.

Table 1   Client Access administrator permissions

Task Exchange Organization Administrators Exchange Server Administrators Exchange Recipient Administrators Exchange View-Only Administrators

Get-CASMailbox

 

 

X

 

Set-CASMailbox

 

 

X

 

Get-ClientAccessServer

 

 

 

X

Set-ClientAccessServer

X

 

 

 

New-WebServicesVirtualDirectory

X

 

 

 

Get-WebServicesVirtualDirectory

X

 

 

 

Remove-WebServicesVirtualDirectory

 

X

 

 

Set-WebServicesVirtualDirectory

 

X

 

 

New-AutodiscoverVirtualDirectory

X

 

 

 

Remove-AutodiscoverVirtualDirectory

X

 

 

 

Table 2 summarizes the minimum permissions that are required to perform administrative tasks for Exchange ActiveSync.

Table 2   Exchange ActiveSync administrator permissions

Task Exchange Organization Administrators Exchange Server Administrators Exchange Recipient Administrators Exchange View-Only Administrators

Remove-ActiveSyncDevice

 X

Clear-ActiveSyncDevice

X

New-ActiveSyncVirtualDirectory

X

Remove-ActiveSyncVirtualDirectory

X

Get-ActiveSyncVirtualDirectory

X

Set-ActiveSyncVirtualDirectory

X

Get-ActiveSyncDeviceStatistics

X

Get-ActiveSyncMailboxPolicy

X

New-ActiveSyncMailboxPolicy

X

Set-ActiveSyncMailboxPolicy

X

Remove-ActiveSyncMailboxPolicy

X

Export-ActiveSyncLog

X

Test-ActiveSyncConnectivity

X

Table 3 summarizes the minimum permissions that are required to perform administrative tasks for Microsoft Office Outlook Web Access.

Table 3   Outlook Web Access administrator permissions

Task Exchange Organization Administrators Exchange Server Administrators Exchange Recipient Administrators Exchange View-Only Administrators

New-OwaVirtualDirectory

X

Get-OwaVirtualDirectory

X

Set-OwaVirtualDirectory

X

Remove-OwaVirtualDirectory

X

Table 4 summarizes the minimum permissions that are required to perform administrative tasks for POP3 and IMAP4.

Table 4   POP3 and IMAP4 administrator permissions

Task Exchange Organization Administrators Exchange Server Administrators Exchange Recipient Administrators Exchange View-Only Administrators

Get-POPSettings

X

Set-POPSettings

X

Get-IMAPSettings

X

Set-IMAPSettings

X

Important

Logging on to a computer by using full administrative credentials may pose a security risk to the computer and network. Therefore, as a security best practice, do not log on to a computer by using full administrative credentials when you want to perform routine administrative tasks. Instead, you can use the Secondary Logon service or the Run as command to start applications or additional commands in a different security context without having to log off the computer. The Run as command prompts you to enter different credentials before the application or command can run. For more information about the Run as command, see Using Run as in the Windows Server 2003, Standard Edition online Help.

For More Information

For more information about how to configure permission in Exchange 2007, see Configuring Permissions.

For more information about permission considerations in Exchange 2007, see Permission Considerations.