Export (0) Print
Expand All
Expand Minimize
This topic has not yet been rated - Rate this topic

There are more than ten administrators delegated at the organizational level

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-12-03

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the number of users who have permissions as either Exchange Administrators or Exchange Full Administrators. The Exchange Server Analyzer counts the number of entries listed in the msExchAdmins attribute, which represents a link to all Exchange administrators within the organization together with the appropriate permissions. If the Exchange Server Analyzer finds there are more than 10 users with Exchange Administrator and/or Exchange Full Administrator permissions, a warning is displayed.

msExchAdmins is a multi-value attribute of the Exchange root organization container. It contains a list of security identifiers (SIDs) that represent the user accounts with delegated Exchange permissions.

It is a best practice to limit the number of users with write access to the Exchange organization. Consider reducing the number of Exchange Administrators and Exchange Full Administrators at the organization level. By reviewing administrative roles against the requirements of your messaging infrastructure, you may find that you can convert many of these users to Exchange View-only Administrators at the organizational level, while delegating to them the Exchange Administrator role at the Administration Group level.

  1. Consider decreasing the number of users that have Exchange Administrator and/or Exchange Full Administrator permissions.

  2. Consider performing an audit of Exchange Server permissions in your organization to ensure that they are appropriate.

For more information about planning and configuring permissions in Exchange, see:

For more information about administrative roles in Exchange Server 2003, see the Microsoft Knowledge Base article 823018, "Overview of Exchange Administrative Role Permissions in Exchange 2003" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823018).

For more information about administrative roles in Exchange 2000 Server, see the Knowledge Base article 289811, "XGEN: Exchange 2000 Role Permissions" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=289811).

 
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.