Permission Considerations

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 Topic Last Modified: 2007-07-12

When planning how to integrate Microsoft Exchange Server 2007 into your Active Directory directory service structure, consider the administrative model in your organization. With Exchange 2007, you have flexibility in how you assign permissions to administrators. Generally, we recommend that you consider how the following capabilities of Active Directory and Exchange 2007 affect the way that you organize your administrative roles:

A single administrator can perform tasks for both Microsoft Windows Server 2003 and Exchange.
You can split permissions between Exchange administrators and Windows administrators.
You can isolate the Exchange administrator roles and the Windows administrator roles by using an Exchange resource forest.

The sections in this topic describe the flexibility of permissions configuration and the administrative roles available in Exchange 2007.

Understanding the Exchange and Active Directory Split Permissions Model

In many Microsoft Exchange organizations, especially in medium and large organizations, there may be more than one Exchange administrator. Because these administrators can perform a specific set of administration tasks, Exchange Server 2007 provides predefined administrator roles and a split permissions model that allow you to configure specific permissions in Active Directory for various administrative roles in your organization. In Exchange 2007, permissions on Exchange recipient attributes are grouped together. This minimizes the manual permission configuration that you must do to split Exchange permissions from other administrative permissions. For more information about how to plan and implement your permissions model, see the following topics:

Changes to the Security and Permission Model

The security and permissions model from Exchange Server 2003 has changed for Exchange 2007. This section provides information about the changes to the Exchange permissions model and describes the differences.

Property Sets

A property set is a grouping of Active Directory attributes. You can control access to this grouping of Active Directory attributes by setting one access control entry (ACE) instead of setting an ACE on each property. The property set that groups all Exchange recipient attributes is called e-mail information.

Note:
Exchange Server 2003 security groups that had permission to access the recipient properties on Exchange Server 2003 servers will have permission to access the Exchange 2007 e-mail information property set, as long as you use Exchange 2007 Setup.Com or Setup.Com with the /PrepareAD parameter to update the Active Directory schema.

For more information on property sets, see Property Sets in Exchange 2007.

Exchange 2003 Security and Permissions Model

To help simplify management of permissions, Exchange Server 2003 provided predefined security roles that were available in the Exchange 2003 Administrative Delegation Wizard. These roles were a collection of standardized permissions that could be applied at either the organization or the administrative group level.

In Exchange 2003, the following security roles were available through the Delegation Wizard in Exchange System Manager:

Exchange Full Administrator
Exchange Administrator
Exchange View Only Administrator

This model had the following limitations:

A lack of specificity. The Exchange Administrator group was too large, and some customers wanted to manage their security and permissions model at the individual server-level.
A perception that the Exchange Server 2003 security roles only differed in subtle ways.
There was no clear separation between administration of users and groups by the Windows (Active Directory) administrators and Exchange recipient administrators. For example, to perform Exchange recipient related tasks, you had to grant Exchange administrators high level permissions (Account Operator permissions on Windows domains).

Exchange 2007 Security and Permissions Model

To improve the management of your Exchange administrator roles, which were called "security groups" in Exchange 2003, the following new or improved features have been made to the Exchange security and permissions model:

New administrator roles that are similar to the built-in Windows Server security groups. For more information about these administrator roles, see "Administrator Roles in Exchange 2007" later in this topic.
You can use the Exchange Management Console (formerly Exchange System Manager) and the Exchange Management Shell to view, add, and remove members from any administrator role.

Administrator Roles in Exchange 2007

Exchange 2007 has the following predefined groups that manage Exchange configuration data:

Exchange Organization Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
Exchange Public Folder Administrators (New in Exchange Server 2007 Service Pack 1)

During the Exchange Setup /PrepareAD phase (the organization-preparation phase that is similar to Exchange 2003 ForestPrep), these Exchange Administrator roles (except Exchange Server Administrators) are created in a new Microsoft Exchange security group's organizational unit (OU) that is located in the domain where /PrepareAD was run.

When you add an administrator role to a user, that user inherits the permissions that are permitted by that role. These administrator roles have permissions to manage Exchange data in Active Directory. There are three types of Exchange data that can be managed by these groups:

Global Data This is data in an Active Directory configuration container that is not associated with a particular server. This data includes, but is not limited to, mailbox policies, address lists, and Exchange Unified Messaging configuration. Global data generally affects the whole organization and can potentially affect all users. As a best practice, allow only a few trusted users to configure or change global data.
Recipient Data Recipients in Exchange are Active Directory user objects that can receive or send e-mail messages. Examples of recipient data include mail-enabled contacts, distribution groups, mailboxes, and specific recipient types such as public folder proxy objects.
Server Data Exchange server data is contained in Active Directory under the specified server’s node. Examples of this data include receive connectors, virtual directories, per-server settings, and mailbox and storage group data.

Exchange Organization Administrators Role

The Exchange Organization Administrators role gives administrators full access to all Exchange properties and objects in the Exchange organization. During Exchange setup, in the root domain, Setup /PrepareAD creates the Active Directory security group named Exchange Organization Administrators in the Microsoft Exchange Security Groups container of Active Directory Users and Computers.

When you add a user to the Exchange Organization Administrators role, that user becomes a member of the administrator role called Exchange Organization Administrators. Exchange 2007 creates this role during Active Directory preparation. Members of the Exchange Organization Administrators role have the following permissions:

Owners of the Exchange organization in the configuration container of Active Directory. As owners, members of the role have full control over the Exchange organization data in the configuration container in Active Directory and the local Exchange server Administrator group.
Read access to all domain user containers in Active Directory. Exchange grants this permission during setup of the first Exchange 2007 server in the domain, for each domain in the organization. These permissions are granted by being a member of the Exchange Recipient Administrator role.
Write access to all Exchange-specific attributes in all domain user containers in Active Directory. Exchange 2007 grants this permission during setup of the first Exchange 2007 server in the domain, for each domain in the organization. These permissions are granted by being a member of the Exchange Recipient Administrator role.
Owner of all local server configuration data. As owners, members have full control over the local Exchange server. Exchange 2007 grants this permission during setup of each Exchange server.

Users who are members of the Exchange Organization Administrators role have the highest level of permissions in the Exchange organization. All tasks that affect your whole Exchange organization will require membership in this group. Examples of tasks that require Exchange Organization Administrator permissions include creating or deleting connectors, changing server policies, and changing any global configuration settings.

Note:
When you install Exchange 2007, Setup will add the Exchange Organization Administrators role as a member of the local Administrators group on the computer on which you are installing Exchange. Be aware that the local Administrators group on a domain controller has different permissions than the local Administrators group on a member server. If you install Exchange 2007 on a domain controller, the users in the Exchange Organization Administrators role will have additional Windows permissions that they do not have if you install Exchange 2007 on a computer that is not a domain controller.

Note:

When you install Exchange 2007, Setup will add the Exchange Organization Administrators role as a member of the local Administrators group on the computer on which you are installing Exchange. Be aware that the local Administrators group on a domain controller has different permissions than the local Administrators group on a member server. If you install Exchange 2007 on a domain controller, the users in the Exchange Organization Administrators role will have additional Windows permissions that they do not have if you install Exchange 2007 on a computer that is not a domain controller.

Exchange Recipient Administrators Role

The Exchange Recipient Administrators role has permissions to modify any Exchange property on an Active Directory user, contact, group, dynamic distribution list, or public folder object. During Exchange Setup /PrepareAD, the Exchange Recipient Administrator role is created in the Microsoft Exchange Security Groups container in Active Directory. This role also lets you manage Unified Messaging mailbox settings and Client Access mailbox settings. Members of the Exchange Organization Recipient Administrators role have the following permissions:

Read access to all the Domain User containers in Active Directory that have had Setup /PrepareDomain run in those domains.
Write access to all the Exchange specific attributes on the Domain User containers in Active Directory that have had Setup /PrepareDomain run in those domains.
Membership in the Exchange View-Only Administrator role.

Users who are members of the Exchange Recipient Administrators role will not have permissions to Domains where Setup /PrepareDomain has not been run. When you add a new Exchange domain, make sure that you run Setup /PrepareDomain in the new domain to grant permissions to the Exchange administrator roles in that domain.

Exchange Server Administrators Role

The Exchange Server Administrators role has access to only local server Exchange configuration data, either in the Active Directory or on the physical computer on which Exchange 2007 is installed. Users who are members of the Exchange Server Administrators role have permissions to administer a particular server, but do not have permissions to perform operations that have global impact in the Exchange organization.

Exchange 2007 creates this administrator role during setup. Members of the Exchange Server Administrator role have the following permissions:

Owner of all local server configuration data. As owners, members of the role have full control over the local server configuration data.
Local administrator on the computer on which Exchange is installed.
Members of the Exchange View-Only Administrators role.

Exchange View-Only Administrators

The Exchange View-Only Administrators role has read-only access to the whole Exchange organization tree in the Active Directory configuration container, and read-only access to all the Windows domain containers that have Exchange recipients.

During Exchange Setup /PrepareAD, the Exchange View-Only Administrators role is created in the Microsoft Exchange Security Groups container in Active Directory.

Exchange Public Folder Administrators

New in Exchange 2007 Service Pack 1 (SP1)

The Exchange Public Folder Administrators role has administrative permissions to manage all the public folders. This administrator role is granted the "Create top level public folder" extended right. Members of this role can create and delete public folders, and manage public folder settings such as replicas, quotas, age limits, administrative permissions, and client permissions. This administrator role can mail-enable public folders, but it cannot modify mail recipient-related properties on public folders, such as proxy addresses. That capability requires membership in the Exchange Recipient Administrators role.

Summary of Administrator Roles and Permissions

The following table lists the Exchange 2007 administrator roles and their related Exchange permissions.

Administrator role	Members	Member of	Exchange permissions
Exchange Organization Administrators	Administrator, or the account that was used to install the first Exchange 2007 server	Exchange Recipient Administrator Administrators local group of <Server Name>	Full control of the Microsoft Exchange container in Active Directory
Exchange Recipient Administrators	Exchange Organization Administrators	Exchange View-Only Administrators	Full control of Exchange properties on Active Directory user object
Exchange Server Administrators		Exchange View-Only Administrators Administrators local group of <Server Name>	Full control of Exchange <Server Name>
Exchange View-Only Administrators	Exchange Recipient Administrators Exchange Public Folder Administrators	Exchange Recipient Administrators Exchange Server Administrators	Read access to the Microsoft Exchange container in Active Directory. Read access to all the Windows domains that have Exchange recipients.
Exchange Servers	Each Exchange 2007 computer account	Exchange View-Only Administrators	Special
Exchange Public Folder Administrators	Exchange Organization Administrators	Exchange View-Only Administrators	Ability to administratively manage public folders.

Address Book Attributes

Exchange uses many attributes to store Exchange data. Exchange also uses other recipient attributes that can be used by other directory-aware applications that use the Exchange data. Therefore, these attributes were not added to the Exchange-specific property sets. These attributes may reside in other property sets created during Active Directory installation or they may not belong to any property set.

The attributes listed in the following table are the data that is provided to end-users via Microsoft Office Outlook in the Global Address List (GAL). If an Exchange administrator requires the ability to update these attributes and is not a member of a domain privileged security group, such as the Account Operators group, the Active Directory administrator must grant read/write permission.

Applies to object	Exchange Management Console location	Attribute	Description
User, Contact	User Information or Contact Information tab in User or Contact properties	givenName	First name
User, Contact	User Information or Contact Information tab in User or Contact properties	initials	Middle initial
User, Contact	User Information or Contact Information tab in User or Contact properties	sn	Last name
User, Contact	User Information or Contact Information tab in User or Contact properties	info	Notes field
User, Contact	Address and Phone tab in User or Contact properties	streetAddress	Street address
User, Contact	Address and Phone tab in User or Contact properties	l	City
User, Contact	Address and Phone tab in User or Contact properties	st	State/Province
User, Contact	Address and Phone tab in User or Contact properties	postalCode	ZIP/Postal code
User, Contact	Address and Phone tab in User or Contact properties	countryCode	Country/Region
User, Contact	Address and Phone tab in User or Contact properties	telephoneNumber	Business phone
User, Contact	Only available in the Exchange Management Shell	otherTelephoneNumber	Alternative business phone
User, Contact	Address and Phone tab in User or Contact properties	pager	Pager
User, Contact	Address and Phone tab in User or Contact properties	facsimileTelephoneNumber	Fax
User, Contact	Address and Phone tab in User or Contact properties	homePhone	Home phone
User, Contact	Only available in the Exchange Management Shell	otherHomePhone	Alternative home phone
User, Contact	Address and Phone tab in User or Contact properties	mobile	Mobile phone
User, Contact	Only available in the Exchange Management Shell	otherfacsimileTelephoneNumber	Alternative fax
Contact	Only available in the Exchange Management Shell	telephoneAssistant	Assistant phone
Contact	Active Directory Service Interfaces (ADSI) Edit/LDAP	telephoneAssistant	Assistant phone
User, Contact	Organization tab in User or Contact properties	title	Title
User, Contact	Organization tab in User or Contact properties	company	Company
User, Contact	Organization tab in User or Contact properties	department	Department
User, Contact	Organization tab in User or Contact properties	physicalDeliveryOfficeName	Office
User, Contact	Organization tab in User or Contact properties	manager	Manager
User, Contact	Organization tab in User or Contact properties	directReports	Direct reports
User, Contact	Only available in the Exchange Management Shell	msExchAssistantName	Assistant name
Group	Group Information tab in Group properties	managedBy	Group owner
Group	Group Information tab in Group properties	info	Notes field

For More Information

For information about how to delegate permissions by using the Exchange administrative roles, see Add-ExchangeAdministrator.

For information about how to prepare Active Directory and your domains for Exchange 2007, see How to Prepare Active Directory and Domains.