Using Exchange Administrative Roles with Exchange Store Components

 

To perform most of the tasks in this topic, you must have at least Exchange Administrator permissions on the administrative group where you are working. For more information about the Exchange administrative roles and the Exchange Administration Delegation Wizard, see "Managing Exchange Server 2003 Permissions."

Use the information in this topic to identify what permissions are involved, and how the Exchange store objects inherit these permissions. This will help you to recognize situations where you may need a different administrative role or different permissions.

The following table summarizes the permissions for the three Exchange administrative roles on Exchange store objects.

Permissions for the Exchange administrative roles on mailbox stores, public folder stores, and public folder trees

| Role | Allowed | Denied |
| --- | --- | --- |
| Exchange Full Administrator | Full Control; Additional permissions in Active Directory to allow you to work with deleted items and offline address lists | Receive-As; Send-As |
| Exchange Administrator | All except Change Permissions; Additional permissions in Active Directory to allow you to work with offline address lists | Receive-As; Send-As |
| Exchange View Only Administrator | Read; List object; List contents; View Information Store Status | None |

The following figure summarizes how mailbox stores, public folder stores, and public folder trees inherit permissions.

Direction of inheritance of permissions for Exchange Full Administrators, Exchange Administrators, or Exchange View Only Administrators

As Figure 7.1 shows, objects in the Exchange store inherit permissions from their administrative group, with the following exceptions:

  • Delegating Exchange administrative roles on an administrative group gives administrators in those roles limited permissions on mailboxes—enough to create or delete mailboxes, and set options such as storage limits.

  • A public folder inherits some administrative permissions from the public folder tree where it resides. It does not inherit permissions from the public folder store.

  • Administrative rights on a public folder include many folder-specific permissions that are not available on the public folder tree. For example, although an Exchange Administrator cannot modify the permissions on a public folder tree, the administrator can modify permissions on a public folder in that tree.

Note

For an administrator to apply a system policy to a store, the administrator must have the appropriate permissions on both the System Policies container and on the target store. If you are using a distributed administration model with multiple administrative groups that have separate administrators, each administrator will be able to interact only with the stores in that administrator's own administrative group.

Important

Public folder trees and their public folders can only be administered in the administrative group where they were created, even though you can replicate folders in the tree to multiple administrative groups. If you are using a distributed administration model with multiple administrative groups that have separate administrators, each administrator can work with the public folder stores in that administrator's own administrative group, but may not have access to the public folders that those stores support.
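
To review the Receive-As and Send-As entries from the table, and whether they are inherited, the following PowerShell audit lists the relevant access control entries on mailbox stores, public folder stores, and public folder trees. It is an added example, not part of the original topic. It assumes a management workstation with the ActiveDirectory module, read access to the configuration partition, and that the store objects use the msExchPrivateMDB, msExchPublicMDB, and msExchPFTree classes under CN=Microsoft Exchange,CN=Services.

```powershell
# Added example (not from the original topic): audit Receive-As / Send-As ACEs
# on Exchange store objects. Read-only; assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# rightsGuid values of the extended rights; the empty GUID means "all extended rights".
$rights = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send-As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive-As'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Microsoft Exchange,CN=Services,$configNC"   # assumed container path

# Mailbox stores, public folder stores, and public folder trees.
$filter = '(|(objectClass=msExchPrivateMDB)(objectClass=msExchPublicMDB)(objectClass=msExchPFTree))'

$report = Get-ADObject -SearchBase $base -LDAPFilter $filter -Properties nTSecurityDescriptor |
    ForEach-Object {
        $obj = $_
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            # Skip ACEs that do not carry the extended-right bit at all.
            if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
            $name = $rights[$ace.ObjectType.ToString()]
            if (-not $name) { continue }
            [pscustomobject]@{
                Object    = $obj.Name
                Class     = $obj.ObjectClass
                Trustee   = $ace.IdentityReference.Value
                Right     = $name
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited         # True when the ACE comes from a parent container
            }
        }
    }

# Full listing: the Deny entries for the delegated roles should appear here.
$report | Sort-Object Object, Trustee, Right | Format-Table -AutoSize

# Entries worth a manual review: Allow ACEs set directly on a store or tree
# rather than inherited from a parent container.
$report | Where-Object { $_.Type -eq 'Allow' -and -not $_.Inherited } |
    Sort-Object Object, Trustee | Format-Table -AutoSize
```

The second listing is a review queue, not a verdict: service and system accounts can legitimately hold these rights, so compare each trustee against the accounts you have delegated roles to.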