Exchange Server 2003 Management


What permissions do I need to be able to create and delete Exchange Server 2003 users?

If you are responsible for both user and mailbox management, you need permission to create a user object in Active Directory. For example, you could be a Domain Admin or an Account Operator, or you might have delegated access to a specific organizational unit. In addition, you need the following Exchange permission:

  • The Exchange View Only Administrator role on the administrative group where the target Exchange Server 2003 server exists.

If you are only responsible for mailbox-enabling users after their accounts have been created, you can use a reduced set of permissions (in addition to the Exchange View Only Administrator role).

Additionally, if you manage public folder objects, it is recommended that the administration account (that is, the account that you log on as when you manipulate objects in Exchange System Manager) is mail-enabled or mailbox-enabled. In some cases, odd behavior in the permissions user interface, as well as display name resolution errors, may occur if the account administering public folder objects is not mailbox-enabled or mail-enabled.

For more information, see "Other Problems" under the topic "Troubleshooting and Repairing Exchange Server 2003 Store Problems" in Working with Exchange Server 2003 Stores (https://go.microsoft.com/fwlink/?LinkId=47595).

What permissions do I need to be able to modify a user object's mailbox rights?

To modify a user or inetOrgPerson object's mailbox rights by means of the Mailbox Rights button on the Exchange Advanced tab of the Active Directory Users and Computers snap-in, an Exchange administrator must have the following rights:

  • Exchange View-Only Administrator role delegated on the target administrative group

  • Administer Information Store right granted on the mailbox store where the mailbox resides

For more information about modifying mailbox rights, see Microsoft Knowledge Base article 330475 "You need full mailbox access to change mailbox rights after you install Exchange 2000 SP3." This behavior was changed in Service Pack 2 for Exchange 2000 Server. However, an issue arose in Service Pack 3; therefore, to fully administer mailbox rights, you should install at least the Exchange 2000 Server Post-SP3 Rollup. For more information about the Post-SP3 release, see Microsoft Knowledge Base article 836488, "April 2004 Exchange 2000 Server post-Service Pack 3 update rollup."

What permissions do I need to be able to move a mailbox between Exchange mailbox stores?

The move mailbox functionality accessible from the Active Directory Users and Computers snap-in logs on to the source mailbox and moves the folders and messages to the destination mailbox. You can move mailboxes between mailbox stores in the same storage group, across different storage groups on the same server, between Exchange servers in the same administrative group, or between Exchange servers in different administrative groups (the Exchange organization must be in native mode). You need permissions on the user object in Active Directory to modify its Exchange mailbox attributes; a user who is an Account Operator has these permissions. Additionally, you require:

  • Exchange Administrator role on the administrative group where the source and destination servers running Exchange Server 2003 exist.

  • Member of the Administrators group on the local workstation/server (to create a dynamic MAPI profile).

Why does Exchange View Only Administrator require the right to create objects in the global namespace for Exchange Server 2003 Service Pack 1?

When Service Pack 1 (SP1) for Exchange Server 2003 is running on Windows 2000 Server SP4 (or later) or Windows Server 2003, Exchange System Manager creates objects in the computer's global namespace. As a result, any administrator who is using Exchange System Manager must have the Create Global Objects right (SE_CREATE_GLOBAL_NAME) on the server. By default, local administrator accounts have this right. However, if the user's account has Exchange View Only Administrator rights but does not have local administrator rights on the computer, the user receives an error. This situation typically occurs when a user uses Terminal Services to access Exchange System Manager on another server for which the user is not a local administrator.

To avoid this error, you can either add the user to the local Administrators group, or you can grant the Create Global Objects right to the user. To grant this right, log on to the local computer using an account that is a member of the Administrators group, and then grant this right to the user account in Local Security Settings.

The Create Global Objects right does not exist in Windows 2000 Server SP3 (or earlier) or Windows XP. For these operating systems, no action is necessary.
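The following script is an added example, not part of the Microsoft page: it grants the Create Global Objects right (the SeCreateGlobalPrivilege user right) to a single account with secedit, which is the least-privilege alternative to adding the account to the local Administrators group. The account name is a constructed placeholder; run the script in a session that is a member of the local Administrators group on the server that hosts Exchange System Manager.

```powershell
# Added example: grant SeCreateGlobalPrivilege to one account via secedit.
# The account name is a placeholder; replace it with the real ESM operator account.
param([string]$Account = 'CONTOSO\esm-operator')

$inf = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

# Export only the user-rights area so the existing holders are preserved.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$lines = Get-Content $inf
$names = $lines -replace '\s*=.*$', ''
$index = [array]::IndexOf($names, 'SeCreateGlobalPrivilege')

if ($index -lt 0) {
    # Windows 2000 SP3 (or earlier) and Windows XP do not define this right.
    Write-Host 'SeCreateGlobalPrivilege is not defined on this OS; no change made.'
    return
}

$current = ($lines[$index] -split '=', 2)[1].Trim()
if (($current -split ',') -contains $Account) {
    Write-Host "$Account already holds the Create Global Objects right."
    return
}

# Existing holders appear as *SID entries; a DOMAIN\name entry may be appended as-is.
$lines[$index] = "SeCreateGlobalPrivilege = $current,$Account"
Set-Content -Path $inf -Value $lines -Encoding Unicode   # secedit expects Unicode

# Apply only the USER_RIGHTS area so no other local security setting is touched.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
Write-Host "Granted Create Global Objects to $Account."
```

The right takes effect at the user's next logon to that server; re-exporting with `secedit /export /cfg <file> /areas USER_RIGHTS` confirms the new entry.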

What permissions do I need to be able to move a mailbox from Exchange Server 5.5 to Exchange 2000 Server or Exchange Server 2003 in the same site or administrative group?

When you use Active Directory Users and Computers, the mailbox is transferred between the two servers, and then the current credentials are used to update the Home-MTA and Home-MDB attributes on the user and mailbox object.

You need the following permissions:

  • Exchange Server 5.5

    • Admin on the Site naming context

    • Admin on the Configuration naming context

  • Active Directory

    • Either a member of the Domain Admins or the Account Operators group in the local domain, or the appropriate attribute-level permissions.

    • Exchange Administrator role on the administrative group where the target Exchange Server 2003 server exists

What permissions do I need to create a new administrative group?

To create a new administrative group, you need to be logged on to Active Directory as a user with the following permission:

  • Exchange Administrator role at the Exchange organization level

What permissions do I need to run the Active Directory Account Cleanup Wizard (ADclean.exe)?

The administrator who uses ADclean.exe needs the following permissions in Active Directory:

  • On the source object

    • Read and delete permissions in the organizational unit or container

  • On the target object

    • Write and modify permissions in the organizational unit or container

ADclean.exe modifies almost all of the attributes on the target object; therefore, it is recommended that the administrator who runs the tool be a member of the Domain Admins group of the target domain.

What permissions do I need to be able to create a new Mailbox/Public Folder Store and/or Storage Group?

You need to be logged on with the following permissions:

  • Exchange Administrator role on the administrative group where the Exchange server resides.

What permissions do I need to be able to look at the Status node in the Exchange System Manager and perform Message Tracking?

You need at least the Exchange View Only Administrator role on the administrative group(s) where tracking will take place. In large installations with many administrative groups, it is recommended to give message tracking staff the Exchange View Only Administrator role at the organization level, because a single message track may include servers from any administrative group.

Be aware that in Exchange 2000 Server, 'Everyone' has read permission on the message tracking log share on each Exchange server. If the administrator enables subject line logging, user data may be exposed to anyone who can reach the share. In Exchange Server 2003, the permissions on the message tracking log share are restricted to the local Administrators group by default. For an added layer of security, you should further restrict the message tracking log by creating a security group of authorized personnel and allowing only that security group read access to the logs.
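The following script is an added example, not part of the Microsoft page: it audits the NTFS ACL on a message tracking log folder for broad principals such as Everyone, then replaces them with local Administrators (full control) and a dedicated reader group (read-only), as the paragraph above recommends. The folder path and group name are constructed placeholders, and the share-level permission on the tracking log share is set separately.

```powershell
# Added example: audit and tighten the NTFS ACL on an Exchange 2003 tracking log folder.
# Both parameters are placeholders for your environment.
param(
    [string]$LogPath     = 'C:\Program Files\Exchsrvr\EXCH01.log',
    [string]$ReaderGroup = 'CONTOSO\MessageTracking-Readers'
)

# Principals that should never have read access to tracking logs.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-BroadAces([System.Security.AccessControl.FileSystemSecurity]$Acl) {
    $Acl.Access | Where-Object {
        ($broad -contains $_.IdentityReference.Value) -and ($_.AccessControlType -eq 'Allow')
    }
}

# Step 1: report what is currently exposed.
$acl = Get-Acl -Path $LogPath
foreach ($ace in (Get-BroadAces $acl)) {
    Write-Warning ("{0} has {1} on {2}" -f $ace.IdentityReference, $ace.FileSystemRights, $LogPath)
}

# Step 2: stop inheriting from the parent folder but keep copies of the inherited ACEs,
# then apply and re-read so every ACE is explicit and can be removed individually.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $LogPath -AclObject $acl
$acl = Get-Acl -Path $LogPath

# Step 3: drop the broad ACEs. SYSTEM and other service ACEs are left untouched so the
# Exchange services can still write the logs.
foreach ($ace in (Get-BroadAces $acl)) { [void]$acl.RemoveAccessRule($ace) }

# Step 4: Administrators keep full control; the reader group gets read-only access
# that propagates to the log files and any subfolders.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReaderGroup, 'ReadAndExecute', $inherit, 'None', 'Allow')))

Set-Acl -Path $LogPath -AclObject $acl
Write-Host "Tracking log ACL on $LogPath now limited to Administrators and $ReaderGroup."
```

Running the script a second time should report no broad principals, which makes it usable as a periodic check as well as a one-time fix.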

If a user wants to perform message tracking on an Exchange server that is running Windows Server 2003, but the user does not have administrative permissions, you must grant the following WMI permissions to the account:

  • Execute Methods

  • Provider Write

  • Enable Account

  • Remote Enable

Note

You must apply these permissions to each Exchange server where you want to track a message.

For more information about how to grant WMI permissions to user accounts or groups that will perform message tracking, see How to Grant WMI Permissions for Message Tracking.

What permissions do I need to be able to configure routing groups and connectors?

When you configure routing groups and connectors, you are not directly affecting user account objects; therefore, you only need the following permission:

  • Exchange Administrator role on the administrative group where the new routing group or connector will exist.

    Note

    Routing group connectors are unidirectional. To create a bidirectional routing group connector to a routing group that is outside of the local administrative group, you also need to have Exchange Administrator permissions to the remote administrative group.

If you need to define the global message formats for specific outbound domains or need to specify global message thresholds, you need the following permission:

  • Exchange Administrator role on the Exchange organization

What permissions do I need to start and stop an Internet Protocol virtual server (for example, Simple Mail Transfer Protocol)?

You need one of the following permissions, depending on where you start or stop the service:

  • If you are starting or stopping the service from Exchange System Manager, you need the Exchange Administrator role on the administrative group where the virtual server exists.

  • For stand-alone Exchange Servers: If you are starting or stopping the service from the Services MMC snap-in, you need to be a member of the local Administrators group on the stand-alone Exchange server.

  • For Exchange Virtual Servers: If you are starting or stopping the service from the Cluster Administrator, you need to be a member of the local Administrators group (or have been delegated permissions to the cluster) on the Exchange Virtual Server.

What permissions do I need to view the Current Sessions on an SMTP virtual server?

To view the current SMTP sessions, you need the following permission:

  • Member of the local Administrators group on the Exchange server

What permissions do I need to be able to manipulate message queues?

To view the message queues in the Exchange System Manager, you need the following permissions:

  • Exchange View Only Administrator role on the administrative group where the virtual server exists

  • Exchange View Only Administrator role on the administrative group where the routing group for the virtual server exists.

To remove messages from queues, you need either of the following permissions:

  • Exchange Administrator role on the administrative group where the virtual server exists

  • Member of the local Administrators group on the Exchange server

What permissions do I need to create, manage, and delete content indices?

To manage content indices, you need the following permissions:

  • Member of the local Administrators group on the Exchange server

  • Exchange Administrator role on the administrative group where the server exists.

What permissions do I need to apply a system policy?

To apply system policies, you need the following permissions:

  • Exchange Administrator role on the administrative group where the system policy exists

  • Exchange Administrator role on the administrative group where the server or store exists