Changes in the Administration and Permissions Model

By Kweku Ako-Adjei

So, you're ready to upgrade your Microsoft Exchange Server organization from Exchange Server 2003 to Exchange Server 2007? Great. Before you get started, however, make sure that you have a solid planning strategy in place, which includes a clear understanding of the changes made to the administration and permissions model. With Exchange 2007, you now have flexibility in how you assign permissions to administrators. Several changes have also been made to improve the manual permissions configuration you must do to split Exchange permissions from other administrative permissions.

To help you with these changes, this article guides you through the recommended steps, including links to the appropriate documents that provide detailed information about the new administration and permissions model.

Getting Ready for the Changes

Because working with Exchange-related Active Directory directory service permissions can be a complex task, it is important that you first understand the changes that have been implemented in Exchange 2007. Therefore, to help you develop a strong planning strategy, check out the following topics:

• Preparing to Deploy Exchange 2007

• How to Prepare Active Directory and Domains

• Planning for Access to Active Directory

• Preparing Legacy Exchange Permissions

Why We Made the Changes

When Active Directory was introduced in Exchange 2000 Server, we found that many organizations used separate administrators for Exchange and Active Directory. This, of course, meant that there was a need to delegate administrative functions. In these scenarios, operations were decentralized so that separate teams managed aspects of Exchange and Microsoft Windows (Active Directory).

Therefore, in response to feedback from Exchange 2000 customers, we made several changes to the process of managing permissions in Exchange 2003. Specifically, Exchange 2003 provided predefined security roles. These roles were a collection of standardized permissions that could be applied at either the organization level or the administrative group level. But we found that this model presented some of the following limitations:

• A lack of specificity. The Exchange Administrator group was too large, and some customers wanted to manage their security and permissions model at the individual server level.

• A perception that the Exchange 2003 security roles only differed in subtle ways.

• No clear separation between administration of users and groups by the Windows (Active Directory) administrators and Exchange recipient administrators. For example, to perform Exchange recipient-related tasks, you had to grant Exchange administrators high-level permissions (Account Operator permissions on Windows domains).

New Administration Model

To address these limitations, we made some changes that will improve the management of your Exchange administrator roles. Exchange 2007 includes the following new or improved features to the Exchange administration and permissions model:

• New administrator roles were created similar to the built-in Windows Server security groups. For more information about these administrator roles, see "Administrator Roles in Exchange 2007" in Permission Considerations.

• You can use the Exchange Management Console (formerly called Exchange System Manager) and the Exchange Management Shell to view, add, and remove members from any administrator role.

• No access control list (ACL) setting is required when modifying any administrator role membership. These administrator roles will be statically added to the appropriate object ACLs during setup.

For detailed information about the differences between the Exchange 2007 and Exchange 2003 permissions models, the new administrator roles, and how to configure your Exchange 2007 permissions, see the following topics:

• Permission Considerations

• Configuring Permissions

New Administrative Tools

To grant permissions in Exchange 2003, you used the Delegation Wizard in Exchange System Manager. To provide you with more options, Exchange 2007 includes two interfaces in which you can configure and administer your permissions model:

• Exchange Management Console

• Exchange Management Shell

Exchange Management Console

There are a couple of ways you can use the Exchange Management Console to configure and administer permissions. To grant permissions, you use the Add Exchange Administrator wizard. Also, you can use the console itself to view and modify administrator roles and membership, and to view and modify permissions for users and groups.

For detailed information about these tasks, see the following topics:

• Using the Exchange Management Console

• New User's Guide to the Exchange Management Console

• How to Remove a User or Group from an Administrator Role

• How to Add a User or Group to an Administrator Role

• How to View the Administrator Roles for Users and Groups

• How to Modify Permissions for Users and Groups

Exchange Management Shell

You can also now use the Exchange Management Shell to configure and administer permissions. New in Exchange 2007, the Exchange Management Shell is a powerful management interface, built on Microsoft Windows PowerShell technology. You can use the Exchange Management Shell to perform every task available in the Exchange Management Console, as well as other tasks.

For detailed information about the Exchange Management Shell and how to use it to configure and administer permissions, see the following topics:

• Using the Exchange Management Shell

• A Primer on the Exchange Management Shell

• Add-ADPermission

• Get-ADPermission

• Remove-ADPermission

For More Information

To learn more about Exchange 2007 permissions delegation and property sets, check out the following Exchange Team blogs:

• Recipient Permission Delegation in Exchange Server 2007

• Property Sets in Exchange Server 2007

Kweku Ako-Adjei - Technical Writer, Microsoft Exchange Server