Because working with Exchange-related Active Directory directory service permissions can be a complex task, it is important that you first understand the changes that have been implemented in Exchange 2007. Therefore, to help you develop a strong planning strategy, check out the following topics:

• Preparing to Deploy Exchange 2007
  
• How to Prepare Active Directory and Domains
  
• Planning for Access to Active Directory
  
• Preparing Legacy Exchange Permissions
  

When Active Directory was introduced in Exchange 2000 Server, we found that many organizations used separate administrators for Exchange and Active Directory. This, of course, meant that there was a need to delegate administrative functions. In these scenarios, operations were decentralized so that separate teams managed aspects of Exchange and Microsoft Windows (Active Directory).

Therefore, in response to feedback from Exchange 2000 customers, we made several changes to the process of managing permissions in Exchange 2003. Specifically, Exchange 2003 provided predefined security roles. These roles were a collection of standardized permissions that could be applied at either the organization level or the administrative group level. But we found that this model presented some of the following limitations:

• A lack of specificity. The Exchange Administrator group was too large, and some customers wanted to manage their security and permissions model at the individual server level.
  
• A perception that the Exchange 2003 security roles only differed in subtle ways.
  
• No clear separation between administration of users and groups by the Windows (Active Directory) administrators and Exchange recipient administrators. For example, to perform Exchange recipient-related tasks, you had to grant Exchange administrators high-level permissions (Account Operator permissions on Windows domains).
  

To address these limitations, we made some changes that will improve the management of your Exchange administrator roles. Exchange 2007 includes the following new or improved features to the Exchange administration and permissions model:

• New administrator roles were created similar to the built-in Windows Server security groups. For more information about these administrator roles, see "Administrator Roles in Exchange 2007" in Permission Considerations.
  
• You can use the Exchange Management Console (formerly called Exchange System Manager) and the Exchange Management Shell to view, add, and remove members from any administrator role.
  
• No access control list (ACL) setting is required when modifying any administrator role membership. These administrator roles will be statically added to the appropriate object ACLs during setup.
  

For detailed information about the differences between the Exchange 2007 and Exchange 2003 permissions models, the new administrator roles, and how to configure your Exchange 2007 permissions, see the following topics:

• Permission Considerations
  
• Configuring Permissions
  

To grant permissions in Exchange 2003, you used the Delegation Wizard in Exchange System Manager. To provide you with more options, Exchange 2007 includes two interfaces in which you can configure and administer your permissions model:

• Exchange Management Console
  
• Exchange Management Shell
  

Exchange Management Console

Exchange Management Shell

To learn more about Exchange 2007 permissions delegation and property sets, check out the following Exchange Team blogs:

• Recipient Permission Delegation in Exchange Server 2007
  
• Property Sets in Exchange Server 2007
  

Note:
The content of each blog and its URL are subject to change without notice.