Export (0) Print
Expand All

Implementing Directory Security and Microsoft Exchange 2000 Server Policies

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Updated : May 31, 2002

from Chapter 6, Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek.

In this chapter, you'll learn how to implement directory security and Microsoft Exchange 2000 Server policies. In Active Directory directory service, you manage security by using permissions. Users, contacts, and groups all have permissions assigned to them. These permissions control the resources that users, contacts, and groups have access to. They also control the actions that users, contacts, and groups can perform.

Exchange policies are useful administration tools as well. With policies, you can specify management rules for Exchange systems and Exchange recipients. System policies help you manage servers and information stores. Recipient policies help you manage e-mail addressing.

On This Page

Controlling Exchange Server Administration and Usage

Controlling Exchange Server Administration and Usage

Users, contacts, and groups are represented in Active Directory as objects. These objects have many attributes that determine how the objects are used. The most important attributes are the permissions assigned to the object. Permissions grant or deny access to objects and resources. For example, you can grant a user the right to create public folders but deny that same user the right to view the status of the information store.

Permissions assigned to an object can be applied directly to the object, or they can be inherited from another object. Generally, objects inherit permissions from parent objects. A parent object is an object that is above an object in the object hierarchy. In Exchange 2000 Server, permissions are inherited through the organizational hierarchy. The root of the hierarchy is the Organization node. All other nodes in the tree inherit the Exchange permissions of this node. For example, the permissions on an administrative group folder are inherited from the Organization node.

You can override inheritance. One way to do this is to assign permissions directly to the object. Another way is to specify that the object shouldn't inherit permissions.

Assigning Exchange Server Permissions to Users and Groups

Several security groups have access to and can work with Exchange Server. These groups are Domain Admins, Enterprise Admins, Exchange Domain Servers, Exchange Enterprise Servers, and Everyone.

Domain Admins

Domain Admins are the designated administrators of a domain. Members of this global group can manage user accounts, contacts, groups, mailboxes, and computers. They can also manage messaging features, delivery restrictions, and storage limits. Nevertheless, they are subject to some restrictions in Exchange Server, and they don't have full control over Exchange Server. If a user needs to be an administrator of a local domain and manage Exchange Server, all you need to do is make the user a member of the Domain Admins group. By default, this group is a member of the Administrators group on the Exchange server and its only member is the local user, Administrator.

Enterprise Admins

Enterprise Admins are the designated administrators of the enterprise. Members of this global group can manage objects in any domain in the domain tree or forest. They have full control over Exchange Server and aren't subject to any restrictions. This means that unlike Domain Admins, Enterprise Admins can delete child objects and entire trees in Exchange Server. If a user needs full access to the enterprise and to Exchange Server, make the user a member of the Enterprise Admins group. By default, this group is a member of the Administrators group and its only member is the local user, Administrator.

Exchange Domain Servers

The Exchange Domain Servers group also has a special purpose. Members of this group can manage mail interchange and queues. By default, all computers running Exchange 2000 Server are members of this group, and you shouldn't change this setup. This domain global group is in turn a member of the domain local group Exchange Enterprise Servers.

Exchange Enterprise Servers

Exchange Enterprise Servers is a domain local group that you can use to grant special permissions to all Exchange servers throughout the domain forest. By default, the group has Exchange Domain Servers as its only member.

Everyone

The final group that has Exchange permissions is Everyone. Everyone is a special group whose members are implicitly assigned. Its members include all interactive, network, dial-up, and authenticated users. By default, members of this group can create top-level public folders, sub-folders within public folders, and named properties in the information store.

Understanding Exchange Server Permissions

Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows 2000 permissions, object-specific permissions, and extended permissions.

Table 6-1 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Property and Write Property, Property is a placeholder for the actual property name.

Table 6-1. Common Permissions for Active Directory Objects

Permission

Description

Full Control

Permits reading, writing, modifying, and deleting

List Contents

Permits viewing object contents

Read Property

Permits reading a particular property of an object

Write Property

Permits writing to a particular property of an object

Read All Properties

Permits reading all object properties

Write All Properties

Permits writing all object properties

Delete

Permits deletion of object

Delete Subtree

Permits deletion of object and child objects

Modify Owner

Permits modifying the ownership of the object

Validate Write To …

Permits a particular type of validated write

Extended Write To …

Permits a particular type of extended write

All Validated Writes

Permits all types of validated writes

All Extended Writes

Permits all extended writes

Create Object

Permits creation of a specific object type

Delete Object

Permits deletion of a specific object type

Create All Child Objects

Permits creation of all child objects

Delete All Child Objects

Permits deletion of all child objects

Change Password

Permits changing passwords for the object

Receive As

Permits receive as the object

Reset Password

Permits resetting passwords for the object

Send As

Permits send as the object

Add/Remove Self As Member

Permits adding and removing object as a member

Table 6-2 summarizes Exchange-specific permissions. You use these extended permissions to control Exchange administration and usage. If you want to learn more about other types of permissions, I recommend that you read Chapter 13 of Microsoft Windows 2000 Administrator's Pocket Consultant (Microsoft Press, 2000).

Table 6-2. Extended Permissions for Exchange Server

Permission

Description

Add PF To Admin Group

Permits adding a public folder to an administrative group.

Administer Information Store

Permits administration of the Information Store.

Create Named Properties In The Information Store

Permits creation of named properties in the Information Store.

Create Public Folder

Permits creation of a public folder under a top-level folder.

Create Top-Level Public Folder

Permits creation of a top-level public folder.

Full Store Access

Permits full access to the Information Store.

Mail-Enable Public Folder

Permits mail-enabling a public folder.

Modify Public Folder ACL

Permits modification of the access control list on a public folder.

Modify Public Folder Admin ACL

Permits modification of the admin access control list on a public folder.

Modify Public Folder Deleted Item Retention

Permits modification of the deleted item retention period.

Modify Public Folder Expiry

Permits modification of a public folder's expiration date.

Modify Public Folder Quotas

Permits modification of a quota on a public folder.

Modify Public Folder Replica List

Permits modification of the replication list for a public folder.

Open Mail Send Queue

Permits opening the Mail Send queue and message queuing. The Exchange Servers group must have this permission.

Remove PF From Admin Group

Permits removal of a public folder.

View Information Store Status

Permits viewing the status of the Information Store.

Viewing Exchange Server Permissions

You can view security permissions for Exchange Server by completing the following steps:

  1. Start System Manager, and then right-click the root or leaf level node you want to work with. Permissions are inherited from the Organization node by default. You can change this behavior.

  2. From the pop-up menu, select Properties, and then in the Properties dialog box, click the Security tab, as shown in Figure 6-1.

    Cc722470.exch0601(en-us,TechNet.10).gif

    Figure 6-1: . Use the Security tab to configure object permissions.

    Note: If the Properties option isn't available, you're trying to work with a nonroot or nonleaf node, such as the Recipients, Administrative Groups, or Servers nodes. Expand the node by clicking the plus sign (+), and then select a lower-level node. Note also that for some nodes you view and assign permissions through the Exchange Administration Delegation Wizard. For details see the section of this chapter entitled "Delegating Exchange Server Permissions."

  3. In the Name list box, select the object whose permissions you want to view. The permissions for the object are then displayed in the Permissions list box. If the permissions are shaded, it means the permissions are inherited from a parent object.

Setting Exchange Server Permissions

You can control the administration and usage of Exchange Server in several ways:

  • Globally for an entire organization Set the permissions at the Organization level. Through inheritance, these permissions are then applied to all objects in the Exchange organization.

  • For each server Set the permissions individually for each server in the Exchange organization. Through inheritance, these permissions are then applied to all child nodes on the applicable server.

  • For each storage group Set the permissions at the storage group level. Through inheritance, these permissions are then applied to all mailbox and public folder stores within the storage group.

  • For an individual node Set the permissions on an individual node and disallow auditing inheritance for child nodes.

To set permissions for Exchange Server, follow these steps:

  1. Start System Manager, and then right-click the root or leaf level node you want to work with.

  2. From the pop-up menu, select Properties, and then click the Security tab in the Properties dialog box, as shown previously in Figure 6-1.

  3. Users or groups that already have access to the Exchange node are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change, and then using the Permissions list box to grant or deny access permissions.

    Note: Inherited permissions are shown in gray. Override inherited permissions by selecting the opposite permission.

    Cc722470.exch0602(en-us,TechNet.10).gif

    Figure 6-2: . Use the Select Users, Computers, Or Groups dialog box to select users, computers, or groups that should be granted or denied access.

    Use the Select Users, Computers, Or Groups dialog box to select the users, computers, or groups for which you want to set access permissions. You can use the fields of this dialog box as follows:

    • Look In To access account names from other domains, click the Look In list box. You should now see a list that shows the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the folder.

    • Name The Name column shows the available accounts of the currently selected domain or resource.

    • Add Add selected names to the selection list.

    • Check Names Validate the user and group names entered into the selection list. This is useful if you type names in manually and want to make sure they're available.

  4. In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.

  5. Click OK when you're finished.

Overriding and Restoring Object Inheritance

To override or stop inheriting permissions from a parent object, follow these steps:

  1. Start System Manager, and then right-click the root or leaf level node you want to work with.

  2. From the pop-up menu, select Properties, and then click the Security tab in the Properties dialog box.

  3. Select or clear Allow Inheritable Permissions From Parent To Propagate To This Object.

Delegating Exchange Server Permissions

At times, you may need to delegate control of Exchange Server without making a user a member of the Domain Admins or Enterprise Admins groups. For example, you may want a technical manager to be able to manage Exchange mailboxes, or you may want your boss to be able to view Exchange settings but not be able to modify settings. The tool you use to delegate control of Exchange Server is the Exchange Administration Delegation Wizard.

Working With the Exchange Administration Delegation Wizard

You use the Exchange Administration Delegation Wizard to delegate administrative permissions at the organization level or the administrative group level. The level of permissions you set is determined by where you start the wizard. If you start the wizard from the organization level, the groups or users that you specify will have administrative permissions throughout the organization. If you start the wizard from the administrative group level, the groups or users that you specify will have administrative permissions for that specific administrative group.

To simplify administration, you should always assign permissions to a group, rather than assigning permissions to individual users. In this way, you grant permissions to additional users simply by making them members of the appropriate group, and you revoke permissions by removing the users from the group.

The Exchange Administration Delegation Wizard lets you assign any of the following administrative permissions to users and groups:

  • Exchange Full Administrator Allows users or groups to fully administer Exchange system information and modify permissions. Grant this role to users who need to configure and control access to Exchange Server.

  • Exchange Administrator Allows users or groups to fully administer Exchange system information but not to control access or modify persmissions. Grant this role to users or groups who are responsible for the day-to-day administration of Exchange server.

  • Exchange View Only Administrator Allows users or groups to view Exchange configuration information. Grant this role to users or groups that need to view Exchange configuration settings but are not authorized to make changes.

    Note: The Exchange Administration Delegation Wizard controls access to Exchange 2000 Server. It doesn't give a user administrative access to the local machine. If Exchange administrators need to manage services or access the registry or file system on the server itself, you will need to make them local machine administrators for each Exchange Server they need to manage.

When setting permissions at the organization level, users and groups you delegate control to have the permissions shown in Table 6-3.

Table 6-3. Delegating Permissions at the Organization Level

Permission Type

Object

Permissions Granted

Do Permissions Apply to Subcontainers?

Full Administrator

Organization

All except Send As and Receive As permissions

Yes

Full Administrator

Exchange Container

Full Control

Yes

Administrator

Organization

All except Send As and Receive As permissions

Yes

Administrator

Exchange Container

All except Change permissions

Yes

View Only Administrator

Organization

View Information Store Status

Yes

View Only Administrator

Exchange Container

Read, List Object, List Contents

Yes

When setting permissions at the administrative group level, users and groups you delegate control to have the permissions shown in Table 6-4.

Table 6-4. Delegating Permissions at the Administrative Group Level

PermissionType

Object

Permissions Granted

Do Permissions Apply to Subcontainers?

Full Administrator

Organization

Read, List Object, List Contents

Yes

Full Administrator

Administrative group

All except Send As and Receive As

Yes

Full Administrator

Exchange container

Read, List Object, List Contents

No

Full Administrator

Connectors

All except Change permissions

Yes

Full Administrator

Offline Address Lists

Write

Yes

Administrator

Organization

Read, List Object, List Contents

Yes

Administrator

Administrative group

All permissions except Change, Send As, and Receive As

Yes

Administrator

Exchange container

Read, List Object, List Contents

No

Administrator

Offline Address Lists

Write

Yes

View Only Administrator

Organization

Read, List Object, List Contents

No

View Only Administrator

Administrative group

Read, List Object, List Contents, View Information Store Status

Yes

View Only Administrator

Exchange containers

Read, List Object, List Content

Yes (Limited)

Using the Exchange Administration Delegation Wizard

You use the Exchange Administration Delegation Wizard to set permissions by completing the following steps:

  1. After starting System Manager, right-click the organization or administrative group for which you want to delegate administrative permissions, and then click Delegate Control. This starts the Exchange Administration Delegation Wizard.

  2. Click Next.

  3. In Users Or Groups, click Add to grant a new user or group administrative permissions. The Delegate Control dialog box is displayed.

  4. Click Browse. Select the group or user to which you want to grant administrative permissions, and then click OK.

    In the Delegate Control dialog box, use the Role selection menu to choose the administrative role. The options are

    • Exchange Full Administrator

    • Exchange Administrator

    • Exchange View Only Administrator

  5. Click OK. Repeat Steps 3-5 to delegate control to other users or groups.

  6. Click Next, and then click Finish to complete the procedure.

from Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.

Link
Click to order


Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft