Implementing Directory Security and Microsoft Exchange 2000 Server Policies
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Updated: May 31, 2002
from Chapter 6, Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek.
In this chapter, you'll learn how to implement directory security and Microsoft Exchange 2000 Server policies. In Active Directory directory service, you manage security by using permissions. Users, contacts, and groups all have permissions assigned to them. These permissions control the resources that users, contacts, and groups have access to. They also control the actions that users, contacts, and groups can perform.
Exchange policies are useful administration tools as well. With policies, you can specify management rules for Exchange systems and Exchange recipients. System policies help you manage servers and information stores. Recipient policies help you manage e-mail addressing.
Controlling Exchange Server Administration and Usage
Users, contacts, and groups are represented in Active Directory as objects. These objects have many attributes that determine how the objects are used. The most important attributes are the permissions assigned to the object. Permissions grant or deny access to objects and resources. For example, you can grant a user the right to create public folders but deny that same user the right to view the status of the information store.
Permissions assigned to an object can be applied directly to the object, or they can be inherited from another object. Generally, objects inherit permissions from parent objects. A parent object is an object that is above an object in the object hierarchy. In Exchange 2000 Server, permissions are inherited through the organizational hierarchy, which is stored in the Configuration naming context of Active Directory (under CN=Microsoft Exchange,CN=Services,CN=Configuration,...); the nodes you see in System Manager are the objects of that hierarchy. The root of the hierarchy is the Organization node. All other nodes in the tree inherit the Exchange permissions of this node. For example, the permissions on an administrative group folder are inherited from the Organization node.
You can override inheritance. One way to do this is to assign permissions directly to the object. Another way is to specify that the object shouldn't inherit permissions. Because Windows evaluates explicit entries before inherited ones, an explicit Deny on an object overrides an Allow it inherits from its parent, and an explicit Allow overrides an inherited Deny.
Assigning Exchange Server Permissions to Users and Groups
Several security groups have access to and can work with Exchange Server. These groups are Domain Admins, Enterprise Admins, Exchange Domain Servers, Exchange Enterprise Servers, and Everyone.
Domain Admins
Domain Admins are the designated administrators of a domain. Members of this global group can manage user accounts, contacts, groups, mailboxes, and computers. They can also manage messaging features, delivery restrictions, and storage limits. Nevertheless, they are subject to some restrictions in Exchange Server, and they don't have full control over Exchange Server. If a user needs to be an administrator of a local domain and manage Exchange Server, all you need to do is make the user a member of the Domain Admins group. Keep in mind that this also gives the user full control of the domain itself; if the user needs only Exchange rights, use the Exchange Administration Delegation Wizard described later in this chapter instead. By default, this group is a member of the Administrators group on the Exchange server, and its only member is the domain's built-in Administrator account.
Enterprise Admins
Enterprise Admins are the designated administrators of the enterprise. Members of this group (which exists only in the forest root domain) can manage objects in any domain in the domain tree or forest. They have full control over Exchange Server and aren't subject to any restrictions. This means that unlike Domain Admins, Enterprise Admins can delete child objects and entire trees in Exchange Server. If a user needs full access to the enterprise and to Exchange Server, make the user a member of the Enterprise Admins group; because this is the most powerful group in the forest, keep its membership as small as possible. By default, this group is a member of the Administrators group, and its only member is the forest root domain's built-in Administrator account.
Exchange Domain Servers
The Exchange Domain Servers group also has a special purpose. Members of this group can manage mail interchange and queues. By default, all computers running Exchange 2000 Server are members of this group, and you shouldn't change this setup. This domain global group is in turn a member of the domain local group Exchange Enterprise Servers.
Exchange Enterprise Servers
Exchange Enterprise Servers is a domain local group that you can use to grant special permissions to all Exchange servers throughout the domain forest. By default, the group has Exchange Domain Servers as its only member.
Everyone
The final group that has Exchange permissions is Everyone. Everyone is a special group whose members are implicitly assigned. Its members include all interactive, network, dial-up, and authenticated users. By default, members of this group can create top-level public folders, sub-folders within public folders, and named properties in the information store. Because this default lets any user create top-level public folders, organizations that want to control the public folder hierarchy commonly remove the Create Top-Level Public Folder permission from Everyone at the Organization level and grant it to a designated group instead, using the procedures described later in this chapter.
Understanding Exchange Server Permissions
Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows 2000 permissions, object-specific permissions, and extended permissions.
Table 6-1 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Property and Write Property, Property is a placeholder for the actual property name.
Table 6-1. Common Permissions for Active Directory Objects

| Permission | Description |
|---|---|
| Full Control | Permits reading, writing, modifying, and deleting |
| List Contents | Permits viewing object contents |
| Read Property | Permits reading a particular property of an object |
| Write Property | Permits writing to a particular property of an object |
| Read All Properties | Permits reading all object properties |
| Write All Properties | Permits writing all object properties |
| Delete | Permits deletion of the object |
| Delete Subtree | Permits deletion of the object and its child objects |
| Modify Owner | Permits modifying the ownership of the object |
| Validate Write To … | Permits a particular type of validated write |
| Extended Write To … | Permits a particular type of extended write |
| All Validated Writes | Permits all types of validated writes |
| All Extended Writes | Permits all extended writes |
| Create Object | Permits creation of a specific object type |
| Delete Object | Permits deletion of a specific object type |
| Create All Child Objects | Permits creation of all child objects |
| Delete All Child Objects | Permits deletion of all child objects |
| Change Password | Permits changing the object's password when the current password is supplied |
| Receive As | Permits opening the object's mailbox and reading its contents as the object |
| Reset Password | Permits resetting the object's password without knowing the current one |
| Send As | Permits sending mail as the object, so that messages appear to come from it |
| Add/Remove Self As Member | Permits a user to add or remove their own account as a member of the object |
Table 6-2 summarizes Exchange-specific permissions. You use these extended permissions to control Exchange administration and usage. If you want to learn more about other types of permissions, I recommend that you read Chapter 13 of Microsoft Windows 2000 Administrator's Pocket Consultant (Microsoft Press, 2000).
Table 6-2. Extended Permissions for Exchange Server

| Permission | Description |
|---|---|
| Add PF To Admin Group | Permits adding a public folder to an administrative group. |
| Administer Information Store | Permits administration of the Information Store. |
| Create Named Properties In The Information Store | Permits creation of named properties in the Information Store. |
| Create Public Folder | Permits creation of a public folder under a top-level folder. |
| Create Top-Level Public Folder | Permits creation of a top-level public folder. |
| Full Store Access | Permits full access to the Information Store, including the contents of every mailbox it holds. |
| Mail-Enable Public Folder | Permits mail-enabling a public folder. |
| Modify Public Folder ACL | Permits modification of the access control list on a public folder. |
| Modify Public Folder Admin ACL | Permits modification of the admin access control list on a public folder. |
| Modify Public Folder Deleted Item Retention | Permits modification of the deleted item retention period. |
| Modify Public Folder Expiry | Permits modification of a public folder's expiration date. |
| Modify Public Folder Quotas | Permits modification of a quota on a public folder. |
| Modify Public Folder Replica List | Permits modification of the replication list for a public folder. |
| Open Mail Send Queue | Permits opening the Mail Send queue and message queuing. The Exchange server groups (Exchange Domain Servers, through its membership in Exchange Enterprise Servers) must retain this permission, or mail flow between servers breaks. |
| Remove PF From Admin Group | Permits removal of a public folder from an administrative group. |
| View Information Store Status | Permits viewing the status of the Information Store. |
Viewing Exchange Server Permissions
You can view security permissions for Exchange Server by completing the following steps:
Start System Manager, and then right-click the root or leaf level node you want to work with. Permissions are inherited from the Organization node by default. You can change this behavior.
From the pop-up menu, select Properties, and then in the Properties dialog box, click the Security tab, as shown in Figure 6-1.
Figure 6-1. Use the Security tab to configure object permissions.
Note: If the Properties option isn't available, you're trying to work with a nonroot or nonleaf node, such as the Recipients, Administrative Groups, or Servers nodes. Expand the node by clicking the plus sign (+), and then select a lower-level node. Note also that for some nodes you view and assign permissions through the Exchange Administration Delegation Wizard. For details see the section of this chapter entitled "Delegating Exchange Server Permissions."
In the Name list box, select the object whose permissions you want to view. The permissions for the object are then displayed in the Permissions list box. If the permissions are shaded, it means the permissions are inherited from a parent object.
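The Security tab reads the discretionary ACL of the selected Active Directory object, so the same information can be pulled through ADSI when you need to audit many nodes or to report on who holds the sensitive rights from Table 6-2 (Send As, Receive As, Full Store Access) without clicking through every object. The script below is an added example, not code from the book: it lists every access control entry on an Exchange 2000 configuration object, resolves extended-right GUIDs to the names the Security tab shows, marks inherited entries (the shaded ones in the dialog), and flags entries a reviewer should look at. It assumes a domain-joined host with read access to the Configuration naming context; the organization name First Organization, the list of principals expected to hold broad rights, and the list of rights treated as sensitive are assumptions to adjust for your environment. It goes slightly beyond the procedure above in that any LDAP path below the organization (an administrative group, a server, a store) can be passed as -Path.

```powershell
# Added example (not from the book): list the ACL of an Exchange 2000
# configuration object through ADSI, as System Manager's Security tab does,
# and flag entries worth review. Requires a domain-joined host with read access
# to the Configuration naming context. Organization name, the "expected"
# principals and the "sensitive" rights are assumptions; adjust them.

function Get-ExchangeNodeAce {
    param(
        [string]$OrgName = 'First Organization',   # assumed; default Exchange 2000 name
        [string]$Path                               # optional LDAP path of any node below the org
    )

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    if (-not $Path) {
        $Path = "LDAP://CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNc"
    }

    # Map extended-right GUIDs (rightsGuid) to display names so that an ACE
    # reads "Send As" or "View Information Store Status" instead of a GUID.
    $rightNames = @{}
    $rightsContainer = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    foreach ($right in $rightsContainer.Children) {
        $guid = $right.Properties['rightsGuid'].Value
        if ($guid) {
            $rightNames[([string]$guid).ToLower()] = [string]$right.Properties['displayName'].Value
        }
    }

    # Principals that hold broad rights on every node by design (see the group list above).
    $expected  = @('Exchange Domain Servers', 'Exchange Enterprise Servers',
                   'Domain Admins', 'Enterprise Admins', 'SYSTEM')
    # Rights that let the holder read or impersonate mailboxes, or run the store.
    $sensitive = @('Send As', 'Receive As', 'Full Store Access', 'Administer Information Store')

    $node  = [ADSI]$Path
    $rules = $node.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        $objType = $rule.ObjectType.ToString().ToLower()
        if ($rule.ObjectType -eq [Guid]::Empty) {
            $rightName = $rule.ActiveDirectoryRights.ToString()          # generic rights, e.g. GenericAll
        } elseif ($rightNames.ContainsKey($objType)) {
            $rightName = $rightNames[$objType]                           # extended right, by name
        } else {
            $rightName = "$($rule.ActiveDirectoryRights) on $objType"    # property- or class-specific ACE
        }

        $account  = $rule.IdentityReference.Value.Split('\')[-1]
        $fullCtrl = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $flag = ($rule.AccessControlType -eq 'Allow') -and
                ($expected -notcontains $account) -and
                ($fullCtrl -or ($sensitive -contains $rightName))

        New-Object PSObject -Property @{
            Identity  = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType
            Right     = $rightName
            Inherited = $rule.IsInherited         # shaded on the Security tab
            AppliesTo = $rule.InheritanceType     # None = this object only
            Review    = $flag
        }
    }
}

# Usage: audit the organization node and list the flagged entries first.
Get-ExchangeNodeAce -OrgName 'First Organization' |
    Sort-Object Review -Descending |
    Format-Table Identity, Type, Right, Inherited, AppliesTo, Review -AutoSize
```

An Allow entry that is flagged and not inherited was set directly on that node, so it will not show up when you audit the Organization node alone; run the function against each server and storage group as well when you want a complete picture.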
Setting Exchange Server Permissions
You can control the administration and usage of Exchange Server in several ways:
Globally for an entire organization: Set the permissions at the Organization level. Through inheritance, these permissions are then applied to all objects in the Exchange organization.
For each server: Set the permissions individually for each server in the Exchange organization. Through inheritance, these permissions are then applied to all child nodes on the applicable server.
For each storage group: Set the permissions at the storage group level. Through inheritance, these permissions are then applied to all mailbox and public folder stores within the storage group.
For an individual node: Set the permissions on an individual node and stop that node from inheriting permissions from its parent, as described in "Overriding and Restoring Object Inheritance" later in this chapter.
To set permissions for Exchange Server, follow these steps:
Start System Manager, and then right-click the root or leaf level node you want to work with.
From the pop-up menu, select Properties, and then click the Security tab in the Properties dialog box, as shown previously in Figure 6-1.
Users or groups that already have access to the Exchange node are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change, and then using the Permissions list box to grant or deny access permissions.
Note: Inherited permissions are shown in gray and can't be cleared directly. Override an inherited permission by selecting the opposite permission; this adds an explicit entry on the object, and explicit entries take precedence over inherited ones.
Figure 6-2. Use the Select Users, Computers, Or Groups dialog box to select users, computers, or groups that should be granted or denied access.
To grant or deny access to a user, computer, or group that isn't listed, click Add. This opens the Select Users, Computers, Or Groups dialog box shown in Figure 6-2, which you use to select the users, computers, or groups for which you want to set access permissions. You can use the fields of this dialog box as follows:
Look In: To access account names from other domains, click the Look In list box. You should now see a list that shows the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the forest.
Name: The Name column shows the available accounts of the currently selected domain or resource.
Add: Adds the selected names to the selection list.
Check Names: Validates the user and group names entered into the selection list. This is useful if you type names in manually and want to make sure they're available.
In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.
Click OK when you're finished.
Overriding and Restoring Object Inheritance
To override or stop inheriting permissions from a parent object, follow these steps:
Start System Manager, and then right-click the root or leaf level node you want to work with.
From the pop-up menu, select Properties, and then click the Security tab in the Properties dialog box.
Select or clear Allow Inheritable Permissions From Parent To Propagate To This Object. Selecting it restores inheritance from the parent. When you clear it, Windows asks whether to Copy the permissions currently inherited onto the object as explicit entries or to Remove them. Choose Copy unless you intend to rebuild the permission list from scratch; choosing Remove can leave the node without the entries the Exchange server groups and administrators rely on. Click OK.
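The two procedures above (granting a permission on a node and then stopping that node from inheriting) map onto two calls on the object's ActiveDirectorySecurity: AddAccessRule and SetAccessRuleProtection, where the second argument of SetAccessRuleProtection is the Copy-or-Remove choice the dialog asks about. The following script is an added example, not code from the book, showing that sequence through ADSI for a single Exchange 2000 server object. The organization, administrative group and server names, the grantee group CONTOSO\Exchange Store Operators, and the right being granted are placeholders; the script looks the extended right up by the display name used in Table 6-2 rather than hard-coding its GUID, and writes nothing unless -Commit is given. Run it with an account that holds Exchange Full Administrator rights on the administrative group.

```powershell
# Added example (not from the book): grant an explicit ACE on an Exchange 2000
# server object, then block inheritance from its administrative group, the ADSI
# equivalent of the Security tab procedures above. All names are placeholders.
# Nothing is written unless -Commit is supplied.

function Set-ExchangeNodeAce {
    param(
        [string]$OrgName       = 'First Organization',            # assumed
        [string]$AdminGroup    = 'First Administrative Group',    # assumed
        [string]$Server        = 'EXCH01',                        # assumed
        [string]$Grantee       = 'CONTOSO\Exchange Store Operators',   # assumed group
        [string]$RightName     = 'View Information Store Status', # display name from Table 6-2
        [bool]$Deny            = $false,   # $true writes a Deny entry instead of Allow
        [bool]$KeepInherited   = $true,    # $true = "Copy" inherited entries, $false = "Remove" them
        [switch]$Commit
    )

    $configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $nodePath = "LDAP://CN=$Server,CN=Servers,CN=$AdminGroup,CN=Administrative Groups," +
                "CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNc"

    # Resolve the extended right's GUID from its display name; an ACE for an
    # extended right carries that GUID as its ObjectType.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$RightName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Extended right '$RightName' not found under CN=Extended-Rights" }
    $rightGuid = [Guid]$hit.Properties['rightsguid'][0]

    $type = if ($Deny) { [System.Security.AccessControl.AccessControlType]::Deny }
            else       { [System.Security.AccessControl.AccessControlType]::Allow }

    # Explicit entry for the grantee, applying to this object and everything below it.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($Grantee)),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $type,
        $rightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $node = [ADSI]$nodePath
    $acl  = $node.ObjectSecurity
    $acl.AddAccessRule($rule)

    # Clearing "Allow Inheritable Permissions From Parent To Propagate To This
    # Object" is SetAccessRuleProtection($true, ...); the second argument is the
    # Copy ($true) or Remove ($false) choice from the dialog.
    $acl.SetAccessRuleProtection($true, $KeepInherited)

    if ($Commit) {
        $node.CommitChanges()
        "Committed: $type '$RightName' for $Grantee on $Server; inheritance blocked (inherited entries kept: $KeepInherited)."
    } else {
        "Preview only (no -Commit): would write $type '$RightName' for $Grantee on $Server " +
        "and block inheritance (inherited entries kept: $KeepInherited)."
    }
}

# Usage: preview first, then run again with -Commit once the output looks right.
Set-ExchangeNodeAce -Server 'EXCH01' -Grantee 'CONTOSO\Exchange Store Operators'
```

Passing -KeepInherited $false reproduces the Remove choice and leaves only the entry you just added, so use it only when you intend to rebuild the node's permission list yourself; the default keeps the inherited entries as explicit ones, exactly as Copy does in the dialog.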
Delegating Exchange Server Permissions
At times, you may need to delegate control of Exchange Server without making a user a member of the Domain Admins or Enterprise Admins groups. For example, you may want a technical manager to be able to manage Exchange mailboxes, or you may want your boss to be able to view Exchange settings but not be able to modify settings. The tool you use to delegate control of Exchange Server is the Exchange Administration Delegation Wizard.
Working With the Exchange Administration Delegation Wizard
You use the Exchange Administration Delegation Wizard to delegate administrative permissions at the organization level or the administrative group level. The level of permissions you set is determined by where you start the wizard. If you start the wizard from the organization level, the groups or users that you specify will have administrative permissions throughout the organization. If you start the wizard from the administrative group level, the groups or users that you specify will have administrative permissions for that specific administrative group.
To simplify administration, you should always assign permissions to a group, rather than assigning permissions to individual users. In this way, you grant permissions to additional users simply by making them members of the appropriate group, and you revoke permissions by removing the users from the group.
The Exchange Administration Delegation Wizard lets you assign any of the following administrative permissions to users and groups:
Exchange Full Administrator: Allows users or groups to fully administer Exchange system information and modify permissions. Grant this role to users who need to configure and control access to Exchange Server.
Exchange Administrator: Allows users or groups to fully administer Exchange system information but not to control access or modify permissions. Grant this role to users or groups who are responsible for the day-to-day administration of Exchange Server.
Exchange View Only Administrator: Allows users or groups to view Exchange configuration information. Grant this role to users or groups that need to view Exchange configuration settings but are not authorized to make changes.
Note: The Exchange Administration Delegation Wizard controls access to Exchange 2000 Server. It doesn't give a user administrative access to the local machine. If Exchange administrators need to manage services or access the registry or file system on the server itself, you will need to make them local machine administrators for each Exchange Server they need to manage.
When setting permissions at the organization level, users and groups you delegate control to have the permissions shown in Table 6-3. In these tables, "Exchange container" refers to the CN=Microsoft Exchange,CN=Services container in the Configuration naming context, the parent of the Organization node.
Table 6-3. Delegating Permissions at the Organization Level

| Permission Type | Object | Permissions Granted | Do Permissions Apply to Subcontainers? |
|---|---|---|---|
| Full Administrator | Organization | All except Send As and Receive As permissions | Yes |
| Full Administrator | Exchange container | Full Control | Yes |
| Administrator | Organization | All except Send As and Receive As permissions | Yes |
| Administrator | Exchange container | All except Change permissions | Yes |
| View Only Administrator | Organization | View Information Store Status | Yes |
| View Only Administrator | Exchange container | Read, List Object, List Contents | Yes |
When setting permissions at the administrative group level, users and groups you delegate control to have the permissions shown in Table 6-4.
Table 6-4. Delegating Permissions at the Administrative Group Level

| Permission Type | Object | Permissions Granted | Do Permissions Apply to Subcontainers? |
|---|---|---|---|
| Full Administrator | Organization | Read, List Object, List Contents | Yes |
| Full Administrator | Administrative group | All except Send As and Receive As | Yes |
| Full Administrator | Exchange container | Read, List Object, List Contents | No |
| Full Administrator | Connectors | All except Change permissions | Yes |
| Full Administrator | Offline Address Lists | Write | Yes |
| Administrator | Organization | Read, List Object, List Contents | Yes |
| Administrator | Administrative group | All permissions except Change, Send As, and Receive As | Yes |
| Administrator | Exchange container | Read, List Object, List Contents | No |
| Administrator | Offline Address Lists | Write | Yes |
| View Only Administrator | Organization | Read, List Object, List Contents | No |
| View Only Administrator | Administrative group | Read, List Object, List Contents, View Information Store Status | Yes |
| View Only Administrator | Exchange containers | Read, List Object, List Contents | Yes (limited) |
Using the Exchange Administration Delegation Wizard
You use the Exchange Administration Delegation Wizard to set permissions by completing the following steps:
After starting System Manager, right-click the organization or administrative group for which you want to delegate administrative permissions, and then click Delegate Control. This starts the Exchange Administration Delegation Wizard.
Click Next.
In Users Or Groups, click Add to grant a new user or group administrative permissions. The Delegate Control dialog box is displayed.
Click Browse. Select the group or user to which you want to grant administrative permissions, and then click OK.
In the Delegate Control dialog box, use the Role selection menu to choose the administrative role. The options are
Exchange Full Administrator
Exchange Administrator
Exchange View Only Administrator
Click OK. Repeat Steps 3-5 to delegate control to other users or groups.
Click Next, and then click Finish to complete the procedure.
from Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.