Implementing Directory Security and Microsoft Exchange 2000 Server Policies

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated : May 31, 2002

from Chapter 6, Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek.

In this chapter, you'll learn how to implement directory security and Microsoft Exchange 2000 Server policies. In the Active Directory directory service, you manage security by using permissions. Users, contacts, and groups all have permissions assigned to them. These permissions control the resources that users, contacts, and groups can access, and the actions they can perform.

Exchange policies are useful administration tools as well. With policies, you can specify management rules for Exchange systems and Exchange recipients. System policies help you manage servers and information stores. Recipient policies help you manage e-mail addressing.

Controlling Exchange Server Administration and Usage

Users, contacts, and groups are represented in Active Directory as objects. These objects have many attributes that determine how the objects are used. The most important attributes are the permissions assigned to the object. Permissions grant or deny access to objects and resources. For example, you can grant a user the right to create public folders but deny that same user the right to view the status of the information store.

Permissions assigned to an object can be applied directly to the object, or they can be inherited from another object. Generally, objects inherit permissions from parent objects. A parent object is an object that is above an object in the object hierarchy. In Exchange 2000 Server, permissions are inherited through the organizational hierarchy. The root of the hierarchy is the Organization node. All other nodes in the tree inherit the Exchange permissions of this node. For example, the permissions on an administrative group folder are inherited from the Organization node.

You can override inheritance. One way to do this is to assign permissions directly to the object; because Windows evaluates an object's own entries before the entries it inherits, an explicit permission takes precedence over an inherited one for the same user or group. Another way is to specify that the object shouldn't inherit permissions at all.

Assigning Exchange Server Permissions to Users and Groups

Several security groups have access to and can work with Exchange Server. These groups are Domain Admins, Enterprise Admins, Exchange Domain Servers, Exchange Enterprise Servers, and Everyone.

Domain Admins

Domain Admins are the designated administrators of a domain. Members of this global group can manage user accounts, contacts, groups, mailboxes, and computers, as well as messaging features, delivery restrictions, and storage limits. They are subject to some restrictions in Exchange Server, however, and don't have full control over it. If a user needs to be an administrator of a domain and also manage Exchange Server, making the user a member of Domain Admins is sufficient. Keep in mind that this grants far more than Exchange rights; when Exchange administration is all that is needed, the Exchange Administration Delegation Wizard described later in this chapter is the narrower choice. By default, Domain Admins is a member of the local Administrators group on every computer in the domain, including the Exchange servers, and its only member is the domain's built-in Administrator account.

Enterprise Admins

Enterprise Admins are the designated administrators of the enterprise. Members of this group (a global group in a mixed-mode domain, a universal group in native mode) can manage objects in any domain in the domain tree or forest. They have full control over Exchange Server and aren't subject to any restrictions. This means that unlike Domain Admins, Enterprise Admins can delete child objects and entire trees in Exchange Server. If a user needs full access to the enterprise and to Exchange Server, make the user a member of the Enterprise Admins group. By default, this group is a member of the Administrators group in every domain of the forest, and its only member is the Administrator account of the forest root domain.

Exchange Domain Servers

The Exchange Domain Servers group also has a special purpose. Members of this group can manage mail interchange and queues. By default, all computers running Exchange 2000 Server are members of this group, and you shouldn't change this setup. This domain global group is in turn a member of the domain local group Exchange Enterprise Servers.

Exchange Enterprise Servers

Exchange Enterprise Servers is a domain local group that you can use to grant special permissions to all Exchange servers throughout the domain forest. By default, the group has Exchange Domain Servers as its only member.

Everyone

The final group that has Exchange permissions is Everyone. Everyone is a special group whose membership is implicit: it includes all interactive, network, dial-up, and authenticated users, and on Windows 2000 it also includes the Anonymous Logon identity. By default, members of this group can create top-level public folders, subfolders within public folders, and named properties in the information store. Because Everyone is the broadest identity on the system, review these default grants and move them to a narrower group if unauthenticated users should not be able to create folders or named properties.

Understanding Exchange Server Permissions

Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows 2000 permissions, object-specific permissions, and extended permissions.

Table 6-1 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Property and Write Property, Property is a placeholder for the actual property name.

Table 6-1. Common Permissions for Active Directory Objects

Permission                    Description
----------------------------  ------------------------------------------------------------------------
Full Control                  Permits reading, writing, modifying, and deleting
List Contents                 Permits viewing object contents
Read Property                 Permits reading a particular property of an object
Write Property                Permits writing to a particular property of an object
Read All Properties           Permits reading all object properties
Write All Properties          Permits writing all object properties
Delete                        Permits deletion of the object
Delete Subtree                Permits deletion of the object and its child objects
Modify Owner                  Permits modifying the ownership of the object
Validate Write To …           Permits a particular type of validated write
Extended Write To …           Permits a particular type of extended write
All Validated Writes          Permits all types of validated writes
All Extended Writes           Permits all extended writes
Create Object                 Permits creation of a specific object type
Delete Object                 Permits deletion of a specific object type
Create All Child Objects      Permits creation of all child objects
Delete All Child Objects      Permits deletion of all child objects
Change Password               Permits changing the object's password (the current password must be supplied)
Receive As                    Permits receiving mail as the object, that is, opening its mailbox
Reset Password                Permits resetting the object's password without knowing the current one
Send As                       Permits sending mail as the object
Add/Remove Self As Member     Permits adding and removing one's own account as a member of the object (a group)

Table 6-2 summarizes Exchange-specific permissions. You use these extended permissions to control Exchange administration and usage. If you want to learn more about other types of permissions, I recommend that you read Chapter 13 of Microsoft Windows 2000 Administrator's Pocket Consultant (Microsoft Press, 2000).

Table 6-2. Extended Permissions for Exchange Server

Permission                                          Description
--------------------------------------------------  --------------------------------------------------------------------------
Add PF To Admin Group                               Permits adding a public folder to an administrative group.
Administer Information Store                        Permits administration of the Information Store.
Create Named Properties In The Information Store    Permits creation of named properties in the Information Store.
Create Public Folder                                Permits creation of a public folder under a top-level folder.
Create Top-Level Public Folder                      Permits creation of a top-level public folder.
Full Store Access                                   Permits full access to the Information Store.
Mail-Enable Public Folder                           Permits mail-enabling a public folder.
Modify Public Folder ACL                            Permits modification of the access control list on a public folder.
Modify Public Folder Admin ACL                      Permits modification of the admin access control list on a public folder.
Modify Public Folder Deleted Item Retention         Permits modification of the deleted item retention period.
Modify Public Folder Expiry                         Permits modification of a public folder's expiration date.
Modify Public Folder Quotas                         Permits modification of a quota on a public folder.
Modify Public Folder Replica List                   Permits modification of the replication list for a public folder.
Open Mail Send Queue                                Permits opening the Mail Send queue and message queuing. The Exchange Domain Servers group must have this permission.
Remove PF From Admin Group                          Permits removing a public folder from an administrative group.
View Information Store Status                       Permits viewing the status of the Information Store.

Viewing Exchange Server Permissions

You can view security permissions for Exchange Server by completing the following steps:

  1. Start System Manager, and then right-click the root or leaf level node you want to work with. Permissions are inherited from the Organization node by default. You can change this behavior.

  2. From the pop-up menu, select Properties, and then in the Properties dialog box, click the Security tab, as shown in Figure 6-1.

    Figure 6-1. Use the Security tab to configure object permissions.

    Note: If the Properties option isn't available, you're trying to work with a nonroot or nonleaf node, such as the Recipients, Administrative Groups, or Servers nodes. Expand the node by clicking the plus sign (+), and then select a lower-level node. Note also that for some nodes you view and assign permissions through the Exchange Administration Delegation Wizard. For details see the section of this chapter entitled "Delegating Exchange Server Permissions."

  3. In the Name list box, select the object whose permissions you want to view. The permissions for the object are then displayed in the Permissions list box. If the permissions are shaded, it means the permissions are inherited from a parent object.
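The Security tab shows one object at a time. To review many nodes, a practitioner would export each object's security descriptor and check it in a script. The following Python is an added example, not code from the book or from Exchange: it parses the DACL of a security descriptor in SDDL text form and flags the grants this chapter draws attention to (Everyone holding more than read rights, Send As or Receive As on a configuration object, and accounts outside the administrator groups that can change permissions), and it reports whether the node has inheritance from its parent blocked. The SDDL string in it is constructed sample input; the account SIDs are invented, the rightsGuid granted to Everyone is a placeholder rather than a real Exchange right, and the Send-As and Receive-As GUIDs are the schema's well-known values, which you should confirm against the Extended-Rights container in your own forest. Obtaining the SDDL text from a live object (for example through the .NET ActiveDirectorySecurity.GetSecurityDescriptorSddlForm method on the object's nTSecurityDescriptor) is outside the example.

```python
"""Audit the DACL of an Exchange 2000 configuration object from its SDDL text.
Added example, not from the book. SAMPLE_SDDL is constructed input: the
account SIDs are invented and the rightsGuid granted to Everyone is a
placeholder, not a real Exchange extended right."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Two-letter SDDL access-right tokens that matter for directory objects
RIGHT_NAMES: Dict[str, str] = {
    "GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write", "GX": "Generic Execute",
    "RC": "Read Control", "SD": "Delete", "WD": "Modify Permissions", "WO": "Modify Owner",
    "RP": "Read Property", "WP": "Write Property", "CC": "Create Child", "DC": "Delete Child",
    "LC": "List Contents", "SW": "Validated Write", "LO": "List Object", "DT": "Delete Subtree",
    "CR": "Control Access (extended right)"}
# Mask bits used when SDDL writes the rights as a hex number instead of tokens
RIGHT_BITS = {0x1: "CC", 0x2: "DC", 0x4: "LC", 0x8: "SW", 0x10: "RP", 0x20: "WP", 0x40: "DT",
              0x80: "LO", 0x100: "CR", 0x10000: "SD", 0x20000: "RC", 0x40000: "WD",
              0x80000: "WO", 0x10000000: "GA", 0x20000000: "GX", 0x40000000: "GW", 0x80000000: "GR"}
# Well-known SID abbreviations SDDL uses instead of S-1-... strings
SID_NAMES = {"WD": "Everyone", "AN": "Anonymous Logon", "AU": "Authenticated Users",
             "DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Administrators",
             "SY": "Local System", "DU": "Domain Users", "CO": "Creator Owner", "PS": "Self"}
# rightsGuid values of the Send-As and Receive-As extended rights in the AD schema;
# confirm them against CN=Extended-Rights,CN=Configuration,... in your own forest
EXTENDED_RIGHTS = {"ab721a54-1e2f-11d0-9819-00aa0040529b": "Send As",
                   "ab721a56-1e2f-11d0-9819-00aa0040529b": "Receive As"}
ADMIN_GROUPS = {"DA", "EA", "BA", "SY"}      # expected to hold Full Control anyway
READ_ONLY = {"RP", "LC", "LO", "RC", "GR"}   # what a View Only role amounts to

@dataclass
class Ace:
    ace_type: str        # A/D = allow/deny; OA/OD = object-specific allow/deny
    flags: List[str]     # CI, OI, NP, IO, ID (ID = inherited from the parent)
    rights: List[str]
    object_guid: str     # extended right, property set or child class, or ""
    trustee: str         # SID abbreviation or S-1-... string

    @property
    def allow(self) -> bool:
        return self.ace_type in ("A", "OA")

    @property
    def inherited(self) -> bool:
        return "ID" in self.flags

def pairs(field: str) -> List[str]:
    """Split a run of two-letter SDDL tokens such as 'CIID' or 'RPWPCC'."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def parse_rights(field: str) -> List[str]:
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [tok for bit, tok in RIGHT_BITS.items() if mask & bit]
    return pairs(field)

def parse_dacl(sddl: str) -> Tuple[bool, List[Ace]]:
    """Return (inheritance_blocked, aces) for the D: section of an SDDL string."""
    m = re.search(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL (D:) section in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj, _inherit_obj, sid = parts
        aces.append(Ace(ace_type, pairs(flags), parse_rights(rights), obj.lower(), sid))
    return "P" in m.group("flags"), aces

def describe(ace: Ace) -> str:
    names = [RIGHT_NAMES.get(r, r) for r in ace.rights]
    if "CR" in ace.rights and ace.object_guid:
        names.append(EXTENDED_RIGHTS.get(ace.object_guid, f"rightsGuid {ace.object_guid}"))
    return ", ".join(names)

def audit(sddl: str) -> List[str]:
    """Findings for the grants this chapter singles out; Deny entries are skipped."""
    blocked, aces = parse_dacl(sddl)
    findings = ["Inheritance from the parent object is blocked on this node"] if blocked else []
    for ace in (a for a in aces if a.allow):
        who = SID_NAMES.get(ace.trustee, ace.trustee)
        src = "inherited" if ace.inherited else "explicit"
        if ace.object_guid in EXTENDED_RIGHTS:
            findings.append(f"{who} holds {EXTENDED_RIGHTS[ace.object_guid]} ({src}); "
                            "no delegated Exchange role includes Send As or Receive As")
        if ace.trustee in ("WD", "AN", "AU") and set(ace.rights) - READ_ONLY:
            findings.append(f"{who} is granted {describe(ace)} ({src}); review this default grant")
        if ace.trustee not in ADMIN_GROUPS and set(ace.rights) & {"WD", "WO", "GA"}:
            findings.append(f"{who} can change permissions ({describe(ace)}, {src}): "
                            "Full Administrator-level access")
    return findings

# Constructed sample of an exported nTSecurityDescriptor (see docstring)
SAMPLE_SDDL = ("O:EAG:EAD:AI"
               "(A;CI;RPLCLORC;;;AU)"                                    # read/list only
               "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-100-200-300-1110)"  # Send As
               "(OA;CIID;CR;00000000-0000-0000-0000-0000000000aa;;WD)"   # Everyone, placeholder right
               "(A;CIID;GA;;;EA)"                                        # Enterprise Admins
               "(A;CI;WDWO;;;S-1-5-21-100-200-300-1120)"                 # group that can edit the ACL
               "(D;;WP;;;S-1-5-21-100-200-300-1110)")                    # Deny, ignored by audit

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SDDL)))
```

Run against the sample it reports three findings: the Send As grant to a user, the inherited extended right held by Everyone, and the group that holds Modify Permissions and Modify Owner. Extend EXTENDED_RIGHTS with the rightsGuid values from your forest's Extended-Rights container to have the Exchange-specific rights in Table 6-2 named instead of reported by GUID.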

Setting Exchange Server Permissions

You can control the administration and usage of Exchange Server in several ways:

  • Globally for an entire organization Set the permissions at the Organization level. Through inheritance, these permissions are then applied to all objects in the Exchange organization.

  • For each server Set the permissions individually for each server in the Exchange organization. Through inheritance, these permissions are then applied to all child nodes on the applicable server.

  • For each storage group Set the permissions at the storage group level. Through inheritance, these permissions are then applied to all mailbox and public folder stores within the storage group.

  • For an individual node Set the permissions on that node only and, on its child nodes, block inheritance from the parent so the entries don't propagate.

To set permissions for Exchange Server, follow these steps:

  1. Start System Manager, and then right-click the root or leaf level node you want to work with.

  2. From the pop-up menu, select Properties, and then click the Security tab in the Properties dialog box, as shown previously in Figure 6-1.

  3. Users or groups that already have access to the Exchange node are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change, and then using the Permissions list box to grant or deny access permissions.

    Note: Inherited permissions are shown in gray. Override an inherited permission by explicitly selecting the opposite permission on the object. This works because Windows evaluates an object's own entries before the entries it inherits, so an explicit Deny overrides an inherited Allow and an explicit Allow overrides an inherited Deny.

    Figure 6-2. Use the Select Users, Computers, Or Groups dialog box to select users, computers, or groups that should be granted or denied access.

    To grant or deny access to a user, computer, or group that isn't listed, click Add. This opens the Select Users, Computers, Or Groups dialog box shown in Figure 6-2. You can use the fields of this dialog box as follows:

    • Look In To access account names from other domains, click the Look In list box. You should now see a list that shows the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the forest.

    • Name The Name column shows the available accounts of the currently selected domain or resource.

    • Add Add selected names to the selection list.

    • Check Names Validate the user and group names entered into the selection list. This is useful if you type names in manually and want to make sure they're available.

  4. In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.

  5. Click OK when you're finished.

Overriding and Restoring Object Inheritance

To override or stop inheriting permissions from a parent object, follow these steps:

  1. Start System Manager, and then right-click the root or leaf level node you want to work with.

  2. From the pop-up menu, select Properties, and then click the Security tab in the Properties dialog box.

  3. Select or clear Allow Inheritable Permissions From Parent To Propagate To This Object. When you clear it, Windows asks whether to Copy the previously inherited permissions onto the object as explicit entries or to Remove them. Choose Copy to keep the current access and then trim it; choose Remove to start from the object's own explicit entries only.

  4. Click OK.
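To make the inheritance rules concrete, here is an added Python model (not code from the book) of how entries on the Organization, an administrative group, and a server combine when Windows checks access: explicit entries are evaluated before inherited ones, Deny before Allow at each level, and clearing the inheritance check box drops the parent's entries entirely. The organization, servers, groups, and permissions in it are constructed for the illustration.

```python
"""Model of how Exchange 2000 permissions flow down the Organization ->
Administrative Group -> Server hierarchy and how an explicit entry on a node
overrides one inherited from its parent (the Windows ACE ordering rule).
Added illustration, not code from the book; the node names, principals and
permissions are constructed for the example."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class Ace:
    principal: str            # user or group the entry applies to
    permission: str           # e.g. "Create Top-Level Public Folder"
    allow: bool               # True = Allow, False = Deny
    inherited: bool = False   # True when propagated from a parent node


@dataclass
class ExchangeNode:
    name: str
    parent: Optional["ExchangeNode"] = None
    explicit: List[Ace] = field(default_factory=list)
    # The "Allow Inheritable Permissions From Parent To Propagate To This
    # Object" check box on the Security tab
    inherit_from_parent: bool = True

    def effective_acl(self) -> List[Ace]:
        """Entries in the order Windows evaluates them: explicit Deny, explicit
        Allow, then the parent's entries (recursively) marked as inherited."""
        # False sorts before True, so Deny entries come first; the sort is stable
        ordered = sorted(self.explicit, key=lambda a: a.allow)
        if self.inherit_from_parent and self.parent is not None:
            ordered += [Ace(a.principal, a.permission, a.allow, inherited=True)
                        for a in self.parent.effective_acl()]
        return ordered


def decide(node: ExchangeNode, principals: Iterable[str], permission: str) -> Optional[Ace]:
    """Return the first matching entry (the one that decides the outcome),
    or None when no entry mentions the caller's identities and the permission."""
    wanted = set(principals)
    for ace in node.effective_acl():
        if ace.permission == permission and ace.principal in wanted:
            return ace
    return None


def access_check(node: ExchangeNode, principals: Iterable[str], permission: str) -> bool:
    """True only when an Allow entry is reached before any Deny; with no
    matching entry at all, access is implicitly denied."""
    ace = decide(node, principals, permission)
    return ace is not None and ace.allow


def build_sample_org():
    """Constructed hierarchy: one organization, one administrative group, two servers."""
    org = ExchangeNode("First Organization")
    org.explicit += [
        # The default grant this chapter calls out: Everyone may create top-level folders
        Ace("Everyone", "Create Top-Level Public Folder", allow=True),
        Ace("Exchange Admins", "Administer Information Store", allow=True),
    ]
    group = ExchangeNode("First Administrative Group", parent=org)
    # Override on the child: "select the opposite permission" for Everyone
    group.explicit.append(Ace("Everyone", "Create Top-Level Public Folder", allow=False))
    mail01 = ExchangeNode("MAIL01", parent=group)
    # MAIL02 has inheritance cleared, so only its own explicit entries count
    mail02 = ExchangeNode("MAIL02", parent=group, inherit_from_parent=False)
    mail02.explicit.append(Ace("Exchange Admins", "Administer Information Store", allow=True))
    return org, group, mail01, mail02


if __name__ == "__main__":
    org, group, mail01, mail02 = build_sample_org()
    user = {"Everyone", "Authenticated Users"}
    for node in (org, group, mail01, mail02):
        verdict = decide(node, user, "Create Top-Level Public Folder")
        print(f"{node.name:28} Create Top-Level Public Folder -> "
              f"{'allowed' if verdict and verdict.allow else 'denied'}"
              f"{' (inherited entry)' if verdict and verdict.inherited else ''}")
```

The Deny added on the administrative group reaches MAIL01 as an inherited entry and wins there, because nothing explicit on MAIL01 mentions Everyone; adding an explicit Allow on MAIL01 would flip the result back, since explicit entries are evaluated first. MAIL02, with inheritance cleared, sees neither the Organization's Allow nor the group's Deny, so only the entries set directly on it apply.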

Delegating Exchange Server Permissions

At times, you may need to delegate control of Exchange Server without making a user a member of the Domain Admins or Enterprise Admins groups. For example, you may want a technical manager to be able to manage Exchange mailboxes, or you may want your boss to be able to view Exchange settings but not be able to modify settings. The tool you use to delegate control of Exchange Server is the Exchange Administration Delegation Wizard.

Working With the Exchange Administration Delegation Wizard

You use the Exchange Administration Delegation Wizard to delegate administrative permissions at the organization level or the administrative group level. The level of permissions you set is determined by where you start the wizard. If you start the wizard from the organization level, the groups or users that you specify will have administrative permissions throughout the organization. If you start the wizard from the administrative group level, the groups or users that you specify will have administrative permissions for that specific administrative group.

To simplify administration, you should always assign permissions to a group, rather than assigning permissions to individual users. In this way, you grant permissions to additional users simply by making them members of the appropriate group, and you revoke permissions by removing the users from the group.

The Exchange Administration Delegation Wizard lets you assign any of the following administrative permissions to users and groups:

  • Exchange Full Administrator Allows users or groups to fully administer Exchange system information and modify permissions. Grant this role to users who need to configure and control access to Exchange Server.

  • Exchange Administrator Allows users or groups to fully administer Exchange system information but not to control access or modify permissions. Grant this role to users or groups who are responsible for the day-to-day administration of Exchange Server.

  • Exchange View Only Administrator Allows users or groups to view Exchange configuration information. Grant this role to users or groups that need to view Exchange configuration settings but are not authorized to make changes.

    Note: The Exchange Administration Delegation Wizard controls access to Exchange 2000 Server. It doesn't give a user administrative access to the local machine. If Exchange administrators need to manage services or access the registry or file system on the server itself, you will need to make them local machine administrators for each Exchange Server they need to manage.

When setting permissions at the organization level, users and groups you delegate control to have the permissions shown in Table 6-3.

Table 6-3. Delegating Permissions at the Organization Level

Permission Type          Object              Permissions Granted                             Applies to Subcontainers?
-----------------------  ------------------  ----------------------------------------------  -------------------------
Full Administrator       Organization        All except Send As and Receive As permissions   Yes
Full Administrator       Exchange Container  Full Control                                    Yes
Administrator            Organization        All except Send As and Receive As permissions   Yes
Administrator            Exchange Container  All except Change permissions                   Yes
View Only Administrator  Organization        View Information Store Status                   Yes
View Only Administrator  Exchange Container  Read, List Object, List Contents                Yes

When setting permissions at the administrative group level, users and groups you delegate control to have the permissions shown in Table 6-4.

Table 6-4. Delegating Permissions at the Administrative Group Level

Permission Type          Object                 Permissions Granted                                              Applies to Subcontainers?
-----------------------  ---------------------  ---------------------------------------------------------------  -------------------------
Full Administrator       Organization           Read, List Object, List Contents                                 Yes
Full Administrator       Administrative group   All except Send As and Receive As                                Yes
Full Administrator       Exchange container     Read, List Object, List Contents                                 No
Full Administrator       Connectors             All except Change permissions                                    Yes
Full Administrator       Offline Address Lists  Write                                                            Yes
Administrator            Organization           Read, List Object, List Contents                                 Yes
Administrator            Administrative group   All permissions except Change, Send As, and Receive As           Yes
Administrator            Exchange container     Read, List Object, List Contents                                 No
Administrator            Offline Address Lists  Write                                                            Yes
View Only Administrator  Organization           Read, List Object, List Contents                                 No
View Only Administrator  Administrative group   Read, List Object, List Contents, View Information Store Status  Yes
View Only Administrator  Exchange containers    Read, List Object, List Contents                                 Yes (Limited)

Using the Exchange Administration Delegation Wizard

You use the Exchange Administration Delegation Wizard to set permissions by completing the following steps:

  1. After starting System Manager, right-click the organization or administrative group for which you want to delegate administrative permissions, and then click Delegate Control. This starts the Exchange Administration Delegation Wizard.

  2. Click Next.

  3. In Users Or Groups, click Add to grant a new user or group administrative permissions. The Delegate Control dialog box is displayed.

  4. Click Browse. Select the group or user to which you want to grant administrative permissions, and then click OK.

    In the Delegate Control dialog box, use the Role selection menu to choose the administrative role. The options are

    • Exchange Full Administrator

    • Exchange Administrator

    • Exchange View Only Administrator

  5. Click OK. Repeat Steps 3-5 to delegate control to other users or groups.

  6. Click Next, and then click Finish to complete the procedure.

from Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
