Setting Administrator Permissions for the Edge Transport Server Role

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic provides an overview of the permissions that a user must have to administer a computer that has the Microsoft Exchange Server 2007 Edge Transport server role installed.

Edge Transport Server Role Permissions

The Edge Transport server role is deployed in an organization's perimeter network, which is also known as the boundary network or screened subnet. The Edge Transport server can be deployed as a stand-alone server or as a member of a perimeter Active Directory domain.

When the Exchange 2007 Edge Transport server role is installed, no Exchange-specific groups are created. The Administrators local group is granted full control of the Edge Transport server. This includes the instance of Active Directory Application Mode (ADAM) on the Edge Transport server. When you log on by using an account that has Administrators local group membership, you can modify the server configuration, the status of queues and messages in transit, the security configuration of the server, and ADAM data.

Note

Exchange 2007 Service Pack 1 (SP1) supports deployment of server roles on a Windows Server 2008 computer. If the Edge Transport server is installed on Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 includes several features that have been enhanced or renamed. For information about the feature changes between Windows Server 2003 and Windows Server 2008, see Terminology Changes.

You perform remote administration of Edge Transport servers by using Microsoft Windows Terminal Services. The Administrators local group is automatically granted remote logon permissions. Other user accounts must have membership in the Remote Desktop Users local group to log on to the server by using a remote desktop connection. We recommend that you create a specific user account for each user who administers an Edge Transport server. You must add these user accounts to the Administrators local group to make sure that the correct access level is granted.

Permissions That Are Required to Administer the Edge Transport Server

Table 1 lists the common administrative tasks that are performed on the Edge Transport server and the group memberships that are required to complete each task successfully. You can use this information to delegate server administration.

Table 1   Administrative tasks and group membership requirements

| Task | Required group membership |
| --- | --- |
| Backup and restore | Backup Operators |
| Enable and disable agents | Administrators |
| Configure connectors | Administrators |
| Configure anti-spam policies | Administrators |
| Configure IP Block lists and IP Allow lists | Administrators |
| View queues and messages | Users |
| Manage queues and messages | Administrators |
| Create an Edge Subscription file | Administrators |
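The delegation in Table 1 depends on who actually belongs to each local group, so the membership is worth auditing on the server itself. The following PowerShell script is an added example, not part of the original Microsoft topic: it lists the members of the four local groups named on this page next to what each group grants. The function name Get-LocalGroupMemberPath and the summary strings are assumptions made for this example, and the script uses the WinNT ADSI provider so that it needs no cmdlets beyond the base shell.

```powershell
# Added example: audit local group membership on an Edge Transport server.
# Run locally from an account in the Administrators local group.

# Groups named on this page and what membership grants (summarized from the text and Table 1).
$groupRights = @{
    'Administrators'       = 'Full control: agents, connectors, anti-spam, IP lists, queues, Edge Subscription, ADAM data'
    'Backup Operators'     = 'Backup and restore'
    'Remote Desktop Users' = 'Remote logon through Terminal Services'
    'Users'                = 'View queues and messages'
}

# Hypothetical helper: returns the ADsPath of every member of a local group.
function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $g.psbase.Invoke('Members') | ForEach-Object {
        # Members are COM objects, so read the property through reflection.
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$computer = $env:COMPUTERNAME
$report = @()

foreach ($group in ($groupRights.Keys | Sort-Object)) {
    # @() keeps an empty group from producing a single $null iteration.
    foreach ($path in @(Get-LocalGroupMemberPath -Computer $computer -Group $group)) {
        # Local accounts look like WinNT://<domain-or-workgroup>/<computer>/<name>.
        if ($path -like "*/$computer/*") { $scope = 'Local account' }
        else { $scope = 'Domain or well-known principal' }

        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Group  -Value $group
        $row | Add-Member -MemberType NoteProperty -Name Member -Value ($path.Split('/')[-1])
        $row | Add-Member -MemberType NoteProperty -Name Scope  -Value $scope
        $row | Add-Member -MemberType NoteProperty -Name Grants -Value $groupRights[$group]
        $report += $row
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize -Wrap
```

Compare the Administrators rows with the list of per-user administrative accounts recommended earlier in this topic; any member outside that list holds full control of the server, including its ADAM data.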

For More Information

For more information, see Configuring Permissions.