Setting Administrator Permissions for the Edge Transport Server Role


Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007

Topic Last Modified: 2007-08-06

This topic provides an overview of the permissions that a user must have to administer a computer that has the Microsoft Exchange Server 2007 Edge Transport server role installed.

The Edge Transport server role is deployed in an organization's perimeter network, which is also known as the boundary network or screened subnet. The Edge Transport server can be deployed as a stand-alone server or as a member of a perimeter Active Directory domain.

When the Exchange 2007 Edge Transport server role is installed, no Exchange-specific groups are created. The Administrators local group is granted full control of the Edge Transport server. This includes the instance of Active Directory Application Mode (ADAM) on the Edge Transport server. When you log on by using an account that has Administrators local group membership, you can modify the server configuration, the status of queues and messages in transit, the security configuration of the server, and ADAM data.

Exchange 2007 Service Pack 1 (SP1) supports deployment of server roles on a Windows Server 2008 computer. If the Edge Transport server is installed on Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 includes several features that have been enhanced or renamed. For information about the feature changes between Windows Server 2003 and Windows Server 2008, see Terminology Changes.

You perform remote administration of Edge Transport servers by using Microsoft Windows Terminal Services. The Administrators local group is automatically granted remote logon permissions. Other user accounts must have membership in the Remote Desktop Users local group to log on to the server by using a remote desktop connection. We recommend that you create a specific user account for each user who administers an Edge Transport server. You must add these user accounts to the Administrators local group to make sure that the correct access level is granted.
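The following script is an added example, not part of the original Microsoft topic. It audits the local groups this topic names and flags members that do not match the one-account-per-administrator recommendation above. It assumes Windows PowerShell 2.0 or later, English group names, and a placeholder approved list (`EDGE01`, `adm-alice`, and `adm-bob` are hypothetical).

```powershell
# Assumption: accounts approved to administer this Edge Transport server.
# EDGE01, adm-alice and adm-bob are placeholder names; substitute your own.
$ApprovedAdmins = @('EDGE01\Administrator', 'EDGE01\adm-alice', 'EDGE01\adm-bob')

# Local groups named in this topic (English group names assumed).
$GroupsToAudit = @('Administrators', 'Remote Desktop Users', 'Backup Operators')

function Get-LocalGroupMemberName {
    param([string]$GroupName, [string]$Computer = $env:COMPUTERNAME)
    # The ADSI WinNT provider is used because Get-LocalGroupMember is not
    # available on older Windows PowerShell releases.
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://<domain or workgroup>/<computer>/<name> for local
        # accounts and WinNT://<domain>/<name> for domain accounts.
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '').Split('/')
        if ($parts.Length -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
        else { $parts[0] }   # a bare SID: the account no longer resolves
    }
}

# Administrators membership is needed to judge Remote Desktop Users entries.
$admins = @(Get-LocalGroupMemberName -GroupName 'Administrators')

$report = foreach ($groupName in $GroupsToAudit) {
    foreach ($name in @(Get-LocalGroupMemberName -GroupName $groupName)) {
        $finding = 'OK'
        if ($name -notmatch '\\') {
            $finding = 'Unresolved SID: review stale entry'
        } elseif ($groupName -eq 'Administrators' -and $ApprovedAdmins -notcontains $name) {
            $finding = 'Full control of server and ADAM/AD LDS, not on approved list'
        } elseif ($groupName -eq 'Remote Desktop Users' -and $admins -notcontains $name) {
            $finding = 'Remote logon without Administrators membership: review'
        }
        New-Object PSObject -Property @{ Group = $groupName; Member = $name; Finding = $finding }
    }
}

$report | Sort-Object Group, Member | Format-Table Group, Member, Finding -AutoSize
```

Run it from an elevated session on the Edge Transport server. Domain groups nested in a local group appear as a single member and are not expanded.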

Table 1 lists the common administrative tasks that are performed on the Edge Transport server and the group memberships that are required to complete each task successfully. You can use this information to delegate server administration.

Table 1   Administrative tasks and group membership requirements

Task                                          Required group membership
Backup and restore                            Backup Operators
Enable and disable agents
Configure connectors
Configure anti-spam policies
Configure IP Block lists and IP Allow lists
View queues and messages
Manage queues and messages
Create an Edge Subscription file

For more information, see Configuring Permissions.
