Controlling Administrative Access to the Exchange Store

 

To manage the Exchange store successfully, you must understand how permissions affect the Exchange store components. Improperly configured permissions are a frequent cause of store problems.

Note

The information in this section also appears in the Exchange Server 2003 Administration Guide and is provided here for your convenience.

Use the information in the following table to identify the permissions that are involved in administering Exchange Server 2003. Use the information in the following figure to learn how the Exchange store objects inherit these permissions. This knowledge will help you recognize situations where you may require a different administrative role or different permissions.

The following table summarizes the permissions for the three Exchange Server 2003 administrative roles on the Exchange store objects.

Permissions for the Exchange Server 2003 administrative roles on mailbox stores, public folder stores, and public folder trees

Role: Exchange Full Administrator

  • Allowed: Full control; Additional permissions in Active Directory to allow you to work with deleted items and offline address lists

  • Denied: Receive As; Send As

Role: Exchange Administrator

  • Allowed: All except Change permissions; Additional permissions in Active Directory to allow you to work with offline address lists

  • Denied: Receive As; Send As

Role: Exchange View Only Administrator

  • Allowed: Read; List object; List contents; View Information Store status

  • Denied: None

The following figure summarizes how mailbox stores, public folder stores, and public folder trees inherit permissions.

Direction of inheritance of permissions for Exchange Full Administrators, Exchange Administrators, or Exchange View Only Administrators


As this figure shows, objects in the Exchange store inherit permissions from their administrative group. The following exceptions apply:

  • Delegating Exchange administrative roles on an administrative group gives administrators in those roles limited permissions on mailboxes—enough to create or delete mailboxes, and set options such as storage limits.

  • A public folder inherits some administrative permissions from the public folder tree where it resides. It does not inherit permissions from the public folder store.

  • Administrative rights on a public folder include many folder-specific permissions that are not available on the public folder tree. For example, although an Exchange Administrator cannot modify the permissions on a public folder tree, the administrator can modify permissions on a public folder in that tree.
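The following Python example is added here and is not code from the Exchange documentation. It audits whether an administrative account is still denied Receive As and Send As on each store once entries inherited from the administrative group are combined with entries set directly on the store. It assumes the entries are evaluated in canonical Windows ACL order (explicit before inherited, deny before allow); the Ace record, the group name ExAdmins, and the store names are constructed for illustration.

```python
from dataclasses import dataclass

# Rights the role table lists as denied for the two administrator roles.
DENIED_RIGHTS = ("Receive As", "Send As")

@dataclass(frozen=True)
class Ace:
    trustee: str     # account or group the entry names
    kind: str        # "allow" or "deny"
    right: str       # permission name, as in the table
    inherited: bool  # True if the entry comes from the administrative group

# Canonical ACL order: explicit entries before inherited, deny before allow.
CANONICAL = [(False, "deny"), (False, "allow"), (True, "deny"), (True, "allow")]

def decision(aces, trustees, right):
    """Return 'deny', 'allow' or 'none' for right; the first matching entry decides."""
    for inherited, kind in CANONICAL:
        for ace in aces:
            if (ace.inherited, ace.kind) != (inherited, kind) or ace.trustee not in trustees:
                continue
            # Full control covers every right, including Receive As and Send As.
            if ace.right in (right, "Full control"):
                return kind
    return "none"

def audit(stores, trustees):
    """List (store, right, decision) where the account is not denied mailbox access."""
    findings = []
    for store, aces in stores.items():
        for right in DENIED_RIGHTS:
            result = decision(aces, trustees, right)
            if result != "deny":
                findings.append((store, right, result))
    return findings

# Constructed sample: the inherited entries match the role table, and
# "Mailbox Store 2" also carries an explicit allow set directly on the store.
INHERITED = [
    Ace("ExAdmins", "allow", "Full control", True),
    Ace("ExAdmins", "deny", "Receive As", True),
    Ace("ExAdmins", "deny", "Send As", True),
]
STORES = {
    "Mailbox Store 1": list(INHERITED),
    "Mailbox Store 2": INHERITED + [Ace("ExAdmins", "allow", "Receive As", False)],
}

if __name__ == "__main__":
    for finding in audit(STORES, {"ExAdmins", "alice"}):
        print(finding)
```

The finding on the second store shows that an explicit allow on the store takes precedence over the deny inherited from the administrative group, which is the kind of drift a periodic permissions review should catch.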

Note

For an administrator to apply a system policy to a store, the administrator must have the appropriate permissions on both the System Policies container and on the target store. If you are using a distributed administration model with multiple administrative groups that have separate administrators, each administrator will only be able to interact with the stores in that administrator's own administrative group.

Important

Public folder trees and their public folders can only be administered in the administrative group where they were created, although you can replicate folders in the tree to multiple administrative groups. If you are using a distributed administration model with multiple administrative groups that have separate administrators, each administrator can work with the public folder stores in that administrator's own administrative group, but the administrator may not have access to the public folders that those stores support.

For additional information about store permissions, see the Exchange Server 2003 Administration Guide. It includes specific information about the following topics:

  • The types of permissions that control access to mailboxes and public folders, and when to use each type.

  • The minimum permissions required for mailbox stores and public folder stores.

For a more extensive explanation of store permissions, see Working with Store Permissions in Microsoft Exchange 2000 and 2003.