Benefiting from Exchange Administration Delegation Wizard


The Exchange Administration Delegation Wizard applies the standardized security roles at either the organization level or the administrative group level in Exchange System Manager.

Remember that the Exchange Administration Delegation Wizard applies well-tested permissions in a consistent manner against objects in the Exchange hierarchy. Because of this consistency in application of permissions, the wizard is the recommended and preferred method of managing permissions in your Exchange environment. Only apply customized permissions to individual objects when your security policy requires you to do so, and after complete testing. Manually creating customized permissions increases the chance of human error. It also increases the chance of creating inappropriate permissions because of a misunderstanding of how permissions work. Additionally, customized security settings will require increased maintenance because they must be documented, and the customized settings must be verified. Although there are instances where customized security is appropriate, you must weigh the risks and costs carefully.

You can start the Exchange Administration Delegation Wizard from either the organization level or the administrative group level. As noted in "Benefiting from Standardized Security Roles in Exchange," the permissions associated with the role will then be applied down the hierarchy from the object from which you started the wizard. For example, if you start the wizard at the organization level, the permissions associated with the role will be applied to all objects under the organization in the hierarchy, including all administrative groups. Alternatively, if you start the wizard at an administrative group, the permissions associated with the role will be applied only to the objects in the administrative group.

When you start the Exchange Administration Delegation Wizard, it prompts you to specify the users and groups to which you want to apply the security role. Generally, it is recommended that you place your users in security groups, and then use the wizard to apply roles against those groups. Applying permissions to individual users can quickly become difficult to manage.

After the wizard is completed, Exchange System Manager applies the role's permissions for the selected group or user at the point in the hierarchy from which the wizard was started. The permissions are then propagated down the hierarchy through inheritance. By using the wizard, you can set all the permissions on the Exchange objects in both Active Directory and the IIS metabase with several clicks.
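Because wizard-applied roles reach child objects through inheritance, any explicit (non-inherited) entry below the delegation point is a candidate customized permission that needs to be documented and verified. The following script is an added example, not part of the original documentation, and it inventories those entries on the Active Directory side only, not the IIS metabase. It assumes the ActiveDirectory PowerShell module is available on a management workstation; the organization name is a placeholder, and `Get-ExplicitAce` and the output file name are hypothetical names chosen for this example.

```powershell
# Added example: list explicit (non-inherited) ACEs beneath an Exchange
# delegation point so they can be compared with a documented baseline.
Import-Module ActiveDirectory

# Assumption: placeholder value; replace with your Exchange organization name.
$orgName  = '<ExchangeOrganizationName>'
$configNC = (Get-ADRootDSE).configurationNamingContext

# Organization-level start point. To audit a single administrative group,
# pass that group's distinguished name as -SearchBase instead.
$startDn  = "CN=$orgName,CN=Microsoft Exchange,CN=Services,$configNC"

function Get-ExplicitAce {
    param([Parameter(Mandatory = $true)][string]$SearchBase)

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * |
        ForEach-Object {
            $dn = $_.DistinguishedName

            # Skip the start object: role ACEs are set explicitly there
            # and inherited everywhere below it.
            if ($dn -eq $SearchBase) { return }

            (Get-Acl -Path "AD:\$dn").Access |
                Where-Object { -not $_.IsInherited } |
                Select-Object @{ Name = 'Object'; Expression = { $dn } },
                              IdentityReference,
                              AccessControlType,
                              ActiveDirectoryRights,
                              ObjectType,
                              InheritanceType
        }
}

# Exchange Setup also creates explicit ACEs of its own, so treat the first
# run as a baseline and review later runs as differences against it.
Get-ExplicitAce -SearchBase $startDn |
    Sort-Object Object, IdentityReference |
    Export-Csv -Path .\exchange-explicit-aces.csv -NoTypeInformation
```

An entry that appears in a later run but not in the baseline, and that is not covered by your change documentation, is the kind of customized setting the text above says must be verified.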


For more information about managing store permissions, see "Managing Mailbox Stores and Public Folder Stores."