Service Configuration in Exchange System Manager

 

To support remote updating of configuration settings stored in the registry, Exchange System Manager requires the Remote Registry service to be running on all Exchange servers. For example, when you display the properties of a server object in Exchange System Manager and switch to the Diagnostics Logging tab to view or set the event logging level for the various categories of Exchange services, Exchange System Manager accesses registry settings for the corresponding services through the registry API. The categories that appear for a service on the Diagnostics Logging tab correspond to REG_DWORD parameters stored in the Diagnostics subkey of the Exchange service, under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. The following figure illustrates this relationship for the DSAccess component.

Diagnostics logging settings in Registry Editor and in the Properties dialog box for a server object in Exchange System Manager


The Remote Registry service is bypassed when you work with registry settings on the local computer. However, if you want to set the diagnostics logging level for an Exchange server remotely, Exchange System Manager must first use the RegConnectRegistry function of the registry API to establish a connection to the registry key that you want on the remote computer. For this function call, the Exchange administrator must have access permissions to the Remote Registry service. Otherwise, the Remote Registry connection cannot be established.

Warning

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems that result from editing the registry incorrectly might not be resolvable. Before editing the registry, back up any valuable data.

The default configuration for Windows permits only local Administrators remote access to the registry. To make sure that Exchange administrators can remotely administer an Exchange server, System Attendant automatically adds those accounts that have an Exchange administrator role to the access control list (ACL) of the WinReg registry key and grants them Full Control permissions. This key can be found under the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers.

With the required permissions for the Remote Registry service, the Exchange administrator can establish a remote connection to the target registry. However, this does not mean that the Exchange administrator is also permitted to read or write settings of other registry keys. For example, an administrator might have Full Control permissions for the WinReg key, but no permissions for the MSExchangeMTA key in the services control database. In this case, Exchange System Manager could connect to the remote server's registry but might not be able to list the services or diagnostics categories on the Diagnostics Logging tab. To make sure that an Exchange administrator can read and write settings for Exchange services, System Attendant grants Exchange administrators Full Control permissions for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Services key. All subkeys under this registry key inherit the permissions settings. For more information about the registry settings for Exchange services, see Exchange Server 2003 Services Dependencies.
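The two separate checks described above (connecting through the Remote Registry service, then opening a specific key) can be audited from an administrative workstation. The following is an added example, not code from the original documentation: the function name `Test-ExchangeRemoteRegistryAccess` and its parameters are hypothetical, and it assumes Windows PowerShell 5.1 and an account that is allowed to read the keys involved.

```powershell
# Added example; function and parameter names are hypothetical.
function Test-ExchangeRemoteRegistryAccess {
    param(
        [Parameter(Mandatory)] [string] $Server,   # Exchange server to audit
        [string] $Service = 'MSExchangeMTA'        # service key named on this page
    )
    $result = [ordered]@{
        Server = $Server; Connected = $false
        WinRegAcl = @(); Diagnostics = [ordered]@{}; Error = $null
    }
    try {
        # Step 1: connect through Remote Registry. This is gated by the WinReg key ACL.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Server)
        $result.Connected = $true
    } catch {
        # Typically surfaces as "network path was not found" or access denied.
        $result.Error = "Connect failed: $($_.Exception.GetBaseException().Message)"
        return [pscustomobject]$result
    }
    try {
        # Step 2: list the accounts that are allowed to connect remotely.
        $winreg = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg')
        if ($winreg) {
            $rules = $winreg.GetAccessControl().GetAccessRules(
                $true, $true, [System.Security.Principal.NTAccount])
            $result.WinRegAcl = @($rules | ForEach-Object {
                '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights
            })
        }
        # Step 3: a successful connection does not imply access to the service key.
        $diag = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\$Service\Diagnostics")
        if ($diag) {
            foreach ($name in $diag.GetValueNames()) {
                # Diagnostics logging categories are stored as REG_DWORD values.
                if ($diag.GetValueKind($name) -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
                    $result.Diagnostics[$name] = $diag.GetValue($name)
                }
            }
        } else { $result.Error = "Diagnostics subkey not found for $Service" }
    } catch {
        $e = $_.Exception.GetBaseException()
        $result.Error = "Connected, but key access failed ($($e.GetType().Name)): $($e.Message)"
    } finally { $hklm.Close() }
    [pscustomobject]$result
}
```

Review the `WinRegAcl` output for accounts with Full Control that should no longer hold an Exchange administrator role; a result with `Connected` set to true and an access error shows the second permission check failing independently of the first.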

Note

If Exchange System Manager cannot access the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Services key on an Exchange server, either because a connection to the Remote Registry service cannot be established or because you do not have sufficient access permissions, you receive an error message that states that the network path was not found, and you cannot manage the server.