Administrative Roles and Permissions

 

Windows Server 2003 and Exchange let you assign roles and permissions to administrators flexibly, which gives you a full range of options for managing recipients, servers, and policies. When you organize your administrative roles, consider how the following capabilities of Active Directory and Exchange 2003 affect them:

  • A single administrator can perform tasks for both Windows Server 2003 and Exchange.

  • You can organize and administer users based on security considerations, permissions, location, domains, forest, or other requirements.

  • You can specify user and group access by object class; for example, you can grant administrators permission to view the status of the mailbox store but not the size of a user's mailbox.

Recipient Management and Server Management

With the introduction of Active Directory, you can separate the administration of servers from the administration of recipients. Recipients are defined as objects in Active Directory and include users, groups, and contacts. Because these objects are contained in and managed by Active Directory, you create mailboxes, new users, and distribution groups, and perform other related tasks, in Active Directory Users and Computers. However, you configure servers, connectors, public folders, address lists, protocols, and policies in Exchange System Manager.

Identify who performs administrative tasks, such as user account management and daily operation of Exchange. Because Exchange and Windows use Active Directory, some of these tasks are an extension of Windows Server administration. If one person manages all Windows users, consider having this person also manage Exchange recipients, because these tasks are closely related. If different people perform administrative tasks for different groups of users or servers, you might consider using multiple administrative groups to make it easier to assign permissions to a set of Exchange objects for special circumstances.

Administration and Routing

Identify who manages administration and routing in your Exchange system. When you first install Exchange, it runs in mixed mode so that servers running earlier versions of Exchange can coexist within the Exchange organization. Exchange organizations that no longer coexist with earlier versions of Exchange can switch to native mode. The administrative model for organizations in native mode separates routing and administration: you can organize servers in administrative groups to manage permissions and apply system policies, and you can assign servers to routing groups that span administrative groups to most efficiently manage message traffic. For more information about administrative groups and routing groups, see the Exchange Server 2003 Transport and Routing Guide (https://go.microsoft.com/fwlink/?LinkId=47579).

Data Management

Identify who manages mailbox stores and public folder stores. Depending on how you organize your system, your public folder hierarchy may be split by regions or divisions within your organization. You can use permissions to define who administers the public folder hierarchy in your organization. Backup and restore accountability can rest with Exchange administrators or with another group. For more information about managing information and backing up resources, see the Exchange Server 2003 High Availability Guide (https://go.microsoft.com/fwlink/?LinkId=47571).

Interoperability with Exchange 5.5

Mailbox management includes creating, modifying, and deleting mailboxes, e-mail addresses, and related properties. In Exchange 2000 and Exchange 2003, mailbox management is integrated with Active Directory recipient management.