Planning a Split Permissions Model

The administrative model prescribed by the default configuration of Microsoft® Exchange and Active Directory® directory service, especially with regard to user administration, may not fit with the security and administrative roles defined by your organization. For some organizations, the helpdesk-level administrators that create user accounts are not the same administrators that administer mailboxes. However, the default configuration of Exchange and Active Directory requires that mailbox administrators belong to the "Account Operators" security group, and that members of the "Account Operators" group have read-read access to Exchange objects.

This topic explains how you can configure permissions in Active Directory to correspond to your administrative model. This granular level of permissioning is referred to as a split permissions model. "Implementing a Split Permissions Model" describes the tools and processes you need to understand to implement a split permissions model in your organization.

"Split Permissions Model Reference" catalogues all of the Exchange attributes as they are organized in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Use this topic to help you identify the attributes and the appropriate permissions you need to set on those attributes as you plan a split permissions model for your organization.