Introduction to Working with Active Directory Permissions in Exchange Server 2003


Topic Last Modified: 2005-05-11

Working with Active Directory® directory service permissions related to Microsoft® Exchange can be a complex task. This document has been written to aid Exchange architects in their understanding of how Exchange uses Active Directory in the context of permissions. Further, this document is a reference guide for administrators implementing a split permissions model.

In many organizations, there are separate administrators for Exchange and Active Directory, which means that there is a need to delegate administrative functions, so that distinct boundaries of administrative rights are maintained. This is known as a split permissions model. In this type of model, operations are decentralized in that two or more operation teams manage aspects of Exchange and Active Directory. For example, one operations team might manage domain and forest functions (creating DNS zones, establishing new domains, and creating user accounts), while another operations team manages Exchange-related functions (installing Exchange servers, mailbox management, and e-mail routing). In these situations, certain rights must be delegated to all parties so that they may complete their prescribed job functions without compromising the operational and security boundaries.

Organizations that implement a split permissions model typically want to restrict permissions granted to administrative personnel to the extent possible, thereby ensuring accountability and increasing security.

While the majority of this guide focuses on understanding and configuring a split permissions model, several other permission-related topics are also covered, including:

  • Explanation of the schema, domain, and configuration Active Directory naming contexts.

  • Frequently asked questions (FAQ) regarding the "how" and "why" of permissions around the Active Directory Connector, Exchange Server 2003 deployment, and Exchange Server 2003 management.

  • Specific rights granted by the Exchange Administration Delegation Wizard; specific rights granted during Exchange ForestPrep.

  • How to set permissions on Active Directory objects and classes at the domain and organizational unit levels.

This guide will answer the following questions:

  • How does Active Directory store and manage permissions for Exchange user and configuration data?

  • What permissions are set by the Exchange Administration Delegation Wizard, and what are "effective" rights or permissions?

  • What permissions are set during Exchange Setup?

  • What permissions do I need to perform various Exchange and Exchange service installations?

  • What permissions do I need to manage the various Exchange features?

  • How can I customize Exchange-related permissions in Active Directory to fit my organization's administrative model?

  • What tools are available to modify Exchange permissions in Active Directory, and how do I use them?

This guide has been written for Exchange architects and Active Directory deployment planners. The goal of this guide is to provide these administrators with the information that they need to understand the level of permissions required in installing and managing Exchange. In addition, architects and planners can use the split permissions information to provide a detailed permissions strategy that fits the administration model of their organization. By using the DSACLS snippets discussed in Planning a Split Permissions Model, you can then implement the permissions strategy.

Because every organization is different and Active Directory permissions can be configured so flexibly, it is not possible to recommend a single permissions strategy that works for all organizations. Therefore, this guide is not prescriptive; it does not recommend a particular permissions model. Use the information presented in this guide to implement the permissions model that is appropriate for your organization.