Changes in the Administration and Permissions Model


Topic Last Modified: 2007-01-26

By Kweku Ako-Adjei

So, you're ready to upgrade your Microsoft Exchange Server organization from Exchange Server 2003 to Exchange Server 2007? Great. Before you get started, however, make sure that you have a solid planning strategy in place, which includes a clear understanding of the changes made to the administration and permissions model. With Exchange 2007, you now have flexibility in how you assign permissions to administrators. Several changes have also been made to improve the manual permissions configuration you must do to split Exchange permissions from other administrative permissions.

To help you with these changes, this article guides you through the recommended steps, including links to the appropriate documents that provide detailed information about the new administration and permissions model.

Because working with Exchange-related Active Directory directory service permissions can be a complex task, it is important that you first understand the changes that have been implemented in Exchange 2007. Therefore, to help you develop a strong planning strategy, check out the following topics:

When Active Directory was introduced in Exchange 2000 Server, we found that many organizations used separate administrators for Exchange and Active Directory. This, of course, meant that there was a need to delegate administrative functions. In these scenarios, operations were decentralized so that separate teams managed aspects of Exchange and Microsoft Windows (Active Directory).

Therefore, in response to feedback from Exchange 2000 customers, we made several changes to the process of managing permissions in Exchange 2003. Specifically, Exchange 2003 provided predefined security roles. These roles were a collection of standardized permissions that could be applied at either the organization level or the administrative group level. But we found that this model had the following limitations:

  • A lack of specificity. The Exchange Administrator group was too large, and some customers wanted to manage their security and permissions model at the individual server level.

  • A perception that the Exchange 2003 security roles only differed in subtle ways.

  • No clear separation between administration of users and groups by the Windows (Active Directory) administrators and Exchange recipient administrators. For example, to perform Exchange recipient-related tasks, you had to grant Exchange administrators high-level permissions (Account Operator permissions on Windows domains).

To address these limitations, we made some changes that will improve the management of your Exchange administrator roles. Exchange 2007 includes the following new or improved features in the Exchange administration and permissions model:

  • New administrator roles were created that are similar to the built-in Windows Server security groups. For more information about these administrator roles, see "Administrator Roles in Exchange 2007" in Permission Considerations.

  • You can use the Exchange Management Console (formerly called Exchange System Manager) and the Exchange Management Shell to view, add, and remove members from any administrator role.

  • No access control list (ACL) setting is required when modifying any administrator role membership. These administrator roles will be statically added to the appropriate object ACLs during setup.

For detailed information about the differences between the Exchange 2007 and Exchange 2003 permissions models, the new administrator roles, and how to configure your Exchange 2007 permissions, see the following topics:

To grant permissions in Exchange 2003, you used the Delegation Wizard in Exchange System Manager. To provide you with more options, Exchange 2007 includes two interfaces in which you can configure and administer your permissions model:

  • Exchange Management Console

  • Exchange Management Shell

There are a couple of ways you can use the Exchange Management Console to configure and administer permissions. To grant permissions, you use the Add Exchange Administrator wizard. Also, you can use the console itself to view and modify administrator roles and membership, and to view and modify permissions for users and groups.

For detailed information about these tasks, see the following topics:

You can also now use the Exchange Management Shell to configure and administer permissions. New in Exchange 2007, the Exchange Management Shell is a powerful management interface, built on Microsoft Windows PowerShell technology. You can use the Exchange Management Shell to perform every task available in the Exchange Management Console, as well as other tasks.
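As an added illustration (not part of the original article), the following script audits administrator role assignments against an approved baseline, which is the kind of least-privilege review that shell access to role membership makes possible. It relies on the Exchange 2007 cmdlets Get-ExchangeAdministrator, Add-ExchangeAdministrator, and Remove-ExchangeAdministrator, which this article does not name; the identities, the server name EXCH-BR01, and the "Organization wide" scope text are constructed assumptions.

```powershell
# Added example, not from the original article. Identities and the server
# name EXCH-BR01 are constructed placeholders.

# Approved assignments as "Identity|Role|Scope". Copy the Scope text from your
# own Get-ExchangeAdministrator output; "Organization wide" is assumed here.
$approved = @(
    'contoso.com/Users/ExOrgAdmins|OrgAdmin|Organization wide',
    'contoso.com/Users/HelpDesk|RecipientAdmin|Organization wide',
    'contoso.com/Users/BranchOps|ServerAdmin|EXCH-BR01'
)

# Builds a stand-in for one Get-ExchangeAdministrator result (constructed data).
function New-SampleAssignment($Identity, $Role, $Scope) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Identity $Identity
    $o | Add-Member NoteProperty Role $Role
    $o | Add-Member NoteProperty Scope $Scope
    $o
}

# Compares live assignments with the baseline and reports drift both ways.
function Get-RoleDrift($Assignments, [string[]]$Baseline) {
    $actual = @($Assignments | ForEach-Object {
        '{0}|{1}|{2}' -f $_.Identity, $_.Role, $_.Scope
    })
    foreach ($key in $actual) {
        if ($Baseline -notcontains $key) { "UNAPPROVED  $key" }
    }
    foreach ($key in $Baseline) {
        if ($actual -notcontains $key) { "MISSING     $key" }
    }
}

if (Get-Command Get-ExchangeAdministrator -ErrorAction SilentlyContinue) {
    $current = Get-ExchangeAdministrator   # real data in the Exchange Management Shell
} else {
    $current = @(                          # constructed sample for offline runs
        (New-SampleAssignment 'contoso.com/Users/ExOrgAdmins' 'OrgAdmin' 'Organization wide'),
        (New-SampleAssignment 'contoso.com/Users/HelpDesk' 'OrgAdmin' 'Organization wide'),
        (New-SampleAssignment 'contoso.com/Users/BranchOps' 'ServerAdmin' 'EXCH-BR01')
    )
}

Get-RoleDrift $current $approved

# Remediation, run only after review (HelpDesk is over-privileged in the sample):
# Remove-ExchangeAdministrator -Identity 'contoso.com/Users/HelpDesk' -Role OrgAdmin
# Add-ExchangeAdministrator    -Identity 'contoso.com/Users/HelpDesk' -Role RecipientAdmin
```

The audit itself is read-only; the ServerAdmin entry scoped to a single server shows the per-server delegation that the Exchange 2003 roles could not express.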

For detailed information about the Exchange Management Shell and how to use it to configure and administer permissions, see the following topics:

To learn more about Exchange 2007 permissions delegation and property sets, check out the following Exchange Team blogs:

The content of each blog and its URL are subject to change without notice.

Kweku Ako-Adjei - Technical Writer, Microsoft Exchange Server