Exchange administrators regularly handle patch management, database backups and similar tasks; however, answering
end-user requests can take up most day-to-day tasks. Users routinely flood help desk with requests to track messages, manage distribution lists and having their passwords reset.
In the past, when a user contacted help desk with such a request, help desk would forward the request directly to the Exchange admin. Before the release of Exchange 2010, admins couldn’t give help desk staff the ability to service basic requests without simultaneously giving them excessive permissions to the Exchange environment.
Exchange Server 2010 allows administrators to granularly delegate permissions and transfer certain tasks to either help desk or directly to end users. Although this can save an administrator time managing certain tasks, it’s important to carefully choose which permissions to delegate.
Delegating permissions to help desk in Exchange 2010
You can manage administrative roles from the Exchange Control Panel (ECP) (Figure 1). By default, there is a Help Desk role group created; however, this group only has two assigned roles: User Options and View Only Recipients.
The User Options role lets help desk view a user’s Outlook Web App (OWA) setup. The View Only Recipients role allows help desk staff to view how a user's mailbox is configured. In Exchange 2010, you can give help desk additional permissions without giving them too much power.
Every organization is different, so the help desk permissions that work well for one organization may not be appropriate for another. Ultimately, it's up to you to pick which roles are best suited for your staff. Here are a few top roles and their functions:
- Disaster Recovery -- Allows help desk to restore mailboxes and database availability groups;
- Distribution Groups -- Allows help desk to create and manage distribution groups;
- Mail Recipient Creation -- Help desk can create recipients mailboxes, mail users, mail contacts, etc.;
- Mail Recipients -- Enables help desk to manage existing recipients;
- Message Tracking -- Allows help desk to track email messages;
- Public Folders -- Gives help desk the ability to manage public folders. This role, however, does not allow admins to mail-enable public folders or change public folder replication settings.
- Transport Queues -- Allows help desk to view and manage message queues.
Delegating permissions to Exchange 2010 users
Granting certain permissions to end users enables them to use the ECP as a self-service portal for certain administrative tasks. Microsoft, by default, grants end users the following permissions:
- MyContactInformation -- Users can to modify their contact information;
- MyDistributionGroupMembership -- Allows users to view and manage distribution group membership;
- MyBaseOptions -- Lets users view and modify basic configuration settings for mailboxes;
- MyTextMessaging -- Allows users to create, view and modify text messaging settings;
- MyVoiceMail -- Users can view and modify their voicemail settings.
I don’t recommend granting users many rights beyond Microsoft’s default settings, except for the following five:
- MyDisplayName -- View and modify a display name;
- MyName -- View and modify a full name;
- MyDistributionGroups -- Create and manage distribution groups;
- MyRetentionPolicies -- View retention tags and modify retention tag settings;
- MyDiagnostics -- Perform basic mailbox diagnostics.
ABOUT THE AUTHOR:
Brien Posey is a seven-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.