Lighten your workload: Delegate permissions in Exchange 2010

Make your life easier -- let help desk staff and users manage certain tasks on their own. Here's a rundown of some time-saving settings.

This Content Component encountered an error

day in the life Exchange administrators regularly handle patch management, database backups and similar tasks; however, answering end-user requests can take up most day-to-day tasks. Users routinely flood help desk with requests to track messages, manage distribution lists and having their passwords reset.

In the past, when a user contacted help desk with such a request, help desk would forward the request directly to the Exchange admin. Before the release of Exchange 2010, admins couldn’t give help desk staff the ability to service basic requests without simultaneously giving them excessive permissions to the Exchange environment.

Exchange Server 2010 allows administrators to granularly delegate permissions and transfer certain tasks to either help desk or directly to end users. Although this can save an administrator time managing certain tasks, it’s important to carefully choose which permissions to delegate.

Delegating permissions to help desk in Exchange 2010
You can manage administrative roles from the Exchange Control Panel (ECP) (Figure 1). By default, there is a Help Desk role group created; however, this group only has two assigned roles: User Options and View Only Recipients.

The User Options role lets help desk view a user’s Outlook Web App (OWA) setup. The View Only Recipients role allows help desk staff to view how a user's mailbox is configured. In Exchange 2010, you can give help desk additional permissions without giving them too much power.

Default roles within the Help Desk role group
Figure 1. By default, Exchange Control Panel’s Help Desk role has two groups -- User Options and View Only Recipients. 

Every organization is different, so the help desk permissions that work well for one organization may not be appropriate for another. Ultimately, it's up to you to pick which roles are best suited for your staff. Here are a few top roles and their functions:

  • Disaster Recovery -- Allows help desk to restore mailboxes and database availability groups;
  • Distribution Groups -- Allows help desk to create and manage distribution groups;
  • Mail Recipient Creation -- Help desk can create recipients mailboxes, mail users, mail contacts, etc.;
  • Mail Recipients -- Enables help desk to manage existing recipients;
  • Message Tracking -- Allows help desk to track email messages;
  • Public Folders -- Gives help desk the ability to manage public folders. This role, however, does not allow admins to mail-enable public folders or change public folder replication settings.
  • Transport Queues -- Allows help desk to view and manage message queues.

Delegating permissions to Exchange 2010 users
Granting certain permissions to end users enables them to use the ECP as a self-service portal for certain administrative tasks. Microsoft, by default, grants end users the following permissions:

  • MyContactInformation -- Users can to modify their contact information;
  • MyDistributionGroupMembership -- Allows users to view and manage distribution group membership;
  • MyBaseOptions -- Lets users view and modify basic configuration settings for mailboxes;
  • MyTextMessaging -- Allows users to create, view and modify text messaging settings;
  • MyVoiceMail -- Users can view and modify their voicemail settings.

I don’t recommend granting users many rights beyond Microsoft’s default settings, except for the following five:

  • MyDisplayName -- View and modify a display name;
  • MyName -- View and modify a full name;
  • MyDistributionGroups -- Create and manage distribution groups;
  • MyRetentionPolicies -- View retention tags and modify retention tag settings;
  • MyDiagnostics -- Perform basic mailbox diagnostics.

ABOUT THE AUTHOR:
Brien Posey is a seven-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.

This was first published in March 2011

Dig deeper on Microsoft Exchange Server 2010

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close