Exchange Admin 101: Exchange 2003 and Exchange 2007 admin privileges

Organizations rarely implement a single level of administrative rights anymore because of the potential security problems that this can introduce. In larger organizations, for example, it's common to have several different administrators, each with permissions to manage a specific, contained aspect of the network. In smaller organizations, there often is a primary administrator who oversees a group of junior administrators. This tip explains the available administrative privileges in Exchange Server 2003 and Exchange Server 2007, and the differing levels of control that each admin role allows.

Exchange Server 2003 administrative roles

Exchange Server 2003 has different levels of administrative responsibility, and supports three types of administrative roles: Exchange Full Administrator, Exchange Administrator and Exchange View Only Administrator.

• Exchange Full Administrator: This role has total control over the Exchange organization, and can delegate administrative roles to other users.

• Exchange Administrator: This role is identical to the Exchange Full Administrator role, but the Exchange Administrator role lacks have the power to delegate administrative roles to other users.

• The Exchange View Only Administrator: In Exchange Server 2003, this role is intended for administrators to use during training. The Exchange View Only Administrator role gives administrators-in-training the ability to browse through the Exchange System Manager (ESM), but no power to make any changes.

While creating various administrative roles was a step in the right direction, those used in Exchange Server 2003 are somewhat broad in scope. For example, Exchange Server 2003 doesn't allow you to appoint a user as an Exchange Administrator over one server, and not another. If a user is an Exchange Administrator, he has administrative control over the entire Exchange organization.

Exchange Server 2007 administrative roles

Microsoft revised the administrative roles in Exchange Server 2007 to allow organizations to delegate specific management responsibilities to various administrators. There are four different administrative roles in Exchange 2007: Exchange Organization Administrators, Exchange Recipient Administrators, Exchange Server Administrators and Exchange View Only Administrators.

• Exchange Organization Administrator: This role is the most powerful of the Exchange Server 2007 administrative roles. An administrator who has been assigned to this role has full control over the entire Exchange 2007 organization. The Exchange Organization Administrator role is required for any administrator who must make high-level changes to the organization. For example, an administrator must be assigned the Exchange Organization Administrator role if he wants to create a connector, or make any other type of organization-level change.

  The powers of an Exchange Organization Administrator aren't limited to the organization level. These administrators can also manage recipients and Exchange servers, just as an Exchange Full Administrator would be able to in Exchange 2003.

• Exchange Recipient Administrator: This role was created for organizations with staff dedicated to the task of managing Exchange mailboxes, including unified messaging-enabled mailboxes. Administrators who have been assigned the Exchange Recipient Administrator role are granted read access to Active Directory's Domain Users container, assuming that DomainPrep has been run against the domain.

  Exchange Recipient Administrators are also granted write access to any Exchange-specific attributes of the user objects within a domain. This means that they can see all user accounts within a domain, but can only make changes to those accounts if the changes relate to the users' mailboxes.

• Exchange Server Administrator: The Exchange Server Administrator role was created for situations in which an administrator wants to grant another administrator control over a specific Exchange server, but not the entire Exchange organization.

Related resources: Delegation of administrative authority in Exchange 2003 How to configure admin rights to access an Exchange 2003 mailbox 5 tips in 5 minutes: Securing Exchange Server 2003 Microsoft Exchange Server 2007 Reference Center

When Exchange Server 2007 is installed onto a server, Setup creates a security group named Exchange Server Administrator <servername>. Administrators with the Exchange Server Administrator control are members of this group, and have full control over the server in question. The administrator will have full access to all of the server's configuration data, and can take on the role of a local Windows administrator (not a domain administrator). Exchange Server Administrators also appointed to the role of Exchange View-only Administrators.

While Exchange Server Administrators have total control over a specific server, they cannot manage recipients. This role is used most often to allow an administrator in a branch office to maintain an Exchange Server located within that office.

• Exchange View Only Administrator: The Exchange View Only Administrators role in Exchange Server 2007 works the same as it did in Exchange 2003. Exchange View Only Administrators have read access to the entire Exchange organization, but cannot modify existing settings.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft Exchange Server Permissions Exchange users receiving email addressed to legacy users Restrict access to Outlook Web Access via Exchange System Manager Why you should secure Exchange 2007 using administrative policies Editing Exchange Server public folder permissions Can't delete old Microsoft Outlook public folders Why can't I grant users permissions to an Exchange public folder? Exchange public folder calendar can't be opened in Microsoft Outlook Grant or deny permissions to access a user's Exchange 2007 mailbox Set Outlook calendar permissions for group to view private meetings Selectively set email permissions for Exchange groups Microsoft Exchange Server 2007 Is your Exchange 2007 hub transport server healthy? Top 5 Exchange ActiveSync tips Two useful tools for documenting an Exchange Server installation Controlling spam in Exchange 2007 at the edge transport server level Restore Exchange storage groups with DPM 2007 How a hosted Exchange service can help you Email issues after configuring hosted Exchange server on laptop Migrating to Exchange 2007 with correct permissions Virtualize Exchange Server 2007 -- without losing your job How DSAccess service improves Exchange Server 2007 reliability Microsoft Exchange Server 2007 Research Microsoft Exchange Server 2003 Remove Exchange 2003 objects from AD to install Exchange 2010 Leapfrogging from Exchange 2003 to Exchange 2010 Top 5 Exchange ActiveSync tips Exchange Mailbag: POP3 settings and Outlook issues Migrating to Exchange 2007 with correct permissions Problems receiving email from outside a Exchange Server 2003 domain Exchange admins: Is it time to rethink your email address policy? Exchange Server 2003 collects email from only specific POP3 domains Changing email address formats in Exchange Server 2003 Should you remove .STM files from Exchange Server 2003? Microsoft Exchange Server 2003 Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary privilege  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.