Exchange Admin 101: Exchange 2003 and Exchange 2007 admin privileges

Organizations rarely implement a single level of administrative rights anymore because of the potential security problems that this can introduce. In larger organizations, for example, it's common to have several different administrators, each with permissions to manage a specific, contained aspect of the network. In smaller organizations, there often is a primary administrator who oversees a group of junior administrators. This tip explains the available administrative privileges in Exchange Server 2003 and Exchange Server 2007, and the differing levels of control that each admin role allows.

Exchange Server 2003 administrative roles

Exchange Server 2003 has different levels of administrative responsibility, and supports three types of administrative roles: Exchange Full Administrator, Exchange Administrator and Exchange View Only Administrator.

• Exchange Full Administrator: This role has total control over the Exchange organization, and can delegate administrative roles to other users.

• Exchange Administrator: This role is identical to the Exchange Full Administrator role, but the Exchange Administrator role lacks have the power to delegate administrative roles to other users.

• The Exchange View Only Administrator: In Exchange Server 2003, this role is intended for administrators to use during training. The Exchange View Only Administrator role gives administrators-in-training the ability to browse through the Exchange System Manager (ESM), but no power to make any changes.

While creating various administrative roles was a step in the right direction, those used in Exchange Server 2003 are somewhat broad in scope. For example, Exchange Server 2003 doesn't allow you to appoint a user as an Exchange Administrator over one server, and not another. If a user is an Exchange Administrator, he has administrative control over the entire Exchange organization.

Exchange Server 2007 administrative roles

Microsoft revised the administrative roles in Exchange Server 2007 to allow organizations to delegate specific management responsibilities to various administrators. There are four different administrative roles in Exchange 2007: Exchange Organization Administrators, Exchange Recipient Administrators, Exchange Server Administrators and Exchange View Only Administrators.

• Exchange Organization Administrator: This role is the most powerful of the Exchange Server 2007 administrative roles. An administrator who has been assigned to this role has full control over the entire Exchange 2007 organization. The Exchange Organization Administrator role is required for any administrator who must make high-level changes to the organization. For example, an administrator must be assigned the Exchange Organization Administrator role if he wants to create a connector, or make any other type of organization-level change.

  The powers of an Exchange Organization Administrator aren't limited to the organization level. These administrators can also manage recipients and Exchange servers, just as an Exchange Full Administrator would be able to in Exchange 2003.

• Exchange Recipient Administrator: This role was created for organizations with staff dedicated to the task of managing Exchange mailboxes, including unified messaging-enabled mailboxes. Administrators who have been assigned the Exchange Recipient Administrator role are granted read access to Active Directory's Domain Users container, assuming that DomainPrep has been run against the domain.

  Exchange Recipient Administrators are also granted write access to any Exchange-specific attributes of the user objects within a domain. This means that they can see all user accounts within a domain, but can only make changes to those accounts if the changes relate to the users' mailboxes.

• Exchange Server Administrator: The Exchange Server Administrator role was created for situations in which an administrator wants to grant another administrator control over a specific Exchange server, but not the entire Exchange organization.

Related resources: Delegation of administrative authority in Exchange 2003 How to configure admin rights to access an Exchange 2003 mailbox 5 tips in 5 minutes: Securing Exchange Server 2003 Microsoft Exchange Server 2007 Reference Center

When Exchange Server 2007 is installed onto a server, Setup creates a security group named Exchange Server Administrator <servername>. Administrators with the Exchange Server Administrator control are members of this group, and have full control over the server in question. The administrator will have full access to all of the server's configuration data, and can take on the role of a local Windows administrator (not a domain administrator). Exchange Server Administrators also appointed to the role of Exchange View-only Administrators.

While Exchange Server Administrators have total control over a specific server, they cannot manage recipients. This role is used most often to allow an administrator in a branch office to maintain an Exchange Server located within that office.

• Exchange View Only Administrator: The Exchange View Only Administrators role in Exchange Server 2007 works the same as it did in Exchange 2003. Exchange View Only Administrators have read access to the entire Exchange organization, but cannot modify existing settings.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft Exchange Server Permissions Set Outlook calendar permissions for group to view private meetings Selectively set email permissions for Exchange groups Public folder permissions fail in Exchange mixed mode Configure admin rights to access Exchange 2003 mailbox Share a user's calendar without giving access to the entire mailbox How to prevent a user from moving an Exchange Server shared calendar to personal mailbox Creating an ethical firewall in Exchange Server 2007 'You do not have permission to send to this recipient' errors Securing Exchange Server 2003 -- 5 tips in 5 minutes User cannot access Exchange public folder subfolders Microsoft Exchange Server 2007 Re-enable Exchange Server 2007 remote streaming backups in SP1 How to use Exchange Management Shell's Filter command How to use the Exchange Management Shell command syntax Secure Edge Transport servers using the Security Configuration Wizard What is Windows Server 2008's impact on an Exchange 2007 migration? Is it time to upgrade users' Windows Mobile devices? Customizing Outlook Web Access (OWA) in Exchange Server 2007 Managing an Exchange 2007 Cluster Continuous Replication (CCR) setup Monitor mail flow with the Exchange Server 2007 Queue Viewer tool Create a global Safe Senders List in Exchange 2007 to filter spam Microsoft Exchange Server 2007 Research Microsoft Exchange Server 2003 Why Exchange ActiveSync fails with NAT firewalls Is it time to upgrade users' Windows Mobile devices? Top 10 Microsoft Exchange Server 2003 registry hacks Use Performance Monitor to detect Exchange 2003 message queue problems How to set up email disclaimers on a single, back-end Exchange server How to customize OWA authentication logon in Exchange Server 2003 Can a deleted transaction log be restored in Exchange Server 2003? Improve Exchange 2003 Internet connectivity, mail flow and performance Can I selectively archive Exchange Server 2003 email messages? How to back up and restore Exchange data with recovery storage groups Microsoft Exchange Server 2003 Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary privilege  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.