Organizations rarely implement a single level of administrative rights anymore because of the potential security problems that this can introduce. In larger organizations, for example, it's common to have several different administrators, each with permissions to manage a specific, contained aspect of the network. In smaller organizations, there often is a primary administrator who oversees a group of junior administrators. This tip explains the available administrative privileges in Exchange Server 2003 and Exchange Server 2007, and the differing levels of control that each admin role allows.
Exchange Server 2003 administrative roles
Exchange Server 2003 has different levels of administrative responsibility, and supports three types of administrative roles: Exchange Full Administrator, Exchange Administrator and Exchange View Only Administrator.
- Exchange Full Administrator : This role has total control over the Exchange organization, and can delegate administrative roles to other users.
- Exchange Administrator : This role is identical to the Exchange Full Administrator role, but the Exchange Administrator role lacks have the power to delegate administrative roles to other users.
- The Exchange View Only Administrator : In Exchange Server 2003, this role is intended for administrators to use during training. The Exchange View Only Administrator role gives administrators-in-training the ability to browse
- through the Exchange System Manager (ESM), but no power to make any changes.
While creating various administrative roles was a step in the right direction, those used in Exchange Server 2003 are somewhat broad in scope. For example, Exchange Server 2003 doesn't allow you to appoint a user as an Exchange Administrator over one server, and not another. If a user is an Exchange Administrator, he has administrative control over the entire Exchange organization.
Exchange Server 2007 administrative roles
Microsoft revised the administrative roles in Exchange Server 2007 to allow organizations to delegate specific management responsibilities to various administrators. There are four different administrative roles in Exchange 2007: Exchange Organization Administrators, Exchange Recipient Administrators, Exchange Server Administrators and Exchange View Only Administrators.
- Exchange Organization Administrator : This role is the most powerful of the Exchange Server 2007 administrative roles. An administrator who has been assigned to this role has full control over the entire Exchange 2007 organization. The Exchange Organization Administrator role is required for any administrator who must make high-level changes to the organization. For example, an administrator must be assigned the Exchange Organization Administrator role if he wants to create a connector, or make any other type of organization-level change.
- Exchange Recipient Administrator : This role was created for organizations with staff dedicated to the task of managing Exchange mailboxes, including unified messaging-enabled mailboxes. Administrators who have been assigned the Exchange Recipient Administrator role are granted read access to Active Directory's Domain Users container, assuming that DomainPrep has been run against the domain.
- Exchange Server Administrator : The Exchange Server Administrator role was created for situations in which an administrator wants to grant another administrator control over a specific Exchange server, but not the entire Exchange organization.
The powers of an Exchange Organization Administrator aren't limited to the organization level. These administrators can also manage recipients and Exchange servers, just as an Exchange Full Administrator would be able to in Exchange 2003.
Exchange Recipient Administrators are also granted write access to any Exchange-specific attributes of the user objects within a domain. This means that they can see all user accounts within a domain, but can only make changes to those accounts if the changes relate to the users' mailboxes.
When Exchange Server 2007 is installed onto a server, Setup creates a security group named Exchange Server Administrator <servername>. Administrators with the Exchange Server Administrator control are members of this group, and have full control over the server in question. The administrator will have full access to all of the server's configuration data, and can take on the role of a local Windows administrator (not a domain administrator). Exchange Server Administrators also appointed to the role of Exchange View-only Administrators.
While Exchange Server Administrators have total control over a specific server, they cannot manage recipients. This role is used most often to allow an administrator in a branch office to maintain an Exchange Server located within that office.
- Exchange View Only Administrator : The Exchange View Only Administrators role in Exchange Server 2007 works the same as it did in Exchange 2003. Exchange View Only Administrators have read access to the entire Exchange organization, but cannot modify existing settings.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.
This was first published in November 2007