Exchange 2000 Server and Exchange Server 2003 were the first versions to include varying levels of administrative
control. As Exchange Server evolved, so did these controls.
Exchange Server 2007 includes four different administrative roles; being familiar with each will only help you grasp the changes Microsoft made to Exchange Server 2010.
Exchange Server 2007 administrative roles include:
- Exchange Organization Administrator: As the highest level of control over an Exchange Server 2007 organization, this role has no restrictions. Exchange Organization Administrator is the Exchange 2007 equivalent to the Exchange Full Administrator role in Exchange 2000 Server and Exchange 2003.
- Exchange Recipient Administrator: This role is intended for performing day-to-day management tasks like creating mailboxes. It allows you to work with users, groups, contacts and public folders, but doesn't allow organization- or server-level administration.
- < p>
- Exchange Server Administrator: Exchange 2000 and Exchange Server 2003 had the similarly named Exchange Administrator role; however, that changed in Exchange Server 2007. In Exchange 2007, an admin can be given administrative permission over individual Exchange servers without being able to make organizational-level changes. Admins with this role are also prohibited from uninstalling Exchange.
- Exchange View Only Administrator: This role was carried over from Exchange 2000 Server and Exchange 2003. It provides you read-only access to an entire Exchange organization. Since this role doesn't let you make any changes to the Exchange organization, it's primarily used for training purposes.
The administrative permissions used in Exchange Server 2007 are an improvement over what was previously available, but the permissions aren't exactly granular. To achieve granular control over Exchange management permissions, many organizations combine a few of these permissions and access control lists (ACLs). Although this technique works, it's complicated and may have unintentional side effects if implemented incorrectly.
Exchange Server 2010 administrative controls
Microsoft designed Exchange Server 2010 to use a new administrative model called Role Based Access Control (RBAC). RBAC gives you broad and granular control over an Exchange organization. These controls can also be applied to end users using self-service mechanisms that are built into the Exchange Control Panel.
There are two primary tools you can use to assign administrative permissions in Exchange Server 2010: management role groups and management role assignment policies. A third option -- direct user role assignment -- is seldom used.
Management role groups are used to grant administrative permissions. For example, you would use this role to give a user administrative control over an Exchange server.
Management role assignment policies give users management permissions over some aspects of their own mailbox. For example, this role allows a user to update his or her contact information.
Management role groups are the primary method used to manage administrative permissions in Exchange Server 2010. A management role group is actually a special type of universal group. Like any other universal group, a management role group contains a set of members.
The management role group is linked to a management role via a management role assignment. Essentially, the management role defines the tasks that the members of the management role group can perform.
The management role assignment can be linked to a management role scope, which limits where the group members can exercise given permissions. With this role assignment, you could create a management role scope that limits group members to manage a specific server or organizational unit, for example.
There are about 12 role groups that are defined by default. To view these role groups, open the Exchange Management Shell and enter the Get-RoleGroup command.
As you can see in Figure 1, legacy management roles have been rolled into the management role groups.
Exchange Server 2010 management role groups don't always line up exactly with their Exchange Server 2007 counterparts, but some role groups are roughly equivalent to the administrative permissions found in Exchange Server 2007. Table 1 compares both versions.
Table 1. Exchange Server 2007 role groups and their Exchange Server 2010 counterparts.
|Exchange Server 2007 administrative roles||Exchange Server 2010 management role group name|
|Exchange Organization Administrator||Organization Management|
|Exchange Recipient Administrator||Recipient Management|
|Exchange Server Administrator||Server Management|
|Exchange View Only Administrator||View-Only Organization|
About the author: Brien M. Posey, MCSE, is a six-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
Do you have comments on this tip? Let us know.