
Administrative Security

In previous versions of this book, this section talked extensively about the use of administrative groups as a way to achieve some semblance of administrative security for your Exchange organization. In Exchange Server 2007, however, Microsoft has mostly done away with administrative groups, leaving only a single administrative group named Exchange Administrative Group (FYDIBOHF23SPDLT) in which only Exchange Server 2007 servers reside. This administrative group is present only to support coexistence with legacy Exchange servers.


The name of the Exchange administrative group, Exchange Administrative Group (FYDIBOHF23SPDLT), is pretty convoluted. Likewise, Exchange Server 2007’s legacy routing group, named Exchange Routing Group (DWBGZMFD01QNBJR), is also fairly convoluted. Have you wondered at all why Microsoft chose these particular names? First, Microsoft had to be careful that it didn’t choose a name that already exists in a customer’s legacy Exchange organization. Second, the Exchange team decided that a little creativity was in order. Look carefully at the two names. Both have the same number of characters with each letter and number occupying the same positions. To make a long story short, if you look at the administrative group’s name, you find you can go to the previous letter (or number) in the alphabet for each character in the name and spell “EXCHANGE12ROCKS.” Likewise, for the routing group, go to the next letter of the alphabet for each letter in the routing group name and you also get “EXCHANGE12ROCKS.” It’s really nice to see the product team having so much fun with a product that is generally considered all business!

Why did the Exchange team eliminate administrative groups from the Exchange equation? With the complete overhaul of the management interface and its new “area of responsibility” focus, administrative groups simply aren’t necessary and can add to the overall complexity of managing Exchange. Figure 19-4 gives you a side-by-side look at the legacy Exchange System Manager and the Exchange Server 2007 Exchange Management Console. With their absence in Exchange Server 2007, you need to use a way other than administrative groups to achieve administrative security. In this section, you learn two methods by which you can add users to act in various Exchange administrative capacities.


Figure 19-4 The Exchange Server 2003 Exchange System Manager is on the left and the Exchange Server 2007 Exchange Management Console is on the right.

The Built-in Exchange Administrative Groups

When you run the initial installation of Exchange Server 2007, five Active Directory universal security groups are created, each with specific rights to various parts of the Exchange organization. Four of the five groups, shown in Figure 19-5 inside Active Directory Users and Computers, pertain directly to management of the Exchange organization and are as follows:

  • Exchange View-Only Administrators This role allows you to view configurations on all Exchange objects, but not to make any changes to those configurations.
  • Exchange Servers This role provides the following rights:
    • Members of this group have all of the rights of Exchange View-Only Administrators.
    • Members of this group have access to server-based Exchange configuration information and to the Active Directory objects that are server-related.
    • Members of this group may perform server-based administration but cannot perform operations at the global Exchange organization level.
    • Members of this group are also members of the local Administrators group on each server on which Exchange Server 2007 is installed.
  • Exchange Recipient Administrators This role provides the following rights:
    • Members of this group have all of the rights of Exchange View-Only Administrators.
    • Members of the group are also allowed to configure any object related to recipients and public folders, including contacts, groups, public folder objects, Unified Messaging mailbox settings, Client Access mailbox settings, and any other recipient Exchange property found in Active Directory.
  • Exchange Organization Administrators This role provides the following rights:
    • Members of this group have all of the rights of Exchange Recipient Administrators, plus more.
    • Users assigned to this group are allowed to view and administer all aspects of the Exchange organization, including servers, and organizational configuration.
    • Members of the role are considered the owners of all Exchange-related Active Directory objects.
    • During Exchange Server 2007 installation, this group is added to the membership of the server’s local Administrators group. If you install Exchange Server 2007 on a domain controller, which is not recommended, Exchange Organization Administrators have additional rights by virtue of the local Administrators group having more rights on a domain controller.

If you want to add a full Exchange administrator to your organization, all you have to do is add the appropriate user account to the Exchange Organization Administrators group. The same holds true for the other security groups.


Figure 19-5 The Exchange Server 2007 built-in security groups

The Add Exchange Administrator Wizard

Exchange Server 2007 also provides an easy way to add Exchange administrators whose role covers only a specific part of the Exchange organization, such as a single server, a group of servers, or recipients only. You will find this administrative delegation method far more flexible and effective than administrative groups were in the past.

The best way to demonstrate how the Add Exchange Administrator operation works is to see it in action. To start the process, open the Exchange Management Console and select the Organization Configuration option, as shown in Figure 19-6.


Figure 19-6 The Organization Configuration window

Note that the work pane in Figure 19-6 lists the groups that already have some level of permission to the Exchange organization. To add Exchange administrators, choose Add Exchange Administrator from the Action pane. This selection displays a one-page wizard, shown in Figure 19-7.


Figure 19-7 The Add Exchange Administrator Wizard

There are three selections that you must make in order to complete this wizard.

First, select the user or group to which you want to grant Exchange administrative rights. Next, select the role and scope that should apply to the new Exchange administrator. Finally, if you’ve selected the Exchange Server Administrator role, select at least one server to which this new user or group has access. Click Add, and from the Select Exchange Server window, choose the desired servers. Figure 19-8 shows what the screen looks like after you select the Exchange Server Administrator role and add a managed server.


When you add someone to the Exchange Server Administrator role, you must manually add that user or group to each managed server’s local Administrators group.

In reality, when you run the Add Exchange Administrator wizard, the resulting command simply adds the selected users to one of the groups described in the section “The Built-in Exchange Administrative Groups.” The only exception is the Exchange Server Administrator role: a user or group assigned to this role is granted Full Control permission on the specified server object and all of its child objects.


Figure 19-8 Selecting the Exchange Server Administrator role

Management Shell

You can also manage administrative roles through the Exchange Management Shell.

The following command adds a user account that can manage the Exchange Server 2007 server named E2007-4:

Add-ExchangeAdministrator -Identity ' So' -Role 'ServerAdmin' -Scope 'E2007-4'

If you add someone using the Exchange Server Administrator role, you still need to manually add the selected user or group to the built-in local Administrators group on the target server.
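As an added example (not code from the book), the following script assumes an Exchange Management Shell session run by an Exchange Organization Administrator, and uses placeholder domain and account names: it delegates the Exchange Server Administrator role for one server, performs the local Administrators step that both the wizard and the cmdlet leave to you, and then audits every ServerAdmin assignment for that missing membership. Resolving each assignment's Identity through its DistinguishedName is an assumption about the cmdlet's output object.

```powershell
# Added example (not from the book): delegate the Exchange Server Administrator
# role for one server, complete the manual local Administrators step the wizard
# skips, then audit every ServerAdmin assignment for that missing membership.
# Assumptions: run from the Exchange Management Shell by an Exchange Organization
# Administrator; $Domain and $User are placeholders, $Server is the chapter's server.
$Domain = 'CONTOSO'   # placeholder NetBIOS domain name
$User   = 'jdoe'      # placeholder sAMAccountName
$Server = 'E2007-4'

# 1. Role assignment: grants Full Control on the server object and its children.
Add-ExchangeAdministrator -Identity "$Domain\$User" -Role 'ServerAdmin' -Scope $Server

# 2. The step the cmdlet does not perform: local Administrators membership on the
#    managed server, via the WinNT ADSI provider (works in PowerShell 1.0).
$localAdmins = [ADSI]"WinNT://$Server/Administrators,group"
$localAdmins.Add("WinNT://$Domain/$User,user")

# Returns the account names that are direct members of a server's local Administrators.
function Get-LocalAdminNames($ComputerName) {
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# 3. Audit: every ServerAdmin should also be a local Administrator on its scope server.
#    A MISSING line means the delegation is incomplete; OK confirms both halves exist.
Get-ExchangeAdministrator | Where-Object { $_.Role -eq 'ServerAdmin' } | ForEach-Object {
    $dn    = $_.Identity.DistinguishedName       # assumption: Identity is an ADObjectId
    $sam   = [string]([ADSI]"LDAP://$dn").sAMAccountName   # works for users and groups
    $scope = "$($_.Scope)".Split('/')[-1]        # keep only the server name
    if ((Get-LocalAdminNames $scope) -contains $sam) {
        "OK      $sam is ServerAdmin on $scope and a local Administrator there"
    } else {
        "MISSING $sam is ServerAdmin on $scope but not in its local Administrators group"
    }
}
```

Run the audit portion on its own periodically; a MISSING line is a half-finished delegation, and an account that appears in local Administrators without a matching ServerAdmin assignment is the reverse drift worth reviewing.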

This command adds a user to the Exchange Recipient Administrators role:

Add-ExchangeAdministrator -Identity ' So' -Role 'RecipientAdmin'

This command adds a user to the Exchange View-Only Administrators role:

Add-ExchangeAdministrator -Identity ' So' -Role 'ViewOnlyAdmin'

This command adds a user to the Exchange Organization Administrators role:

Add-ExchangeAdministrator -Identity ' So' -Role 'OrgAdmin'

Table 19-1 comes from Microsoft’s documentation on administrative roles in Exchange Server 2007 and provides a concise look at exactly what each administrative role accomplishes.


Table 19-1 Exchange Server Administrative Roles




© Microsoft. All Rights Reserved.