Microsoft Exchange Server 2016 Built-in Management Role Groups

_________________________________________________________________________________________________________________________________________________________________

__________________________________________________________________________________________________________________________________________________________________

Summary

As in previous Microsoft Exchange Server versions, Exchange Server 2016 contains a default set of groups that you can use to assign permissions in the Exchange Server organization, such as in a scenario where you have to assign view only access or Help Desk only access so that your help desk can only perform help desk related tasks. For most organizations, the default set of role groups provide all required flexibility. Only organizations with very specific permission-delegation requirements need to use custom management role groups and management roles. Exchange Server 2016 includes several built-in role groups that you can use to provide varying levels of administrative permissions to user groups.

Role Groups & Descriptions

We can add users to, or remove them from, any built-in role group. We can also add or remove role assignments to or from most role groups.

Organization Management:-

Role holders have access to the entire Exchange Server 2016 organization and can perform almost any task against any Exchange Server object.
View-Only Organization Management:-
Role holders can only view the properties of any object in the organization.
Recipient Management:-
Role holders have access to create or modify Exchange Server 2016 recipients within the Exchange Server organization.
UM Management:-
Role holders can manage the Unified Messaging (UM) features within the organization, such as UM server configuration, properties on mailboxes, prompts, and auto-attendant configuration.
Discovery Management:-
Role holders can perform searches of mailboxes in the Exchange Server organization for data that meets specific criteria.
Records Management:-
Role holders can configure compliance features, such as retention policy tags, message classifications, and transport rules. Role holders also can export audit logs.
Server Management:-
Role holders have access to Exchange Server configuration. They do not have access to administer recipient configuration.
Help Desk:-
Role holders can perform limited recipient management.
Public Folder Management:-
Role holders can manage public folders and databases on Exchange servers.
Delegated Setup:-
Role holders can deploy previously provisioned Exchange servers.
Compliance Management:-
Role holders can configure and manage compliance settings, such as data loss prevention (DLP) policies and Information Rights Management (IRM) configuration.
Hygiene Management:-
Role holders can manage Exchange Server anti-spam features and grant permissions for antivirus products to integrate with Exchange Server.

Conclusions

All of these role groups are located in the Microsoft Exchange Server Security Groups OU in the forest root domain of AD DS. We can assign the role as per the administrator jobs & responsibility. In this way we can have a better control on Exchange organization and we can also track the changes done by each Exchange administrator.