Del via


Server Management

Applies to: Exchange Server 2013

The Server Management management role group is one of several built-in role groups that make up the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2013. Role groups are assigned one or more management roles that contain the permissions required to perform a given set of tasks. The members of a role group are granted access to the management roles assigned to the role group. For more information about role groups, see Understanding management role groups.

Administrators who are members of this role group can configure server-specific configuration of transport client access, and mailbox features such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols.

This role group is similar to the Exchange Server Administrators role in Microsoft Exchange Server 2007. It grants access to manage the configuration of physical servers. However, unlike the Exchange Server Administrators role in Exchange 2007, which provided access only to a local server running Exchange 2007, the Server Management role group enables access to view and configure all Exchange Server 2010 servers in the organization.

If you want to allow administrators to manage only specific servers in your organization, you can change the management scopes that are applied to this role group. Alternatively, you can create a role group, based on the Server Management role group, and customize the management scopes on the new role group. For more information, see the "Role Group Customization" section later in this topic.

For more information about RBAC, see Understanding Role Based Access Control.

Role group membership

If you want to add or remove members to or from this role group, see Manage role group members.

By default, only members of the Organization Management role group can add or remove members from this role group. For more information about how to add additional role group delegates, see the "Add or remove a role group delegate" section in Manage role groups.

You can use the following command to view a list of users or universal security groups (USGs) that are members of this role group.

Get-RoleGroupMember "Server Management"

For more information about the members of a role group, see View the members of a role group in Manage role group members.

Role group customization

This role group is assigned management roles by default. The roles that are included are listed in the "Management Roles Assigned to this Role Group" section. You can add or remove role assignments to or from this role group to match the needs of your organization.

The role groups provided with Exchange 2013 are designed to match more granular tasks. By assigning roles to a role group, you enable the members of that role group to perform the tasks associated with the role. For example, the Journaling role enables the management of the Journaling agent and journaling rules. For more information about how roles are assigned to role groups, see Understanding management role assignments.

The roles assigned to this role group are given default management scopes. Management scopes determine what Exchange objects can be viewed or modified by the members of a role group. You can change the scopes associated with assignments between roles and role groups. For example, you might want to do this if you only want members of a role group to be able to change recipients that are under a specific organizational unit or in a specific location. For more information about management scopes, see Understanding management role scopes.

For more information about how to customize this role group, see the following topics:

If you want to create a role group and assign some of the roles that are assigned to this role group to the new role group, see the "Create a role group" section in Manage role groups.

Management roles assigned to this role group

The following table lists all the management roles that are assigned to this role group and the following attributes of each role assignment:

  • Regular assignment: Enables members of the role group to access the management role entries made available by the associated management role.
  • Delegating assignment: Gives members of the role group the ability to assign the specified role to other role groups, role assignment policies, users, or USGs.
  • Recipient read scope: Determines what recipient objects members of the role group are allowed to read from Active Directory.
  • Recipient write scope: Determines what recipient objects members of the role group are allowed to modify in Active Directory.
  • Configuration read scope: Determines what configuration and server objects members of the role group are allowed to read from Active Directory.
  • Configuration write scope: Determines what organizational and server objects members of the role group are allowed to modify in Active Directory.

For more information about role assignments and management scopes, see the following topics:

Management role Regular assignment Delegating assignment Recipient read scope Recipient write scope Configuration read scope Configuration write scope
Database Copies role X Organization Organization OrganizationConfig OrganizationConfig
Databases role X Organization Organization OrganizationConfig OrganizationConfig
Exchange Connectors role X Organization Organization OrganizationConfig OrganizationConfig
Exchange Server Certificates role X Organization Organization OrganizationConfig OrganizationConfig
Exchange Servers role X Organization Organization OrganizationConfig OrganizationConfig
Exchange Virtual Directories role X Organization Organization OrganizationConfig OrganizationConfig
Monitoring role X Organization Organization OrganizationConfig OrganizationConfig
POP3 and IMAP4 Protocols role X Organization Organization OrganizationConfig OrganizationConfig
Receive Connectors role X Organization Organization OrganizationConfig OrganizationConfig
Transport Queues role X Organization Organization OrganizationConfig OrganizationConfig