Permission Considerations

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

When planning how to integrate Microsoft Exchange Server 2007 into your Active Directory directory service structure, consider the administrative model in your organization. With Exchange 2007, you have flexibility in how you assign permissions to administrators. Generally, we recommend that you consider how the following capabilities of Active Directory and Exchange 2007 affect the way that you organize your administrative roles:

  • A single administrator can perform tasks for both Microsoft Windows Server 2003 and Exchange.

  • You can split permissions between Exchange administrators and Windows administrators.

  • You can isolate the Exchange administrator roles and the Windows administrator roles by using an Exchange resource forest.

The sections in this topic describe the flexibility of permissions configuration and the administrative roles available in Exchange 2007.

Understanding the Exchange and Active Directory Split Permissions Model

In many Microsoft Exchange organizations, especially in medium and large organizations, there may be more than one Exchange administrator. Because these administrators can perform a specific set of administration tasks, Exchange Server 2007 provides predefined administrator roles and a split permissions model that allow you to configure specific permissions in Active Directory for various administrative roles in your organization. In Exchange 2007, permissions on Exchange recipient attributes are grouped together. This minimizes the manual permission configuration that you must do to split Exchange permissions from other administrative permissions. For more information about how to plan and implement your permissions model, see the following topics:

Changes to the Security and Permission Model

The security and permissions model from Exchange Server 2003 has changed for Exchange 2007. This section provides information about the changes to the Exchange permissions model and describes the differences.

Property Sets

A property set is a grouping of Active Directory attributes. You can control access to this grouping of Active Directory attributes by setting one access control entry (ACE) instead of setting an ACE on each property. The property set that groups all Exchange recipient attributes is called e-mail information.

Note

Exchange Server 2003 security groups that had permission to access the recipient properties on Exchange Server 2003 servers will have permission to access the Exchange 2007 e-mail information property set, as long as you use Exchange 2007 Setup.Com or Setup.Com with the /PrepareAD parameter to update the Active Directory schema.

For more information on property sets, see Property Sets in Exchange 2007.

Exchange 2003 Security and Permissions Model

To help simplify management of permissions, Exchange Server 2003 provided predefined security roles that were available in the Exchange 2003 Administrative Delegation Wizard. These roles were a collection of standardized permissions that could be applied at either the organization or the administrative group level.

In Exchange 2003, the following security roles were available through the Delegation Wizard in Exchange System Manager:

  • Exchange Full Administrator

  • Exchange Administrator

  • Exchange View Only Administrator

This model had the following limitations:

  • A lack of specificity. The Exchange Administrator group was too large, and some customers wanted to manage their security and permissions model at the individual server-level.

  • A perception that the Exchange Server 2003 security roles only differed in subtle ways.

  • There was no clear separation between administration of users and groups by the Windows (Active Directory) administrators and Exchange recipient administrators. For example, to perform Exchange recipient related tasks, you had to grant Exchange administrators high level permissions (Account Operator permissions on Windows domains).

Exchange 2007 Security and Permissions Model

To improve the management of your Exchange administrator roles, which were called "security groups" in Exchange 2003, the following new or improved features have been made to the Exchange security and permissions model:

  • New administrator roles that are similar to the built-in Windows Server security groups. For more information about these administrator roles, see "Administrator Roles in Exchange 2007" later in this topic.

  • You can use the Exchange Management Console (formerly Exchange System Manager) and the Exchange Management Shell to view, add, and remove members from any administrator role.

Administrator Roles in Exchange 2007

Exchange 2007 has the following predefined groups that manage Exchange configuration data:

  • Exchange Organization Administrators

  • Exchange Recipient Administrators

  • Exchange View-Only Administrators

  • Exchange Public Folder Administrators (New in Exchange Server 2007 Service Pack 1)

During the Exchange Setup /PrepareAD phase (the organization-preparation phase that is similar to Exchange 2003 ForestPrep), these Exchange Administrator roles (except Exchange Server Administrators) are created in a new Microsoft Exchange security group's organizational unit (OU) that is located in the domain where /PrepareAD was run.

When you add an administrator role to a user, that user inherits the permissions that are permitted by that role. These administrator roles have permissions to manage Exchange data in Active Directory. There are three types of Exchange data that can be managed by these groups:

  • Global Data   This is data in an Active Directory configuration container that is not associated with a particular server. This data includes, but is not limited to, mailbox policies, address lists, and Exchange Unified Messaging configuration. Global data generally affects the whole organization and can potentially affect all users. As a best practice, allow only a few trusted users to configure or change global data.

  • Recipient Data   Recipients in Exchange are Active Directory user objects that can receive or send e-mail messages. Examples of recipient data include mail-enabled contacts, distribution groups, mailboxes, and specific recipient types such as public folder proxy objects.

  • Server Data   Exchange server data is contained in Active Directory under the specified server’s node. Examples of this data include receive connectors, virtual directories, per-server settings, and mailbox and storage group data.

Exchange Organization Administrators Role

The Exchange Organization Administrators role gives administrators full access to all Exchange properties and objects in the Exchange organization. During Exchange setup, in the root domain, Setup /PrepareAD creates the Active Directory security group named Exchange Organization Administrators in the Microsoft Exchange Security Groups container of Active Directory Users and Computers.

When you add a user to the Exchange Organization Administrators role, that user becomes a member of the administrator role called Exchange Organization Administrators. Exchange 2007 creates this role during Active Directory preparation. Members of the Exchange Organization Administrators role have the following permissions:

  • Owners of the Exchange organization in the configuration container of Active Directory. As owners, members of the role have full control over the Exchange organization data in the configuration container in Active Directory and the local Exchange server Administrator group.

  • Read access to all domain user containers in Active Directory. Exchange grants this permission during setup of the first Exchange 2007 server in the domain, for each domain in the organization. These permissions are granted by being a member of the Exchange Recipient Administrator role.

  • Write access to all Exchange-specific attributes in all domain user containers in Active Directory. Exchange 2007 grants this permission during setup of the first Exchange 2007 server in the domain, for each domain in the organization. These permissions are granted by being a member of the Exchange Recipient Administrator role.

  • Owner of all local server configuration data. As owners, members have full control over the local Exchange server. Exchange 2007 grants this permission during setup of each Exchange server.

Users who are members of the Exchange Organization Administrators role have the highest level of permissions in the Exchange organization. All tasks that affect your whole Exchange organization will require membership in this group. Examples of tasks that require Exchange Organization Administrator permissions include creating or deleting connectors, changing server policies, and changing any global configuration settings.

Note

When you install Exchange 2007, Setup will add the Exchange Organization Administrators role as a member of the local Administrators group on the computer on which you are installing Exchange. Be aware that the local Administrators group on a domain controller has different permissions than the local Administrators group on a member server. If you install Exchange 2007 on a domain controller, the users in the Exchange Organization Administrators role will have additional Windows permissions that they do not have if you install Exchange 2007 on a computer that is not a domain controller.

Exchange Recipient Administrators Role

The Exchange Recipient Administrators role has permissions to modify any Exchange property on an Active Directory user, contact, group, dynamic distribution list, or public folder object. During Exchange Setup /PrepareAD, the Exchange Recipient Administrator role is created in the Microsoft Exchange Security Groups container in Active Directory. This role also lets you manage Unified Messaging mailbox settings and Client Access mailbox settings. Members of the Exchange Organization Recipient Administrators role have the following permissions:

  • Read access to all the Domain User containers in Active Directory that have had Setup /PrepareDomain run in those domains.

  • Write access to all the Exchange specific attributes on the Domain User containers in Active Directory that have had Setup /PrepareDomain run in those domains.

  • Membership in the Exchange View-Only Administrator role.

Users who are members of the Exchange Recipient Administrators role will not have permissions to Domains where Setup /PrepareDomain has not been run. When you add a new Exchange domain, make sure that you run Setup /PrepareDomain in the new domain to grant permissions to the Exchange administrator roles in that domain.

Exchange Server Administrators Role

The Exchange Server Administrators role has access to only local server Exchange configuration data, either in the Active Directory or on the physical computer on which Exchange 2007 is installed. Users who are members of the Exchange Server Administrators role have permissions to administer a particular server, but do not have permissions to perform operations that have global impact in the Exchange organization.

Exchange 2007 creates this administrator role during setup. Members of the Exchange Server Administrator role have the following permissions:

  • Owner of all local server configuration data. As owners, members of the role have full control over the local server configuration data.

  • Local administrator on the computer on which Exchange is installed.

  • Members of the Exchange View-Only Administrators role.

Exchange View-Only Administrators

The Exchange View-Only Administrators role has read-only access to the whole Exchange organization tree in the Active Directory configuration container, and read-only access to all the Windows domain containers that have Exchange recipients.

During Exchange Setup /PrepareAD, the Exchange View-Only Administrators role is created in the Microsoft Exchange Security Groups container in Active Directory.

Exchange Public Folder Administrators

New in Exchange 2007 Service Pack 1 (SP1)

The Exchange Public Folder Administrators role has administrative permissions to manage all the public folders. This administrator role is granted the "Create top level public folder" extended right. Members of this role can create and delete public folders, and manage public folder settings such as replicas, quotas, age limits, administrative permissions, and client permissions. This administrator role can mail-enable public folders, but it cannot modify mail recipient-related properties on public folders, such as proxy addresses. That capability requires membership in the Exchange Recipient Administrators role.

Summary of Administrator Roles and Permissions

The following table lists the Exchange 2007 administrator roles and their related Exchange permissions.

Administrator role Members Member of Exchange permissions

Exchange Organization Administrators

Administrator, or the account that was used to install the first Exchange 2007 server

Exchange Recipient Administrator

Administrators local group of <Server Name>

Full control of the Microsoft Exchange container in Active Directory

Exchange Recipient Administrators

Exchange Organization Administrators

Exchange View-Only Administrators

Full control of Exchange properties on Active Directory user object

Exchange Server Administrators

 

Exchange View-Only Administrators

Administrators local group of <Server Name>

Full control of Exchange <Server Name>

Exchange View-Only Administrators

Exchange Recipient Administrators

Exchange Public Folder Administrators

Exchange Recipient Administrators

Exchange Server Administrators

Read access to the Microsoft Exchange container in Active Directory.

Read access to all the Windows domains that have Exchange recipients.

Exchange Servers

Each Exchange 2007 computer account

Exchange View-Only Administrators

Special

Exchange Public Folder Administrators

Exchange Organization Administrators

Exchange View-Only Administrators

Ability to administratively manage public folders.

Address Book Attributes

Exchange uses many attributes to store Exchange data. Exchange also uses other recipient attributes that can be used by other directory-aware applications that use the Exchange data. Therefore, these attributes were not added to the Exchange-specific property sets. These attributes may reside in other property sets created during Active Directory installation or they may not belong to any property set.

The attributes listed in the following table are the data that is provided to end-users via Microsoft Office Outlook in the Global Address List (GAL). If an Exchange administrator requires the ability to update these attributes and is not a member of a domain privileged security group, such as the Account Operators group, the Active Directory administrator must grant read/write permission.

Applies to object Exchange Management Console location Attribute Description

User, Contact

User Information or Contact Information tab in User or Contact properties

givenName

First name

User, Contact

User Information or Contact Information tab in User or Contact properties

initials

Middle initial

User, Contact

User Information or Contact Information tab in User or Contact properties

sn

Last name

User, Contact

User Information or Contact Information tab in User or Contact properties

info

Notes field

User, Contact

Address and Phone tab in User or Contact properties

streetAddress

Street address

User, Contact

Address and Phone tab in User or Contact properties

l

City

User, Contact

Address and Phone tab in User or Contact properties

st

State/Province

User, Contact

Address and Phone tab in User or Contact properties

postalCode

ZIP/Postal code

User, Contact

Address and Phone tab in User or Contact properties

countryCode

Country/Region

User, Contact

Address and Phone tab in User or Contact properties

telephoneNumber

Business phone

User, Contact

Only available in the Exchange Management Shell

otherTelephoneNumber

Alternative business phone

User, Contact

Address and Phone tab in User or Contact properties

pager

Pager

User, Contact

Address and Phone tab in User or Contact properties

facsimileTelephoneNumber

Fax

User, Contact

Address and Phone tab in User or Contact properties

homePhone

Home phone

User, Contact

Only available in the Exchange Management Shell

otherHomePhone

Alternative home phone

User, Contact

Address and Phone tab in User or Contact properties

mobile

Mobile phone

User, Contact

Only available in the Exchange Management Shell

otherfacsimileTelephoneNumber

Alternative fax

Contact

Only available in the Exchange Management Shell

telephoneAssistant

Assistant phone

Contact

Active Directory Service Interfaces (ADSI) Edit/LDAP

telephoneAssistant

Assistant phone

User, Contact

Organization tab in User or Contact properties

title

Title

User, Contact

Organization tab in User or Contact properties

company

Company

User, Contact

Organization tab in User or Contact properties

department

Department

User, Contact

Organization tab in User or Contact properties

physicalDeliveryOfficeName

Office

User, Contact

Organization tab in User or Contact properties

manager

Manager

User, Contact

Organization tab in User or Contact properties

directReports

Direct reports

User, Contact

Only available in the Exchange Management Shell

msExchAssistantName

Assistant name

Group

Group Information tab in Group properties

managedBy

Group owner

Group

Group Information tab in Group properties

info

Notes field

For More Information

For information about how to delegate permissions by using the Exchange administrative roles, see Add-ExchangeAdministrator.

For information about how to prepare Active Directory and your domains for Exchange 2007, see How to Prepare Active Directory and Domains.