Setting Administrator Permissions for the Edge Transport Server Role

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

This topic provides an overview of the permissions that a user must have to administer a computer that has the Microsoft Exchange Server 2010 Edge Transport server role installed.

Edge Transport Server Role Permissions

The Edge Transport server role is deployed in an organization's perimeter network, which is also known as the boundary network or screened subnet. The Edge Transport server can be deployed as a stand-alone server or as a member of a perimeter Active Directory domain.

When the Exchange 2010 Edge Transport server role is installed, no Exchange-specific groups are created. The Administrators local group is granted full control of the Edge Transport server. That full control includes the instance of Active Directory Lightweight Directory Services (AD LDS) on the Edge Transport server. When you log on by using an account that has Administrators local group membership, you can modify the server configuration, the status of queues and messages in transit, the security configuration of the server, and AD LDS data.

You perform remote administration of Edge Transport servers by using Microsoft Windows Terminal Services. The Administrators local group is automatically granted remote logon permissions. Other user accounts must have membership in the Remote Desktop Users local group to log on to the server by using a remote desktop connection. We recommend that you create a specific user account for each user who administers an Edge Transport server. You must add these user accounts to the Administrators local group to make sure that the correct access level is granted.

Permissions That Are Required to Administer the Edge Transport Server

The following table lists the common administrative tasks that are performed on the Edge Transport server and the group memberships that are required to complete each task successfully. You can use this information to delegate server administration.

Administrative tasks and group membership requirements

Task                                          Required group membership
--------------------------------------------  -------------------------
Backup and restore                            Backup Operators
Enable and disable agents                     Administrators
Configure connectors                          Administrators
Configure anti-spam policies                  Administrators
Configure IP Block lists and IP Allow lists   Administrators
View queues and messages                      Users
Manage queues and messages                    Administrators
Create an Edge Subscription file              Administrators
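Because membership in the local groups above decides who can perform each task, it is worth reviewing that membership on the Edge Transport server itself. The following PowerShell script is an added example, not part of the original Microsoft topic. It assumes it is run locally in an elevated session, and the function name Get-EdgeLocalGroupMember and the REVIEW/INFO output lines are hypothetical names chosen for this illustration.

```powershell
# Added example: list members of the local groups named in this topic and
# flag entries that deserve a second look. Uses the ADSI WinNT provider so it
# does not depend on cmdlets that are absent from older Windows PowerShell.
$computer = $env:COMPUTERNAME
$groups   = 'Administrators', 'Backup Operators', 'Remote Desktop Users', 'Users'

function Get-EdgeLocalGroupMember {   # hypothetical helper name
    param([string]$Computer, [string]$Group)
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($adsiGroup.psbase.Invoke('Members'))) {
        # Members are COM objects; read their properties through reflection.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Group  = $Group
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class  = $class          # 'User' or 'Group'
        }
    }
}

$membership = foreach ($g in $groups) {
    Get-EdgeLocalGroupMember -Computer $computer -Group $g
}
$membership | Sort-Object Group, Member |
    Format-Table Group, Member, Class -AutoSize

$admins     = @($membership | Where-Object { $_.Group -eq 'Administrators' })
$adminNames = @($admins | ForEach-Object { $_.Member })

# Administrators have full control of the server, including AD LDS data.
# A nested group hides which individual accounts actually hold that control.
$admins | Where-Object { $_.Class -eq 'Group' } | ForEach-Object {
    "REVIEW: group '$($_.Member)' is nested in Administrators"
}

# Remote Desktop Users can log on remotely, but without Administrators
# membership they cannot perform the Administrators-only tasks in the table.
$membership |
    Where-Object { $_.Group -eq 'Remote Desktop Users' -and
                   $adminNames -notcontains $_.Member } |
    ForEach-Object {
        "INFO: '$($_.Member)' has remote logon but is not an Administrator"
    }
```

Compare the Administrators list against the individual accounts you created for each Edge Transport administrator, and investigate any entry you do not recognize.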

 © 2010 Microsoft Corporation. All rights reserved.