If you would like to read the next article in this series please go to: Exchange 2007 Permissions and Roles (Part 2)
If you have looked at or have deployed Exchange 2007, you are no doubt aware that there have been many significant changes over previous versions. The area of administrative permissions and security roles has changed somewhat in Exchange 2007 and in this article we will take a look at those changes. Also, we will look at several common permission issues and requirements that Exchange administrators come across in their day-to-day work.
Let us start by having a brief re-cap on how previous versions of Exchange handle the area of Exchange administration permissions. Exchange 2000 and Exchange 2003 come equipped with three different security roles that you can assign via the Delegation Wizard. These roles are:
- Exchange Full Administrator. This is the highest level possible and gives full access permissions throughout the Exchange organization. In addition, users with the Exchange Full Administrator role can also grant permissions to other Exchange administrators if required.
- Exchange Administrator. The Exchange Administrator role is essentially the same as the Exchange Full Administrator role although this role does not give the ability to grant permissions to other Exchange administrators.
- Exchange View-Only Administrator. This gives read-only access to the Exchange organization. In other words, it is possible to see the contents and settings of an Exchange organization, but not modify them.
These roles can be assigned via the Exchange Server Delegation Wizard at either organization or administrative group level, depending on your requirements. In a typical scenario, the main Exchange administrator would be granted Exchange Full Administrator rights at organization level. Other Exchange administrators who may look after Exchange servers within a specific administrative group would then be granted permissions only at administrative group level. However, assigning permissions at administrative group level has not always proved as granular as many organizations would have liked, since an administrator who has permissions at administrative group level has permissions to all servers within that administrative group. Further, you may remember from your reading that it is not possible to move Exchange 2000 or Exchange 2003 servers between administrative groups, even in native mode. The upshot here is that new Exchange servers need to be built in a different administrative group and the users move across. Some deployments have seen administrative groups created specifically to house various connectors, such as routing group connectors, so that administrators of other administrative groups do not have access to change the parameters on these connectors.
Exchange 2007 has addressed this requirement and others like it via the new administrator roles. Let us have a look at these new roles.
Exchange 2007 Administrator Roles
There are four different administrator roles that you can choose from in Exchange 2007. These are:
- Exchange Organization Administrators. This is the highest level to which you can assign a user or group and is synonymous with the Exchange Full Administrator role found in Exchange 2000 and Exchange 2003. For best practice security reasons, you should ensure that the number of users you assign to this role is minimal since they have rights to perform tasks across the entire Exchange organization.
- Exchange Recipient Administrators. Any user configured for this level of access has permissions to modify Exchange information on users, groups, contacts and public folders. Therefore, this role can be used for typical daily tasks such as creating and removing mailboxes and distribution groups.
- Exchange View-Only Administrators. As its name suggests, this roles gives read-only access to all global configuration data and Exchange recipients. Therefore, use of Exchange Management Shell (EMS) commands that retrieve information, such as Get-Mailbox, Get-MailboxDatabase and so on, require the Exchange View-Only Administrator role.
- Exchange Server Administrators. This role is a fundamental change over Exchange 2000 and Exchange 2003, since members of this role have permissions to administer one or more servers, but do not have any permissions over global configuration options. This gets around the problem of delegating access at administrative group level and the situation where an administrator may have access to servers that he or she should not have. Also, Exchange Server Administrators cannot uninstall an Exchange server; they can add and remove server roles, but they cannot remove the last server role and thus ultimately remove the Exchange server.
With the exception of the Exchange Server Administrators role, universal security groups for these roles are created in the Microsoft Exchange Security Groups Organizational Unit (OU) in the domain where the Exchange 2007 setup program was run with the /PrepareAD switch. These groups are shown in Figure 1.
Figure 1: Exchange Security Groups
Just a quick word here on the ‘ExchangeLegacyInterop’ group that you can see in Figure 1. This group contains Exchange 2000 or Exchange 2003 bridgehead servers, added when the routing group connector is created when the first Exchange 2007 Hub Transport server is installed into an existing Exchange 2000 or Exchange 2003 organization. This allows servers within the Exchange 2000 or Exchange 2003 organization to send and receive email with the Exchange 2007 servers. We will not be covering this group any further within this article, but I thought it useful to identify what this group is for.
What actually gets set during the /PrepareAD process? A lot of permissions are set at various levels and the Exchange 2007 help file covers these in detail. To give you an idea, let us look at some of the Exchange Organization Administrator role settings as an example. Using ADSIEdit, you can check the Security tab found on the properties of the Microsoft Exchange container to see what has been set. With ADSIEdit loaded and connected to the configuration naming context, expand the Configuration container and then the Services container. Right-click Microsoft Exchange and choose Properties from the context menu. Once the property window is open, choose the Security tab. Scroll down the list of group and user names until you find the Exchange Organization Administrators and notice that this role has full control over the Exchange organizational data. This is shown in Figure 2.
Figure 2: Exchange Organization Administrator Configuration Container Permissions
The Exchange Organization Administrator role is added as a member of the local Administrators group on the Exchange 2007 server once Exchange 2007 is actually installed. Also, the Exchange Organization Administrator role is given read access to all domain user containers in Active Directory via its membership of the Exchange Recipient Administrators role. With ADSIEdit connected to the domain naming context, right-click the relevant domain name and choose Properties from the context menu. Again, select the Security tab and scroll down until you find the Exchange Recipient Administrators role, where you will see that Read access has been granted. This is shown in Figure 3.
Figure 3: Exchange Recipient Administrator Domain Container Permissions
In Figure 4 below, the default administrative roles configured after Exchange 2007 have been set up. There are a couple of things to note. First, I have expanded the Identity column and removed the action pane for clarity. Second, I used the Administrator account to install Exchange and therefore this account has been delegated Exchange Organization Administrator role. You may remember that this is similar to Exchange 2003 where the account used to run the forestprep process was granted the Exchange Full Administrator role. Notice the Scope field and how it is always set to Organization wide. However, this is not the case for the Exchange Server Administrators group, as the scope varies depending upon which server or servers the administrator has access to. For example, in Figure 5 I have added User1 as an Exchange Server Administrator for the server named EXCHANGE; the scope field therefore reflects this. Note that User1 is also granted Exchange View-Only Administrator rights as part of this process.
Figure 4: Default Permissions
Figure 5: Exchange Server Administrator Scope
You can also use the Exchange Management Shell (EMS) to provide a list of Exchange administrators at any time. Using an account that has been delegated at least the Exchange View-Only Administrator role, the cmdlet to use is:
Get-ExchangeAdministrator
You may be wondering what error you actually get when you try to administer Exchange and you do not have the necessary rights. Consider Figure 6 below, which is seen when the user with Exchange View-Only Administrator rights attempts to add a new accepted domain within the EMC. The ‘Access is denied’ error is self-explanatory.
Figure 6: Insufficient Access Rights
Summary
In part one of this article, we have looked at the basics of what the Exchange administrator permissions roles are in Exchange 2007 and highlighted what they do. In part two, we will look at adding and removing administrators to these roles both via the EMC and the EMS and also look at a couple of common permissions-related tasks that Exchange administrators have to perform.
If you would like to read the next article in this series please go to: Exchange 2007 Permissions and Roles (Part 2)
