Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.
If you need some help managing Exchange, but you have reservations about giving someone else complete control over your Exchange organization, you will be happy to know that there are a number of ways in which Exchange allows you to limit the scope of another administrator's power.
First, Exchange lets you decide at what level within the organization you want to grant administrative authority. You have two different choices: organization level permissions or administrative group level permissions.
Organization level permissions allow control over the entire Exchange organization. Depending on the permissions you actually assign, a person might not have full control, but he will have some level of control over your entire Exchange organization.
If you don't want another administrator to have quite that much power, you can assign him permissions at the administrative group level. In Exchange Server 2003, an administrative group can contain servers (and their corresponding databases and other resources), system policies, routing groups and folders. If you prefer this option, just create a new administrative group, give the administrator in question access to that group, and then move the necessary resources into it.
To give an administrator either type of Exchange permissions, right click on either the organization or the administrative group and select the Delegate Control command. Exchange System Manager (ESM) will launch a wizard, which will walk you through how to delegate control to either a user or group (groups are usually preferred over individual users).
After you specify the user or group, the wizard will ask you what kind of permissions you want to grant the new administrator.
Permissions within Exchange are a little bit different than Windows permissions that you might be used to. Rather than having choices such as read, write, delete and modify, you have Exchange View Only Administrator, Exchange Administrator and Exchange Full Administrator.
I like to think of the Exchange View Only Administrator permission as training mode. Someone with Exchange View Only Administrator permissions can see all the Exchange objects in the area over which they have authority and how they're configured -- but can't make any changes.
For example, if you hire a new staff member who is a Windows server expert, but has never touched Exchange before, you wouldn't want to just turn him loose on Exchange with full permissions right away. If you give him Exchange View Only Administrator permissions, he can explore ESM and learn how Exchange works, without you having to worry about anything getting broken.
The Exchange Administrator and Exchange Full Administrator permissions are similar to each other. Both give full control over the delegated area. The difference is that someone with Exchange Full Administrator permissions has the right to delegate administrative access to other people; someone with Exchange Administrator permissions does not. But, an Exchange Full Administrator can only delegate control over the area that he himself has been given control over.
If you are thinking of delegating Exchange Administrator or Exchange Full Administrator permissions to someone, keep in mind that Windows-level permissions are not automatically assigned. The easiest way to accomplish this task is to create a domain-level group called Exchange Admins. You can then make the Exchange Admins group a member of each Exchange server's local Administrators group. That way, you can add or remove Exchange administrators from one single group, rather than having to set a user up as an administrator on each individual server.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
Do you have comments on this tip? Let us know.
Related information from SearchExchange.com: