Microsoft improved management functionality in Exchange 2010 SP1 with new tools and several helpful administrative features in the Exchange Control Panel, including role based access controls, mailbox auditing and mobile device management.
If you aren’t taking advantage of the new Exchange Control Panel (ECP) features in Exchange 2010 Service Pack 1 (SP1) yet, here are five important capabilities to get you started:
1. RBAC management. Role-based access control (RBAC) is a major improvement in how permissions work in Exchange 2010. Until the SP1 release, most of this work had to be performed from the Exchange Management Shell (EMS), and many administrators resisted creating custom management role groups via PowerShell scripting because it is an arduous process.
In Exchange 2010 SP1 you can create and administer management role groups right from the ECP. You can also create management roles and management role assignment policies from there.
Since the ECP is browser agnostic, you don’t have to use Internet Explorer. Open your favorite browser and use the same URL that you would use for OWA, but substitute ECP at the end of the URL, in place of OWA. For example, instead of using https://romac-ex5.romacsign.com/owa, I use https://romac-ex5.romacsign.com/ecp.
Once the page loads, navigate to Roles & Auditing, then select Administrator Roles. Click New to create a custom management role group. As you can see in Figure 1, I've created a new role group called Super Help Desk. I've assigned Super Help Desk four roles that its members can perform: Mail Recipients, Mail Recipient Creation, User Options and View-Only Recipients. You can also view the members of the new role group and manage existing role groups from the ECP.
Figure 1. You can now easily create custom role groups and assign roles from the Exchange Control Panel.
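For comparison, the same Super Help Desk role group can be built and then reviewed from the Exchange Management Shell. This is an added example, not part of the original article; the member account `helpdesk.user1` and the description text are placeholders.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010 SP1.
# 'helpdesk.user1' is a placeholder account, not taken from the article.
$groupName = 'Super Help Desk'
$roles = 'Mail Recipients', 'Mail Recipient Creation', 'User Options', 'View-Only Recipients'

# Create the role group with the four roles named in the article.
New-RoleGroup -Name $groupName -Roles $roles -Description 'Custom help desk role group'

# Add a member to the new role group.
Add-RoleGroupMember -Identity $groupName -Member 'helpdesk.user1'

# Confirm which role assignments exist for the group and the write scope of each.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Least-privilege review: list every cmdlet the four roles allow members to run.
$entries = foreach ($role in $roles) {
    Get-ManagementRoleEntry "$role\*" | Select-Object Role, Name
}
$entries | Sort-Object Role, Name | Format-Table -AutoSize

# Highlight entries that change permissions, which deserve a closer look
# before the group is handed to help desk staff.
$entries | Where-Object { $_.Name -like '*Permission*' } | Format-Table -AutoSize

# Confirm current membership.
Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType -AutoSize
```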
2. Litigation hold. Another handy function that can be performed from the ECP in Exchange 2010 SP1 is the ability to enable and disable litigation hold. Navigate to Users & Groups, select a user then click the Details button. In the Mailbox Features section for the user, you can enable (or disable) litigation hold, as shown in Figure 2.
Figure 2. You can now enable or disable Litigation Hold from the Exchange Control Panel.
You can also find out which fellow admin placed a mailbox on litigation hold. To do so, navigate to Roles & Auditing, then to the Auditing tab. Select Run a litigation hold report to view who issued a litigation hold, as shown in Figure 3.
3. Mailbox auditing. There are several new mailbox auditing capabilities in Exchange 2010 SP1 that are easily accessed from the ECP.
In addition to the Run a litigation hold report option, you can also:
- Run a non-owner mailbox access report.
- Run an administrator role group report.
- Export mailbox audit logs.
- Export the administrator audit log.
These capabilities significantly enhance an Exchange shop's ability to track who logs into mailboxes. They can also help you find out which actions a user took while logged on. This helps if you want to track who is accessing mailboxes other than the mailboxes' owners, such as when you've delegated mailbox rights to another user.
Note: Remember that this functionality can be used to view administrators' access to mailboxes as well. The following actions are examples of what can be logged:
- Mailbox access
- If an item from one folder has been copied or moved to another mailbox
- If an item is created in a mailbox, such as when a message is received or sent
- Item deletion, whether it is a hard or soft delete
- The opening or reading of an item
- Who is using Send As or Send on Behalf.
The ECP greatly reduces the amount of administrative effort necessary to collect this data.
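The ECP reports read from audit data that has to exist first: mailbox audit logging is off by default in Exchange 2010 SP1 and is enabled per mailbox. The following added example (not from the original article) enables it for one mailbox, then pulls the non-owner access and litigation hold information from the shell; the mailbox name and the auditor address are placeholders.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010 SP1.
# 'shared.finance' and 'auditor@example.com' are placeholders.
$mailbox = 'shared.finance'
$since   = (Get-Date).AddDays(-7)
$until   = Get-Date

# Enable audit logging for non-owner access (delegates and administrators).
# Copy and MessageBind can only be audited for the Admin logon type.
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
    -AuditAdmin Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, MessageBind, SendAs, SendOnBehalf

# Verify the settings took effect.
Get-Mailbox -Identity $mailbox | Format-List AuditEnabled, AuditDelegate, AuditAdmin, AuditLogAgeLimit

# Non-owner access during the last seven days, oldest entry first.
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate, Admin -ShowDetails `
    -StartDate $since -EndDate $until -ResultSize 1000 |
    Sort-Object LastAccessed |
    Format-Table LastAccessed, LogonType, LogonUserDisplayName, Operation, OperationResult, FolderPathName -AutoSize

# Export the same window; the results are mailed to the named recipient.
New-MailboxAuditLogSearch -Name "Non-owner access: $mailbox" -Mailboxes $mailbox `
    -LogonTypes Delegate, Admin -StartDate $since -EndDate $until `
    -StatusMailRecipients 'auditor@example.com'

# Litigation hold changes: who set or cleared the hold, and on which mailbox.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters LitigationHoldEnabled `
    -StartDate $since -EndDate $until |
    Format-Table RunDate, Caller, ObjectModified, Succeeded -AutoSize
```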
4. Mobile device management. There are a number of features in Exchange 2010 SP1 that help manage mobile devices from the ECP. In the section labeled Phone & Voice, you can see two tabs that pertain to mobile devices.
Navigate to the Device Access Rules section, then ActiveSync Access. Now select New to create a Device Access Rule. This essentially lets you create a rule for an entire device family or for a specific model. This rule is then rolled out to all users in your organization. For example, you can allow, block or quarantine a chosen device. As you can see in Figure 4, I've chosen to block the device family "iPhone."
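Because a device access rule applies to every user, it is worth listing the devices it will match before creating it. This added example (not from the original article) does that for the "iPhone" device family from the Exchange Management Shell and then creates the same block rule.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010 SP1.
$family = 'iPhone'

# Preview: existing device partnerships that the rule will match.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $family } |
    Sort-Object UserDisplayName |
    Format-Table UserDisplayName, DeviceModel, DeviceOS, DeviceAccessState -AutoSize

# Create the organization-wide rule for the device family.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString $family -AccessLevel Block

# Review all rules, plus the default that applies to devices matching no rule.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel
```

Using `-AccessLevel Quarantine` instead of `Block` holds matching devices for administrator review rather than rejecting them outright.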
You can also create and manage your Exchange ActiveSync policies from the ECP. In the Phone & Voice section, select Active Sync Device Policy and choose which options you would like the policy to control, as shown in Figure 5.
5. MailTips. Prior to Exchange 2010 SP1, MailTips could only be configured from the Exchange Management Shell and consequently, many organizations did not use them outside of the built-in MailTips. With MailTips included in the ECP of SP1, custom MailTips can now be quickly and accurately configured via a Web browser, as shown in Figure 6.
While you can create MailTips using ECP, creating custom MailTips via the EMS offers more functionality and control.
ABOUT THE AUTHOR
Richard Robb has been a respected technical trainer on Microsoft technologies for the past thirteen years. Rick has earned a number of technical certifications including Microsoft Certified Trainer (MCT), Microsoft Certified Systems Engineer (MCSE) on Windows Server 2003, 2000 and NT 4.0, Microsoft Certified Systems Administrator (MCSA) on Windows Server 2003 and 2000, Microsoft Certified Desktop Support Technician (MCDST), as well as Microsoft Certified IT Professional (MCITP) for Exchange 2010, Exchange 2007, as well as Windows Server 2008.
Rick has delivered Exchange Server 2010 classes to top Fortune 500 companies, leading colleges and universities, as well as many governmental agencies in the US and Canada.