The Active Directory domain user account really is the power position.
If you've performed a typical installation of Exchange Server 2003 or Exchange 2000, then at some point you will run into the problem of administering the Exchange organization.
That's because during a normal installation of Exchange Server 2003, the Active Directory domain user account that was used to perform the installation becomes the only account that has the required rights and permissions to completely administer the entire Exchange organization.
In a small organization with a single location and a few servers, this isn't a big problem -- until that administrator leaves the company. In larger organizations that have multiple, geographically dispersed locations and dozens or hundreds of servers, this is an issue. Fortunately, the Exchange Server team thought of this ahead of time and gave us the Exchange Administration Delegation Wizard.
To launch the Exchange Administration Delegation Wizard, simply right-click on either the Exchange root or a specific administrative group and select the Delegate control option, then follow the easy-to-understand on-screen dialogs.
3 administrative levels
Within Exchange Server 2003, there are three levels of administrative responsibility that you can delegate to users or groups, although delegation to groups is by far the preferred method of delegation. These three levels are the following:
- Exchange full administrator. Users with this level of administrative control can administer the entire Exchange organization, including configuration and object permissions. Typically, only a small number of administrators will have complete control over the Exchange organization, perhaps one per geographical location and only for the servers located at their location.
- Exchange administrator. Users with this level of administrative control can administer the entire Exchange organization, including configuration, but cannot modify object permissions. Users with this level of administrative access can perform almost all of the day-to-day tasks required to manage and maintain an Exchange organization.
- Exchange "view only" administrator. Users with this level of administrative control have read-only access to the configuration of the Exchange organization. A typical case for granting it is support personnel who need to monitor an Exchange organization but who are not allowed to administer it. Also, to install BlackBerry Enterprise Server into your Exchange organization, you will need to grant the BESAdmin account this level of administrative access.
2 levels of delegation
You can opt to delegate administrative responsibility at two distinct levels in an Exchange organization: at the root of the organization itself and at each individual administrative group. With this knowledge in hand, you can now see the usefulness that administrative groups can provide a larger organization.
Any delegation that is performed at the root of the organization is automatically inherited by each administrative group within that organization. Any user granted permissions on the root of the Exchange organization will have those permissions maintained through all administrative groups.
Delegations performed on a specific administrative group are limited in scope to only the objects contained within that administrative group. In this way, you can grant an administrator in each administrative group the Exchange "full administrator" role if desired, thus allowing them to completely administer the servers within their administrative group and no others.
You might also want to limit their administrative ability by granting the administrators responsible for an administrative group only the Exchange administrator role, reserving the right to modify permissions for one or more administrators at the root of the Exchange organization.
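The two scopes described above (root delegations inherited by every administrative group, group delegations limited to their own group) can be modelled to audit who effectively holds which role where. The following is an added illustration, not Microsoft's code or anything the wizard produces; the organization, administrative group names and account names are constructed sample values.

```python
from dataclasses import dataclass, field

# Roles the Exchange Administration Delegation Wizard offers, ranked by
# authority so the highest applicable role can be chosen.
ROLE_RANK = {"View Only Administrator": 1, "Administrator": 2, "Full Administrator": 3}
ROOT = "<organization root>"  # constructed label for the Exchange organization root

@dataclass
class Delegation:
    principal: str  # user or group name (sample values below are constructed)
    role: str       # one of the ROLE_RANK keys
    scope: str      # ROOT or the name of an administrative group

@dataclass
class ExchangeOrg:
    admin_groups: list
    delegations: list = field(default_factory=list)

    def effective_role(self, principal, admin_group):
        """Highest role held on admin_group: root delegations are inherited by
        every administrative group, group delegations apply only to their own."""
        best = None
        for d in self.delegations:
            if d.principal == principal and d.scope in (ROOT, admin_group):
                if best is None or ROLE_RANK[d.role] > ROLE_RANK[best]:
                    best = d.role
        return best

    def root_full_admins(self):
        """Principals able to change permissions across the whole organization."""
        return sorted({d.principal for d in self.delegations
                       if d.scope == ROOT and d.role == "Full Administrator"})

    def lone_root_full_admin(self):
        """True when a single account is the only root Full Administrator."""
        return len(self.root_full_admins()) == 1

    def report(self):
        """Effective role of every delegated principal per administrative group."""
        principals = sorted({d.principal for d in self.delegations})
        return {g: {p: self.effective_role(p, g) for p in principals}
                for g in self.admin_groups}

# Constructed sample organization with two administrative groups.
org = ExchangeOrg(admin_groups=["Europe", "Americas"])
org.delegations += [
    Delegation("InstallAccount", "Full Administrator", ROOT),    # account that ran setup
    Delegation("Exchange Admins", "Administrator", ROOT),        # day-to-day group
    Delegation("Europe Admins", "Full Administrator", "Europe"), # scoped to one group
    Delegation("BESAdmin", "View Only Administrator", ROOT),     # as required for BES
]
```

`org.lone_root_full_admin()` returning True is the situation a default installation leaves behind: one account is the only principal that can change permissions anywhere in the organization.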
I can think of several reasons why you must consider delegating administrative responsibility over your Exchange organization. Aside from the most obvious one that only the domain user account used to perform the initial installation is granted the Exchange Full Administrator role, consider the following:
- Easier auditing of individual administrators' actions
- Granular assignment of permissions based on role and need
- No sharing of administrative credentials
If you use the Exchange Administration Delegation Wizard, you can delegate administrative responsibility to your Exchange organization in an intelligent and useful manner.
Will Schmied, BSET, MCSE, MCSA, is a systems engineer for a Fortune 500 shipping and transportation company. As a freelance writer, he has written for Microsoft, Pearson, Sybex, Syngress, TechTarget, CNET, msexchange.org and several other organizations. Schmied has also worked with Microsoft in the MCSE exam-development process. You can visit his MCSE certification portal, www.mcseworld.com.