Gerod Serafin's WebLog

Helping to keep large organizations' e-mail running

Part 1 - I used to do it this way… Now how do I do it? Administering Exchange 2003 vs. Exchange 2007


A while ago I ran across an article by Andrea Fowler on TechNet entitled: Then and Now: Comparing Management Tasks in Exchange Server 2003 and Exchange Server 2007.

This led to me creating a presentation for my customer on this. Normally a lot of the work that I have done for my customers ends up here on this blog. I took a break from posting here because the cool stuff that I wanted to post here was not public yet and required too much effort to decide what could and couldn’t be shared. But this is all public information so let's get started…

Delegating Server Administration

In Exchange 2003, you used the Exchange Administration Delegation wizard to grant administrative permissions to a user or group.

The old way was from the ESM (Exchange System Manager), where you had 3 options: Exchange Full Administrator, Exchange Administrator, and Exchange View Only Administrator.

Exchange 2007 provides the ability for Exchange administrators to delegate administrative and management responsibility for a server to an individual or group of individuals when it operates in a distributed operations management scenario.

You can do it from the EMC (Exchange Management Console), or you can do it from the EMS (Exchange Management Shell) using Add-ExchangeAdministrator:

    Add-ExchangeAdministrator -Identity <SecurityPrincipalIdParameter> -Role <OrgAdmin | RecipientAdmin | ServerAdmin | ViewOnlyAdmin | PublicFolderAdmin> [-Scope <String>]

For example, you can give the user with the alias JSnake the role of Exchange Server Administrator on the server TestHub01.
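The delegation described above, written out as commands. This is an added example, not the post's original screenshot or the author's own code. It assumes an Exchange Management Shell session in an Exchange 2007 organization; JSnake and TestHub01 are the names from the post, and the review queries after the grant go beyond the post's single command.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2007).
# JSnake and TestHub01 are the alias and server named in the post.
$user   = 'JSnake'
$server = 'TestHub01'

# Grant the server-level role. -Scope confines the grant to this one server
# instead of the whole Exchange organization.
Add-ExchangeAdministrator -Identity $user -Role ServerAdmin -Scope $server

# Confirm the grant landed with the intended role and scope.
# Assumption: Scope holds the server name that was passed to -Scope.
Get-ExchangeAdministrator |
    Where-Object { $_.Role -eq 'ServerAdmin' -and $_.Scope -eq $server } |
    Format-Table Identity, Role, Scope -AutoSize

# Least-privilege review: list every delegation grouped by role, so
# organization-wide grants (OrgAdmin) stand out from server-scoped ones.
Get-ExchangeAdministrator |
    Sort-Object Role |
    Format-Table Identity, Scope -GroupBy Role -AutoSize

# Count holders per role; a growing OrgAdmin count is worth a second look.
Get-ExchangeAdministrator | Group-Object Role | Select-Object Name, Count
```

For the ServerAdmin role, the Exchange 2007 documentation also calls for adding the user to the local Administrators group on the target server to complete the delegation.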

 

Whoa…  5 choices for administrator roles?  Cool.  What do they mean?

The Exchange Organization Administrators role has the highest level of permissions in the Exchange organization. All tasks that affect your whole Exchange organization will require membership in this group. Examples of tasks that require Exchange Organization Administrator permissions include creating or deleting connectors, changing server policies, and changing any global configuration settings.

Users who are members of the Exchange Recipient Administrators role will not have permissions to domains where Setup /PrepareDomain has not been run. When you add a new Exchange domain, make sure that you run Setup /PrepareDomain in the new domain to grant permissions to the Exchange administrator roles in that domain.

The Exchange Server Administrators role has access to only local server Exchange configuration data, either in the Active Directory or on the physical computer on which Exchange 2007 is installed. Users who are members of the Exchange Server Administrators role have permissions to administer a particular server, but do not have permissions to perform operations that have global impact in the Exchange organization.

The Exchange View-Only Administrators role has read-only access to the whole Exchange organization tree in the Active Directory configuration container, and read-only access to all the Windows domain containers that have Exchange recipients.

The Exchange Public Folder Administrators role has administrative permissions to manage all the public folders. This administrator role is granted the "Create top level public folder" extended right. Members of this role can create and delete public folders, and manage public folder settings such as replicas, quotas, age limits, administrative permissions, and client permissions. This administrator role can mail-enable public folders, but it cannot modify mail recipient-related properties on public folders, such as proxy addresses. That capability requires membership in the Exchange Recipient Administrators role.

[Table (an image in the original post): the different roles, the members of each, and their permissions.]

Next: Part 2 – Synchronizing Public Folder hierarchy replication in 2003 vs. 2007
