Chapter 1
Designing and Planning Messaging Services
Exchange View-Only Administrators
As an Exchange View-Only Administrator, you receive read-only access to the Exchange
organization and to all Windows domains that contain Exchange recipients. You can assign
this role to people who need to look at the Exchange configuration (for example, to see
connector settings) but who don't make changes.
You receive the following permissions when you're part of this role:
- Read permission to the Exchange organization tree in the configuration partition of Active Directory
- Read access to all domains that have been prepared for Exchange
Exchange Server Administrators
The Exchange Server Administrators role was designed to delegate access for one or more servers
to either a security group or a user. Exchange Server Administrators can administer one or more
particular Exchange server(s), but they cannot change anything of global impact to the Exchange
organization. For example, they can manage storage groups or databases on their server(s), but
they cannot move mailboxes to a server they don’t have permission on.
This is the only administrative role whose scope can be set on one or more
Exchange servers. All other roles are organization-wide!
You receive the following permissions when you're part of this role:
- Owner permissions on server object(s) within the configuration partition
- Local Administrator on the Exchange server(s)
- Membership in Exchange View-Only Administrators, so you can view the complete Exchange configuration
You can delegate this role to users and global or universal security groups,
but not to domain local groups.
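The delegation and scope rules above, shown as Exchange Management Shell commands. This is an added example, not from the book; the group name CONTOSO\Munich-Exchange-Admins and the server name MUC-EX01 are placeholders.

```powershell
# Exchange Management Shell (Exchange Server 2007).
# Placeholder names, not from the book: CONTOSO\Munich-Exchange-Admins, MUC-EX01.
$group  = 'CONTOSO\Munich-Exchange-Admins'   # must be a global or universal security group
$server = 'MUC-EX01'

# Delegate the only server-scoped role to the group, limited to one server.
Add-ExchangeAdministrator -Identity $group -Role ServerAdmin -Scope $server

# Review every delegation: who holds which role, and at what scope.
$delegations = Get-ExchangeAdministrator

# Organization-wide roles: each holder can read or change settings
# across the whole Exchange organization, so keep this list short.
$delegations | Where-Object { $_.Role -ne 'ServerAdmin' } |
    Sort-Object Role, Identity |
    Format-Table Role, Identity -AutoSize

# Server-scoped delegations, grouped per server to show who administers each one.
$delegations | Where-Object { $_.Role -eq 'ServerAdmin' } |
    Group-Object Scope |
    ForEach-Object {
        $server  = $_.Name
        $holders = @($_.Group | ForEach-Object { "$($_.Identity)" })
        "{0}: {1}" -f $server, [string]::Join(', ', $holders)
    }
```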
The Split-Permissions Model
Some organizations, especially complex and geographically dispersed ones, may find that
the standard Exchange administrative roles do not fit their security model.
For example, suppose an administrator of a location in Germany needs to manage his
mailboxes. Being part of the Exchange Recipient Administrators group grants him full permissions
on all user objects in all domains, whereas he manages only a single OU in one domain of a
complex forest. In this case, a more granular split-permissions model needs to be implemented to
address this incongruity.