
Evaluating and Recommending Active Directory Configuration
Split permissions are especially useful when you are thinking of separating the following
tasks from each other:
- User-related
- Contact-related
- Group or dynamic distribution list–related
- Recipient management for some or all the aforementioned tasks
As details of the split-permissions model go far beyond the scope of this book and the scope
of the exam, I will present just the basic concept so you understand what needs to be done.
Basically the split-permissions concept of Exchange Server 2007 is based on the following
two tasks:
- You assign the user or group the Exchange View-Only Administrators role.
- You assign the user or group specific Exchange-related permissions on the Active Directory
  objects (e.g., for all user objects of a specific organizational unit).
I call this concept “just the permissions needed,” so permission is granted only on specific
attributes. Using the Exchange Management Shell, you can use the Add-ADPermission
command to delegate just the right permissions.
The split-permissions model goes into more depth than just delegating full
control over an organizational unit. It’s about managing only the
Exchange-related attributes. Thus, an administrator with split permissions can create a
mailbox for a user, but is not able to reset the password for that user. That is
the key difference!
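The two tasks above, written out for the Exchange Management Shell as an added example (not taken from the book), followed by a check that the delegation did not end up broader than intended. The group CONTOSO\MailboxDelegates, the OU path, and the choice of attributes are assumptions made for illustration.

```powershell
# Added example. Hypothetical names: adjust the group and OU to your environment.
$delegate = 'CONTOSO\MailboxDelegates'
$ou       = 'OU=Sales,DC=contoso,DC=com'

# Task 1: read-only visibility into the Exchange organization.
Add-ExchangeAdministrator -Identity $delegate -Role ViewOnlyAdmin

# Task 2: read/write on Exchange-related attributes only, for user objects
# beneath the OU. The attribute selection is an illustrative subset (assumption).
$props = 'Exchange-Information', 'Exchange-Personal-Information',
         'legacyExchangeDN', 'displayName', 'showInAddressBook',
         'proxyAddresses', 'mail'

Add-ADPermission -Identity $ou -User $delegate `
    -AccessRights ReadProperty, WriteProperty `
    -Properties $props `
    -InheritanceType Descendents -InheritedObjectType User

# Review what the delegate now holds on the OU.
$aces = Get-ADPermission -Identity $ou -User $delegate
$aces | Format-List Identity, AccessRights, Properties, ExtendedRights, IsInherited, Deny

# Only property-level rights were granted above. Password reset is an extended
# right, so any allow entry carrying an extended right, full control, or
# ACL/owner write access is broader than "just the permissions needed".
$tooBroad = $aces | Where-Object {
    -not $_.Deny -and (
        $_.ExtendedRights -or
        ("$($_.AccessRights)" -match 'GenericAll|WriteDacl|WriteOwner')
    )
}

if ($tooBroad) {
    Write-Warning "Delegation for $delegate exceeds attribute-level rights:"
    $tooBroad | Format-List Identity, AccessRights, ExtendedRights, IsInherited
} else {
    Write-Host "Only attribute-level rights found for $delegate on $ou."
}
```

Entries reported with IsInherited set to True come from a parent container, so an overly broad grant found here may have to be corrected higher up in the directory tree.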
Server Provisioning
Besides the administrative roles, Exchange Server 2007 also supports server provisioning, or
delegation of the ability to install servers. Exchange administrators now have the flexibility of
a setup command to create the necessary server object within the configuration partition and
to delegate the permissions required to install the rest of the server to a user account.
To provision a server you first must create a computer account for the new Exchange server
(if it does not yet exist). Then log on to an existing Exchange server in your organization using
an account that is a member of the Exchange Organization Administrators group. In your
Exchange binary folder you must use the following command:
Exsetup /NewProvisionedServer:<FQDN of server name> /ServerAdmin:<domain\account>
Figure 1.2 shows an example of server provisioning that gives the user account ANDY the
permission to install the Exchange server EX99. Once the provisioning is finished, you can see the
provisioned server object in the EMC in Server Configuration. It appears with the server role
Provisioned.