• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft Exchange Articles
• Planning an Exchange Server 2003 Infrastructure
• Backing up the Exchange Server 2003 Environment
• Configuring and Maintaining Exchange Server 2003 Virtual Servers
• Configuring Exchange Server 2003 Administrative Permissions
• Creating and Managing Public Folders
• Disabling Services and Protocol Logging on Exchange 2003 Servers
• Exchange Server 2003 Data Storage and Management
• Exchange Server 2003 Maintenance and Management Activities
• Exchange Server 2003 Overview
• Exchange Server 2003 Virtual Servers
• Implementing Exchange Server 2003 Security to Secure Mailboxes
• Installing Exchange Server 2003
• Installing Exchange Server 2003 Clusters
• Managing Exchange Server 2003 Mailboxes
• Managing Exchange Server Connectivity across Firewalls
• Managing the Exchange of Business Documents
• Migrating from Exchange 2000 to Exchange Server 2003
• Migrating from Exchange 5.5 to Exchange Server 2003
• Monitoring Exchange Server 2003
• Protecting Exchange Server 2003 against Computer Viruses
• Restoring Exchange Server 2003
• Securing Exchange Server 2003 through Digital Signatures and Encryption
• Troubleshooting Exchange Server 2003
• Configuring and Managing SMTP transport
• Understanding Microsoft Outlook
• Understanding Outlook Web Access Client
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Configuring Exchange Server 2003 Administrative Permissions

Understanding Exchange Server 2003 Administrative Groups

With Exchange Server 2003, an administrative group is a collection of Exchange Server 2003 objects. Here, Exchange Server 2003 objects are grouped for the intent of delegating permissions and managing permissions.

An administrative group can be created to support different administrative models:

• Centralized
• Decentralized
• Mixed administrative model

The Exchange Server 2003 objects that can exist in an administrative group are listed here:

• System policy objects
• Server objects
• Public folder tree objects
• Routing group objects

When you install an Exchange Server 2003 organization, the new Exchange Server 2003 organization operates in Mixed Mode. This is the default configuration.

The main characteristics of Mixed Mode are listed here:

• Any Exchange 5.5 sites are mapped to Administrative Groups.
• Administrative Groups features are not supported when running in Mixed Mode.
• You cannot move Exchange mailboxes between Administrative Groups.
• Routing Groups contain only the server installed in the Administrative Group.

Exchange Server 2003 Native Mode has the characteristics listed here:

• You can move Exchange mailboxes between Administrative Groups.
• You can also move servers between Routing Groups.
• Routing Groups can contain servers from different Administrative Groups.
• The default enabled routing protocol is SMTP.

Exchange administrative permissions allow administrators to perform Exchange Server 2003 administrative tasks. You can delegate control over an Administrative Group through the Exchange Administration Delegation Wizard.

The different permissions which you can define to delegate control over an Administrative Group are:

• Exchange View Only Administrator; allows the viewing of Exchange objects but not the modification of Exchange objects.
• Exchange Full Administrator; enables the individual to fully administer Exchange system objects and Exchange permissions.
• Exchange Administrator; enables the individual to only fully administer Exchange system information.

To use the Exchange Administration Delegation Wizard, you need the Exchange Full Administrator permissions at the organization level.

How to enable viewing of administrative groups

1. Click Start, All Programs, Microsoft Exchange, and then select Exchange System Manager.
2. Right-click the Exchange organization and the select Properties from the shortcut menu.
3. When the Exchange organization Properties dialog box opens, select the Display Administrative Groups checkbox on the General tab.
4. Click OK.

How to create an administrative group

1. Open Exchange System Manager.
2. In the left pane, right-click Administrative Groups and select New and then Administrative Group from the shortcut menu.
3. Provide a name for the Administrative Group.
4. Click OK.
5. In the console tree, right-click the administrative group that you created and select New and then System Policy Container from the shortcut menu.
6. Expand the administrative group and check that the System Policies container was created.
7. In the console tree, right-click the System Policies container and select New and then Mailbox Store Policy from the shortcut menu.
8. The New Policy dialog box opens.
9. Proceed to enable each Property page and click OK.
10. Provide name for the new policy.
11. Configure the Properties box tabs.
12. Click OK.
13. Create a Public Store policy.
14. Create the Server policy

How to delegate control over an administrative group

1. Open the Exchange Systems Manager.
2. Navigate to the Administrative Group folder and expand it.
3. Select the administrative group that you want to delegate control of.
4. Click the Action menu and select the Delegate Control option.
5. The Exchange Administration Delegation Wizard initiates.
6. Click Next on the Welcome to the Exchange Administration Delegation Wizard screen.
7. Click Add.
8. The Delegate Control dialog box opens.
9. Click Browse
10. When the Select Users, Computers Or Groups dialog box opens, enter the name of the user and then click Check Names. Click OK.
11. In the Role box of the Delegate Control dialog box open, select the Exchange role which should be assigned. Click OK.
12. Click Next
13. Click Finish.
14. Click OK to the warning displayed in the Exchange System Manager dialog box.
15. Click Start, Administrative Tools and then click Active Directory Users And Computers.
16. When the Active Directory Users And Computers management console opens, expand the domain name and then select Users.
17. Right-click the user name that you previously specified and then select Properties on the shortcut menu.
18. When the User Properties dialog box opens, click the Member Of tab.
19. Click the Add button.
20. The Select Groups dialog box opens.
21. Enter the appropriate information and then click Check Names. Click OK.
22. Click OK in the User Properties dialog box.

How to configure advanced security permissions

1. Open the Registry Editor on the Exchange server.
2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Exchange registry key and expand Exchange.
3. Right-click EXAdmin and click New and then DWORD Value.
4. Set the New Value #1 to ShowSecurityPage. Press Enter.
5. Double-click ShowSecurityPage.
6. In the Edit DWORD Value dialog box enter 1 in the Value Data box and then click OK.
7. Close the Registry Editor on the Exchange server.
8. Click Start, Run and then enter mmc. Click OK.
9. Click the File menu item and then click Add/Remove Snap-In.
10. When the Add/Remove Snap-In dialog box opens, click the Add button.
11. The Add Standalone Snap-In dialog box opens.
12. Click ADSI Edit.
13. Click Add and click Close.
14. Click OK in the Add Standalone Snap-In dialog box.
15. Right-click ADSI Edit and then select Connect To on the shortcut menu.
16. The Connection Settings dialog box opens.
17. In the Select A Well Known Naming Context box, select Configuration.
18. Click OK.
19. Right-click CN=Administrative Groups and select Properties on the shortcut menu.
20. Click Add on the Security tab.
21. Enter the user name in the Select Users, Computers, Or Groups dialog box.
22. Click OK.
23. Click Advanced on the CN=Administrative Groups Properties dialog box.
24. The Advanced Security Settings For Administrative Groups dialog box opens.
25. In the Permission Entries list, select the user name and click Edit.
26. The Permission Entry For Administrative Groups dialog box opens.
27. Select the This Object And All Child Objects option in the Apply Onto drop-down list and then click OK.
28. On the Advanced Security Settings For Administrative Groups dialog box, uncheck the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With All Entries Explicitly Defined Here checkbox.
29. Click OK.
30. Click OK in the CN=Administrative Groups Properties dialog box.

Bookmark Configuring Exchange Server 2003 Administrative Permissions

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum