Wednesday, 30 July 2014

Various Permission Considerations in Exchange while planning Active Directory:

In my last article I discussed how to manage storage groups in Exchange 2007.

While creating a new storage group, your Exchange account must be delegated the Exchange Server Administrator role and be a member of the local Administrators group on the target server. There are several other permission considerations for the target server, which I am going to discuss in this article.

The organization's administrative model plays a very important role when the organization is planning to integrate Exchange 2007 into its Active Directory service structure. The administrative model, roles, permissions, the flexibility of permission configuration, attributes and so on must all be taken into consideration.

In Exchange 2007 you can assign the desired administrative roles and permissions. An Exchange admin has the following capabilities:

•    He can work with Microsoft Windows Server 2003 as well as Exchange.

•    He can organize roles and split permissions between Exchange administrators and Windows administrators. The Windows and Exchange Server administrator roles can be isolated by using an Exchange resource forest.

The Exchange and Active Directory Split Permissions Model:

If there are multiple administrators in your organization, the Exchange Server split permissions model comes into play. Using this model, specific permissions can be granted to various administrators.
The security model in Exchange 2007 is different from Exchange 2003. They vary from each other in the following aspects.
Property set: A property set groups together a set of Active Directory attributes. Access to the whole property set can be controlled with a single access control entry (ACE); you do not need to set a permission on each property, just on the set. E-mail Information is the property set that groups the Exchange recipient attributes together.

Exchange 2003 Security and Permissions Model:

Using the Exchange 2003 Administrative Delegation Wizard, permissions and roles can be controlled at the organization or administrative group level. You simply choose the predefined security roles and permissions in the Delegation Wizard. The wizard offers the following predefined standardized roles: Exchange Full Administrator, Exchange Administrator and Exchange View Only Administrator.

Exchange 2007 Security and Permissions Model:

There were some flaws in the security and permissions model in Exchange 2003. For example, security and permissions cannot be managed at the individual server level in Exchange 2003, and high-level permissions must be given to an Exchange admin who only needs to perform Exchange recipient-related tasks.
For better management of security groups, some improvements have been made to the security model in Exchange 2007:
•    New administrator roles have been added.
•    You can easily view, add and remove members of any administrator role using the Exchange Management Shell.

Administrator Roles in Exchange 2007:

The Exchange 2007 security model contains various predefined groups such as Exchange Organization Administrators, Exchange Recipient Administrators, Exchange View-Only Administrators and Exchange Public Folder Administrators. These roles let a user manage Exchange configuration data (i.e. global data, recipient data and server data).
During the organization-preparation phase of Exchange Setup, when Setup /PrepareAD is run, these security roles are created in the Exchange security groups organizational unit (OU) of the same domain. Whenever a user is added to an administrator role, the role's permissions are automatically inherited by that user.
These roles are capable of managing the following three types of data:

•    Global Data: the data related to the whole organization and all users within it. Access permissions to global data must be given only to trusted users; otherwise a wrong change or data operation will affect the whole organization. Global data also includes the user mailbox policies, address lists and Exchange Unified Messaging configuration.
•    Recipient Data: the data related to Exchange recipients (i.e. the Active Directory user objects that can send or receive e-mail messages), such as mailboxes, contacts and groups.
•    Server Data: the information and metadata related to mailboxes, storage groups, connectors, virtual directories and so on.

Exchange Organization Administrators Role:

This role is used to grant permissions and roles to administrators. A member of this role is given complete access to Exchange properties and objects.
The Exchange Organization Administrators role group is created when Setup /PrepareAD is run during Exchange setup. Members of this group can perform various tasks in the Exchange organization, including creating and deleting connectors and setting server policies and global configuration attributes.
When a user is added to the group, he is automatically given the following permissions:
•    He can access the Exchange organization data in AD and the local Exchange server Administrators group data.
•    He is given Read permission to all domain user containers and Write access to all Exchange-specific attributes in AD.
•    He has full access to the local server configuration data.
Exchange Recipient Administrators Role:

A member of the Exchange Recipient Administrators role can modify AD objects and attributes and can manage all settings related to Unified Messaging mailboxes and Client Access mailboxes. He can make changes to AD users, dynamic distribution lists and public folder objects. But he cannot access a domain where Setup /PrepareDomain has not been run, so to grant Exchange administrator roles in any Exchange domain, Setup /PrepareDomain must be run there first.
Permissions given to a member of the Exchange Recipient Administrators role are:
•    He is given Read access to all domain user containers and Write access to all Exchange-specific attributes in AD.
•    Membership in the Exchange View-Only Administrators role.
Exchange Server Administrators Role:

A member of the Exchange Server Administrators role administers a particular server and can only access the local server's Exchange configuration data. He cannot access or modify the global data of the Exchange organization.
The following permissions are assigned to a member of the Exchange Server Administrators role:
•    He can perform operations on the local server configuration data.
•    He is given full Administrator rights on the local computer on which Exchange is installed.
•    He has the permissions of a member of the Exchange View-Only Administrators role, i.e. read-only access to the whole Exchange organization tree in AD and the Windows domain containers.
Exchange Public Folder Administrators Role:

The Exchange Public Folder Administrators role was introduced in Exchange 2007 Service Pack 1 (SP1).
A member of the Exchange Public Folder Administrators role has the following permissions:
•    He has permission to access public folders and can create and delete them.
•    He has the permissions needed to manage or modify public folder settings. With these rights he can easily manage replicas, quotas, age limits and so on. He is also able to manage the public folder administrative and client permissions.
•    A member of the Exchange Public Folder Administrators role has rights to mail-enable public folders. If he needs to change mail recipient-related attributes (such as proxy addresses), he must also be a member of the Exchange Recipient Administrators role.
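As an added example (not a script from the article), the following Exchange Management Shell commands delegate the least-privileged role that fits each task from the roles described above, and then audit the result with Get-ExchangeAdministrator. The account, group and server names are placeholders, and the comparison on Identity.Name is an assumption about the cmdlet's output.

```powershell
# Added example, not the article's own script: least-privilege Exchange 2007
# role delegation followed by an audit. All names below are placeholders.

# ServerAdmin scoped to a single server: the account can change that server's
# configuration but cannot touch the organization's global data.
Add-ExchangeAdministrator -Identity "CONTOSO\mbx01-ops" -Role ServerAdmin -Scope "MBX01"

# PublicFolderAdmin (SP1 role) for the public folder team. Editing proxy
# addresses on a mail-enabled folder also needs RecipientAdmin, so grant that
# separately and only to the account that actually needs it.
Add-ExchangeAdministrator -Identity "CONTOSO\pf-team" -Role PublicFolderAdmin
Add-ExchangeAdministrator -Identity "CONTOSO\pf-mail-enable" -Role RecipientAdmin

# Audit: every delegation, grouped by role, with the scope where one applies.
Get-ExchangeAdministrator |
    Sort-Object Role, Identity |
    Format-Table Identity, Role, Scope -AutoSize

# OrgAdmin gives full control over global data, so compare its holders with an
# approved list (assumption: Identity.Name carries the account or group name).
$approvedOrgAdmins = @("Exchange Org Admins")   # placeholder group name
$unexpected = Get-ExchangeAdministrator |
    Where-Object { $_.Role -eq "OrgAdmin" -and ($approvedOrgAdmins -notcontains $_.Identity.Name) }
if ($unexpected) {
    $names = ($unexpected | ForEach-Object { $_.Identity.Name }) -join ", "
    Write-Warning "Unapproved OrgAdmin delegations: $names"
}

# Removing a delegation uses the same role and scope it was granted with.
# Remove-ExchangeAdministrator -Identity "CONTOSO\mbx01-ops" -Role ServerAdmin -Scope "MBX01"
```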
Address Book Attributes:

There are many Exchange data attributes, and other attributes belonging to applications that use Exchange data, which cannot be stored in the Exchange-specific property sets; you need to create a separate property set to carry them. It is not always mandatory for these attributes to be added to a property set.
These attributes are presented to end users through the Outlook GAL. If an administrator needs to modify these address book attributes, he must either be a member of a privileged domain security group or be given read/write permissions by the AD admin.
Examples of some common address book attributes are:
•    givenName, initials, sn, info and streetAddress, which apply to the 'User' and 'Contact' objects.
•    telephoneAssistant, which applies to the 'Contact' object.
•    managedBy and info, which apply to the 'Group' object.
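Added example, not from the article: instead of placing an address book editor in a privileged domain group, the following script grants read/write on just the attributes listed above, for user and contact objects under a single OU, and then shows the resulting ACEs. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later); the group name AddressBookEditors and the OU path are placeholders.

```powershell
# Added example (not the article's code): attribute-level delegation for the
# address book attributes named in the article. Group and OU are placeholders.
Import-Module ActiveDirectory

$targetOu = "OU=Staff,DC=contoso,DC=com"            # placeholder OU
$groupSid = (Get-ADGroup "AddressBookEditors").SID   # placeholder group
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# A per-attribute ACE needs the attribute's schemaIDGUID, and limiting it to one
# object class needs that class's schemaIDGUID; both live in the schema partition.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return New-Object System.Guid (,$obj.schemaIDGUID)
}

# Attribute -> object classes it applies to, as listed in the article.
$delegations = @{
    "givenName"          = @("user", "contact")
    "sn"                 = @("user", "contact")
    "streetAddress"      = @("user", "contact")
    "telephoneAssistant" = @("contact")
}

$rights  = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$targetOu"
foreach ($attr in $delegations.Keys) {
    $attrGuid = Get-SchemaGuid $attr
    foreach ($class in $delegations[$attr]) {
        $classGuid = Get-SchemaGuid $class
        # One ACE per (attribute, class): read/write on that attribute only,
        # inherited by objects of that class below the OU.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList @($groupSid, $rights, $allow, $attrGuid, $inherit, $classGuid)
        $acl.AddAccessRule($rule)
    }
}
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Verify: show only the ACEs held by the delegated group.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -like "*\AddressBookEditors" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```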

Read my upcoming article to learn more about delegating permissions and Exchange administrative roles.

