larger organizations it is rare for a single person to manage the entire Exchange organization. Typically there are multiple administrators, each of whom performs specific tasks. In Exchange Server 2007, Microsoft acknowledged this separation of duties by providing four separate administrative roles:

Exchange Organization Administrators – This role allows for full administrative control over the entire Exchange organization.

Exchange Recipient Administrators – The Exchange Recipient Administrators role allows for the creation, modification, and removal of mailboxes and distribution groups.

Exchange View Only Administrators – This role is used primarily for training new Exchange administrators. It allows the administrator to view all of the information that can be displayed through the Exchange Management Console or the Exchange Management Shell, but does not allow changes to be made.

Exchange Server Administrators – Administrators who have been assigned this role can manage Exchange at the server level, but not at the organization level.

Although these roles were helpful in that they allowed separation of duties, they ultimately proved to be insufficient for many organizations because they did not allow for granular control of permissions. As such, Microsoft decided to use a new administrative permission model in Exchange Server 2010 called Role Based Access Control.

The primary administrative control used by Role Based Access Control is the Management Role Group. Management role groups are similar to the Exchange 2007 administrative roles discussed earlier in that you can assign an administrator to a management role group as a way of controlling what that administrator is able to do. Whereas Exchange 2007 had only four administrative roles, however, Exchange Server 2010 includes eleven built-in management role groups:

Delegated Setup – Members of this management role group are allowed to set up new Exchange Servers, but are not allowed to manage those servers.

Discovery Management – Administrators who have been assigned the Discovery Management role are allowed to perform E-discovery via multi-mailbox searches.

Help Desk – Members of the Help Desk role group are able to modify user attributes such as their address and phone number.

Hygiene Management – The Hygiene Management role group allows administrators to manage antivirus and anti-spam settings.

Organization Management – This role group provides full administrative control over the entire organization.

Public Folder Management – Membership in this role group gives administrators the ability to manage public folders.

Recipient Management – Members of the Recipient Management group can create and modify recipients.

Server Management – The Server Management group gives administrators the ability to manage individual Exchange Servers throughout the organization, but not to make organizational level configuration changes.

Records Management – The Records Management role group allows administrators to perform functions related to compliance. Members can manage things like transport rules and message classifications.

UM Management – This role group allows the administrator to manage unified messaging.

View-Only Organization Management – This role group is used for trainees. It allows them to view organization level configuration information, but they are not allowed to make any changes.

As you can see, management role groups allow for much greater granularity of control than was possible in Exchange Server 2007. In addition, it is possible to create custom management role groups or to modify the built-in management role groups.

Administrators can access the role based access control settings through the Exchange Control Panel. After logging into OWA, choose All Options from the Options drop down list. On the following screen, choose the Manage My Organization option from the Options drop down in the upper left corner of the browser window. Finally, choose the Roles and Auditing tab. The resulting screen will display all of the management role groups.

You can modify an existing management role by selecting the role and clicking the Details button. The resulting pop up window gives you the option of adding members or of changing the scope of the role.

You can also use this same screen to reconfigure what the management role actually does. Management role groups are made up of one or more individual roles. You can alter a management role group’s behavior by adding or removing roles. For example, help desk staff members may get the occasional call from users who are wondering why their messages were not delivered. Normally members of the Help Desk management role group would not be able to directly help such callers, but you can change this by adding the Message Tracking role to the Help Desk management role group.

Just as the existing role groups can be customized, it is also possible to create your own management role groups. This is useful for situations in which you want specific users to be able to perform certain tasks that they would not ordinarily be able to do, but without giving them full-blown administrative access. For example, some organizations create a special role group that gives members the ability to create distribution lists.
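The same two changes can be made from the Exchange Management Shell rather than the Exchange Control Panel, which is easier to script and to review later. The following is an added example, not code from the article: it grants the Help Desk role group the Message Tracking role, then creates a custom role group limited to distribution group management. The group name "DL Managers", the member names and the OU path are assumed values, not anything the article specifies.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell
# on an Exchange 2010 server. "DL Managers", the user names and the OU path
# below are constructed placeholders.

# 1. Add the Message Tracking role to the built-in Help Desk role group, so
#    its members can look into "why wasn't my message delivered?" calls
#    without being given any broader recipient or server rights.
New-ManagementRoleAssignment -Role "Message Tracking" -SecurityGroup "Help Desk"

# Confirm the new assignment appears next to the roles the group already held.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk" |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope -AutoSize

# 2. Create a custom role group whose only capability is managing distribution
#    groups. Members receive exactly the "Distribution Groups" role and nothing
#    else; they are not placed in Recipient Management or Organization Management.
New-RoleGroup -Name "DL Managers" `
    -Roles "Distribution Groups" `
    -Members "alice.example", "bob.example" `
    -Description "May create and modify distribution groups; no other Exchange rights"

# Optional: restrict the group's write scope to one OU instead of the whole forest
# (assumed OU path), which keeps the delegation narrow. Uncomment to apply.
# New-RoleGroup -Name "DL Managers (Sales)" -Roles "Distribution Groups" `
#     -RecipientOrganizationalUnitScope "example.com/Sales" -Members "carol.example"

# Verify membership and that nothing beyond the intended role was granted.
Get-RoleGroupMember -Identity "DL Managers"
Get-ManagementRoleAssignment -RoleAssignee "DL Managers" |
    Format-Table Role, RecipientWriteScope, ConfigWriteScope -AutoSize
```

Both commands write to the Exchange configuration in Active Directory, so the change takes effect the next time the affected user opens a new shell or ECP session. Keeping the custom group's role list to a single role, and optionally scoping it to an OU, is what makes the delegation safer than adding the same users to Recipient Management.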

As you can imagine, you can get really creative with role assignments. Even so, it is recommended to keep your use of management role groups as simple as you can. Otherwise, it can be difficult to determine who has the ability to do what.
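One way to keep "who can do what" answerable as role groups accumulate is to dump the whole picture on a schedule. The script below is an added example, not part of the article: it lists every role group with its members and roles, then answers the reverse question of which individual users effectively hold a given role, expanding group membership. The file name Get-RbacSummary.ps1 and the role queried at the end are assumptions; the syntax stays compatible with the PowerShell 2.0 shell that ships with Exchange 2010.

```powershell
# Added example (not from the article). Save as Get-RbacSummary.ps1 (assumed name)
# and run in the Exchange Management Shell on Exchange 2010.

# Part 1: one row per role group showing its members and the roles it holds.
# Get-RoleGroup returns both the eleven built-in groups and any custom ones.
Get-RoleGroup | ForEach-Object {
    $group   = $_
    $members = Get-RoleGroupMember -Identity $group.Identity |
               Select-Object -ExpandProperty Name
    $roles   = Get-ManagementRoleAssignment -RoleAssignee $group.Identity |
               Select-Object -ExpandProperty Role | Sort-Object -Unique

    # New-Object PSObject is used instead of [PSCustomObject] for PowerShell 2.0 compatibility.
    New-Object PSObject -Property @{
        RoleGroup = $group.Name
        Members   = ($members -join "; ")
        Roles     = ($roles   -join "; ")
    }
} | Sort-Object RoleGroup | Format-Table RoleGroup, Members, Roles -AutoSize -Wrap

# Part 2: the reverse question. -GetEffectiveUsers expands role group and
# nested group membership to the individual users who can actually run a
# role's cmdlets. "Message Tracking" is used here as the example role.
Get-ManagementRoleAssignment -Role "Message Tracking" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType |
    Sort-Object EffectiveUserName -Unique |
    Format-Table -AutoSize

# Part 3: any role assignment made directly to a user rather than through a
# role group bypasses the group model and is easy to overlook, so list them.
Get-ManagementRoleAssignment -RoleAssigneeType User |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope |
    Format-Table -AutoSize
```

Running the first part before and after each role group change gives a simple diff of the organization's administrative surface; the third part catches the direct user assignments that make the picture hard to reconstruct from the role groups alone.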