Microsoft KB Archive/261092

= XADM: Requirements to Set Security Permission Roles for Local Exchange Directory Objects =

Article ID: 261092

Article Last Modified on 10/27/2006


APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition




This article was previously published under Q261092



SUMMARY
This article describes how enterprise administrators can set granular security permissions on Exchange Server directory objects to ensure that enterprise and local administrators have the appropriate security access in an organization.



MORE INFORMATION
By setting granular security, you can allow local administrators access to only the server-level directory objects and allow enterprise administrators full access to all of the directory objects in the organization.

In traditional configurations, you might configure an Exchange Administrator group that has the Permissions Admin role at the organization, site, and configuration levels. This group represents the enterprise administrators of the organization. However, this particular configuration does not provide any granular directory object access for the local administrators.

For example, if you have five enterprise administrators who are responsible for supporting the organization at a global level and you also have individual local administrators who are responsible for only their server's directory objects in a particular site, you need to ensure that the local administrators have directory object access to only the appropriate servers. To do so, you need to set appropriate permissions that the site and server directory objects inherit.

To set the appropriate permissions:
 * 1) At the server for which the local administrator or administrative group needs full access, open the properties of the server's directory object.
 * 2) Click the Permissions tab, and then add that user or group as Permissions Admin.

NOTE: Ensure that you click the appropriate directory object (for example, under the   container, the   container, and the Servers container, click the   object and not just the Servers container) before you perform step 2. If you select the Servers container in step 1 and then perform step 2, you grant the account the Permissions Admin role for all of the servers in that site.
 * 3) Open the properties of the site-level directory object.
 * 4) Click the Permissions tab, and then add that user or group as Permissions Admin.

After you perform these steps, the local administrator or administrative group has access to not only the site folders, but also to their server properties. Additionally, the local administrator or administrative group cannot gain access to other server objects in the site. Enterprise administrators should already be established with organization-level, site-level, and server-level Permissions Admin roles.

When you establish the preceding permissions, note that enterprise administrators have full access to change the properties attributes of all system folders. However, you can configure more granular permissions with this approach, depending on your particular needs.

As with any security implementation, if you change your environment settings, you may impact more than one area. You need to plan and test when you apply permission changes for your organization.

Additional query words: xmrp

Keywords: kbhowto KB261092


© Microsoft Corporation. All rights reserved.