Microsoft KB Archive/823018

= Overview of Exchange administrative role permissions in Exchange 2003 =

Article ID: 823018

Article Last Modified on 12/3/2007


== APPLIES TO ==


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

For a Microsoft Exchange 2000 Server version of this article, see 289811.



== SUMMARY ==
This article contains information about Exchange administrative role permissions and describes how to use Exchange Administration Delegation Wizard in Exchange Server 2003 to configure administrative role permissions in Microsoft Active Directory directory service.

Exchange Administration Delegation Wizard provides an interface that you can use to configure administrative permissions for Exchange Server objects in Active Directory. You can use the wizard to delegate administrative permissions at the organization level or at the administrative group level. The scope of the permissions that you set is determined by the location where you start the wizard. If you start the wizard at the organization level, the groups or the users that you specify have administrative permissions at the organization level. If you start the wizard at the administrative group level, the groups or the users that you specify have administrative permissions at the administrative group level.

=== To Use Exchange Administration Delegation Wizard ===
To use Exchange Administration Delegation Wizard to grant administrative permissions to a user or a group:

 1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
 2. Right-click the organization or the administrative group where you want to delegate administrative permissions, and then click Delegate control. Exchange Administration Delegation Wizard starts.
 3. Click Next.
 4. On the Users or Groups page, click Add.
 5. In the Delegate Control dialog box, click Browse.
 6. In the Select Users, Computers, or Group dialog box, click the appropriate location in the Look in box, click the name of the user or the group that you want to add, and then click OK.

    Note When you click the appropriate location in the Look in box, you can view the list of users and of groups from Active Directory, or you can view only a list for a particular domain.
 7. Under Role in the Delegate Control dialog box, click one of the following types of administrative permissions to assign to the user or the group that you added, and then click OK:
    * Exchange Full Administrator
    * Exchange Administrator
    * Exchange View Only Administrator

    The user or the group that you added appears in the Users and groups list.
 8. To edit an existing user or an existing group that is in the Users and groups list:
    a. Click the user or group, and then click Edit.
    b. Under Role, click the option that you want, and then click OK.
 9. To remove an existing user or an existing group from the Users and groups list, click the user or the group, and then click Remove.
 10. Click Next, and then click Finish.

=== Overview of Exchange Administrative Permissions ===
The following section contains more information about the permissions that are included in the following Exchange administrative roles:
 * Exchange Full Administrator
 * Exchange Administrator
 * Exchange View Only Administrator

==== Exchange Full Administrator ====
When you assign a user or a group Exchange Full Administrator permissions, the user or the group can fully administer Exchange Server computer information and modify permissions. A user who has Exchange Full Administrator permissions has the following rights:
 * Organization Rights:
   * Full Control permissions on the MsExchConfiguration container (this object and its subcontainers).
   * Deny Receive-As permissions and Send-As permissions on the Organization container (this object and its subcontainers).
   * Read permissions and Change permissions on the Deleted Objects container in the Configuration naming context (Config NC) (this object and its subcontainers).
 * Administrative Group Rights:
   * Read, List object, and List contents permissions on the MsExchConfiguration container (this object only).
   * Read, List object, and List contents permissions on the Organization container (this object and its subcontainers).
   * Full Control, Deny Send-As, and Deny Receive-As permissions on the Administrator Groups container (this object and its subcontainers).
   * Full Control permissions (except for Change) on the Connections container (this object and its subcontainers).
   * Read, List object, List contents, and Write properties permissions on the Offline Address Lists container (this object and its subcontainers).

Note In Exchange 2000 Server, administrators must be assigned the Exchange Full Administrator administrative role at the organization level to install and to remove Exchange 2000 Server, to upgrade servers, and to perform failure recovery on servers. This requirement is changed in Exchange Server 2003 to allow administrators who are assigned the Exchange Full Administrator administrative role at the administrative group level to install and to remove Exchange Server 2003, to upgrade servers, and to perform failure recovery on servers that are in that administrative group.

The following considerations apply when you install Exchange Server 2003 as an administrator who has Exchange Full Administrator permissions:
 * A domain administrator must manually add the computer account of the server to the Exchange Domain Servers group.
 * An administrator who has Exchange Full Administrator permissions at the organization level must perform the first installation of Exchange Server 2003 on a server that is in an organization.
 * An administrator who has Exchange Full Administrator permissions at the organization level must perform the first installation of Exchange Server 2003 in an Active Directory directory service domain.
 * An administrator who has Exchange Full Administrator permissions at the organization level must perform the first installation of Exchange Server 2003 on a server that is in an administrative group.
 * Only an administrator who has Exchange Full Administrator permissions at the organization level can upgrade Exchange 2000 Server servers that are configured as bridgeheads for directory replication connectors to Exchange Server 2003.
 * Only an administrator who has Exchange Full Administrator permissions at the organization level can install or remove Exchange Server 2003 on servers where Site Replication Services (SRS) is installed.

If you are an administrator who has Exchange Full Administrator permissions in the administrative group, and you run Exchange Server 2003 Setup on a server that is not clustered, only the administrative groups that you have permissions to access appear. However, on a clustered server, Exchange Server 2003 Setup displays all administrative groups. If you select an administrative group that you do not have permission to access, you receive an "Access Denied" error message.


==== Exchange Administrator ====
When you assign a user or a group Exchange Administrator permissions, the user or the group can fully administer Exchange Server computer information. A user who has Exchange Administrator permissions has the following rights:
 * Organization Rights:
   * All permissions (except for Change permissions) on the MsExchConfiguration container (this object and its subcontainers).
   * Deny Receive-As permissions and Send-As permissions on the Organization container (this object and its subcontainers).
 * Administrative Group Rights:
   * Read, List object, and List contents permissions on the MsExchConfiguration container (this object only).
   * Read, List object, and List contents permissions on the Organization container (this object and its subcontainers).
   * All permissions (except for Change, Deny Send-As, and Deny Receive-As permissions) on the Administrator Group container (this object and its subcontainers).
   * All permissions (except for Change permissions) on the Connections container (this object and its subcontainers).
   * Read, List object, List contents, and Write properties permissions on the Offline Address Lists container (this object and its subcontainers).

==== Exchange View Only Administrator ====
When you assign a user or a group Exchange View Only Administrator permissions, the user or the group can view Exchange Server configuration information. A user who has Exchange View Only Administrator permissions has the following rights:
 * Organization Rights:
   * Read, List object, and List contents permissions on the MsExchConfiguration container (this object and its subcontainers).
   * View Information Store Status permissions on the Organization container (this object and its subcontainers).
 * Administrative Group Rights:
   * Read, List object, and List contents permissions on the MsExchConfiguration container (this object only).
   * Read, List object, and List contents permissions on the Organization container (this object only).
   * Read, List object, and List contents permissions on the Administrator Groups container (this object only).
   * Read, List object, List contents, and View Information Store Status permissions on the Administrator Groups container (this object and its subcontainers).
   * Read, List object, and List contents permissions on the MsExchRecipientsPolicy container, the Address Lists container, Addressing, Global Settings, System Policies (this object and its subcontainers).
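The rights listed above for the MsExchConfiguration container are enough to tell the three roles and the two delegation scopes apart when reviewing who holds them. The following Python is an added example, not code from this article or from Microsoft. It assumes the container's ACEs have already been exported into the hypothetical `Ace` records shown, treats "Change permissions" as the WRITE_DAC access-mask bit, and runs on constructed sample data.

```python
from dataclasses import dataclass

# Active Directory access-mask bits (ADS_RIGHTS_ENUM values).
LIST_CONTENTS = 0x4
READ_PROP = 0x10
LIST_OBJECT = 0x80
READ_CONTROL = 0x20000
WRITE_DAC = 0x40000       # shown as "Change permissions" in the ACL editor
FULL_CONTROL = 0xF01FF    # all standard and directory-service rights
READ_SET = READ_CONTROL | READ_PROP | LIST_OBJECT | LIST_CONTENTS

@dataclass
class Ace:                # hypothetical record for one exported ACE
    trustee: str
    allow: bool
    mask: int
    inherits: bool        # True = "this object and its subcontainers"

def classify(ace: Ace) -> str:
    """Map one ACE on the MsExchConfiguration container to a role."""
    if not ace.allow:
        return "deny ACE (not a role grant)"
    has = lambda bits: ace.mask & bits == bits
    if not ace.inherits:
        # Per the article, administrative-group delegation grants read
        # access on this container for "this object only".
        return "administrative-group scope" if has(READ_SET) else "unrecognized"
    if has(FULL_CONTROL):
        return "Exchange Full Administrator (organization)"
    if has(FULL_CONTROL & ~WRITE_DAC):
        return "Exchange Administrator (organization)"
    if has(READ_SET):
        return "Exchange View Only Administrator (organization)"
    return "unrecognized"

def audit(aces):
    """Return ({trustee: role}, trustees whose ACE allows changing the ACL)."""
    roles = {a.trustee: classify(a) for a in aces}
    can_change_acl = sorted(a.trustee for a in aces if a.allow and a.mask & WRITE_DAC)
    return roles, can_change_acl

# Constructed sample ACEs (not taken from a real directory).
SAMPLE = [
    Ace(r"CONTOSO\ExOrgAdmins", True, 0xF01FF, True),
    Ace(r"CONTOSO\ExOperators", True, 0xF01FF & ~0x40000, True),
    Ace(r"CONTOSO\Helpdesk", True, 0x20094, True),
    Ace(r"CONTOSO\SiteAAdmins", True, 0x20094, False),
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Trustees reported as administrative-group scope need a second pass over the ACL of the administrative group container itself, because the role they hold is set there.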
