XGEN: Exchange 2000 Role Permissions

This article describes how to use the Exchange 2000 Administration Delegation Wizard to configure permissions in Active Directory.

The Exchange 2000 Administration Delegation Wizard provides a friendly interface which enables you to configure permissions to the Exchange Server objects in Active Directory. If you are an organization administrator, you can use the wizard to get more information about the exact changes that the Exchange 2000 Administration Delegation Wizard makes to the Active Directory.

To use Exchange 2000 Administration Delegation Wizard:

1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Right-click the organization or administrative group for which you want to delegate administrative permissions, and then click Delegate control.
3. When the Exchange Administration Delegation Wizard starts, click Next.
4. Click Users or Groups, and then click Add to grant a new user or group administrative permissions.
5. In the Delegate Control dialog box, click Browse, and then browse to a group or user from the list that is displayed.
   
   When you enter the appropriate location in the Look in box, you can view the list of users and groups from Active Directory, or you can view only a list for a particular domain. You can also type the name of the user or group in the Name box; however, you must type one name at a time.
6. After you have entered a user or group, in the Delegate Control dialog box, in the Role section, click one of the following types of administrative permissions that you want to give to the group or user:
   • Exchange Full Administrator
   • Exchange Administrator
   • Exchange View Only Administrator
   NOTE: To change the role of an existing user or group, click the user or group, click Edit, and then choose the new role. To remove a user or group, click the user or group, and then click Remove.
   
   
7. To assign the permissions, click Next, and then click Finish.

Exchange Full Administrator

When you assign a user or group Exchange Full Administrator permissions, the user and group can fully administer Exchange Server computer information and modify permissions. A user who has Exchange Full Administrator permissions has the following rights:

• Organization Rights:
  • Full Control permissions on the MsExchConfiguration container (this object and its sub-containers).
  • Deny Receive-As, and Send-As permissions on the Organization container (this object and its sub-containers).
  • Read, and Change permissions on the Deleted Objects container in the Configuration naming context (Config NC) (this object and its sub-containers.
• Administrative Group Rights:
  • Read, List object, List contents permissions on MsExchConfiguration container (this object only).
  • Read, List object, List contents permissions on the Organization container (this object and its sub-containers).
  • Full Control, Deny Send-As, Deny Receive-As on the Administrator Groups container (this object and its sub-containers).
  • Full Control except Change permissions on the Connections container (this object and its sub-containers).
  • Read, List object, List contents, Write properties permissions on the Offline Address Lists container (this object and its sub-containers).

Exchange Administrator

When you give a user or group Exchange Administrator permissions, the user and group can fully administer Exchange Server computer information. A user who has Exchange Administrator permissions has the following rights:

• Organization Rights:
  • All permissions except Change permissions on the MsExchConfiguration container (this object and its sub-containers).
  • Deny Receive-As, and Send-As permissions on the Organization container (this object and its sub-containers).
• Administrative Group Rights:
  • Read, List object, List contents permissions on the MsExchConfiguration container (this object only).
  • Read, List object, List contents permissions on the Organization container (this object and its sub-containers).
  • All permissions except for Change permissions, Deny Send-As, Deny Receive-As permissions on the Administrator Group container (this object and its sub-containers).
  • All permissions except Change permissions on the Connections container (this object and its sub-containers).
  • Read, List object, List contents, Write properties permissions on the Offline Address Lists container (this object and its sub-containers).

Exchange View Only Administrator

When you give a user or group Exchange View Only Administrator permissions, the user or group can view Exchange Server configuration information. A user who has Exchange View Only Administrator permissions has the following rights:

• Organization Rights:
  • Read, List object, List contents permissions on the MsExchConfiguration container (this object and its sub-containers).
  • View Information Store Status permissions on the Organization container (this object and its sub-containers).
• Administrative Group Rights:
  • Read, List object, List contents permissions on the MsExchConfiguration container (this object only).
  • Read, List object, List contents permissions on the Organization container (this object only).
  • Read, List object, List contents permissions on the Administrator Groups container (this object only).
  • Read, List object, List contents, View Information Store Status permissions on the Administrator Groups container (this object and its sub-containers).
  • Read, List object, List contents permissions on the MsExchRecipientsPolicy container, the Address Lists container, Addressing, Global Settings, System Policies (this object and its sub-containers).