To use Exchange system management features through a Web interface, use one of the following methods:
- A Web service that is running on Microsoft Internet Information Services (IIS) may use the credentials of a user for impersonation. Therefore, the user can access and modify the data that is in the Active Directory database and in Exchange servers.
- A Web service may be running on IIS as a computer account or as a user account. This computer account or user account has permissions to access and to modify the data that is in the Active Directory database and in Exchange servers.
For this method, the Web service must perform some level of authorization to make sure that the user request from the Web interface is allowed. This authorization check can be completed in one of the following ways:
- To verify that the user has Exchange Admin permissions, the Web service can use Windows APIs to compare the rights of the user against one of the following sets of rights:
- The rights that the user must have on the Exchange organization container.
- The rights that the user must have on a subset of the Exchange organization container.
The custom scenario defines which user rights the Web service compares. This option typically applies to scenarios in which the user who is connecting to the Web service must be a member of the Exchange Admins group.
- If the user does not have Exchange Admin permissions but the user still must be able to submit some Web requests, the Web service must check the user against its own authorization scheme. For example, the Web service can determine whether the user is a member of a certain security group.
This option typically applies to scenarios in which the user does not necessarily have permissions. However, the user still must perform some operations. For example, a user who does not have permission to change the Active Directory user object may want to reset the office number.
Recommendations
We recommend that you use the Web service that is running as a computer account or as a user account. This Web service should have permissions to access and to modify the data that is in the Active Directory database and in Exchange servers.
Note Impersonation in CDOEXM does not work in all scenarios. Therefore, we do not recommend or support impersonation in CDOEXM as a general solution.
We recommend that you put the CDOEXM code in a Microsoft COM+ component. Make sure that the CDOEXM component in Component Services is running under a set of credentials that has sufficient permission to access and to modify the data that is in the Active Directory database and in Exchange servers. Add a reference to the COM+ component in a Web page.
For authorization, we recommend that the Web service always check the user's credentials to determine whether the user has permissions to access and to modify the data that is in the Active Directory database and in Exchange servers. You can enable lower-privileged users to call functions that are typically reserved for members of the Exchange Admins group. However, we recommend that you grant those users explicit permissions or restrict the administration functions that are available to them. Do not generically make available the whole Exchange Management surface area. For example, you may make available only the "Change Username" permission for lower-privileged users.
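The following ASP.NET (ASMX) Web service sketch is an added example, not code from this article, showing the authorization check described in the two options above and in the recommendation: the service itself runs under the application pool's service account (which holds the Exchange permissions and calls the CDOEXM COM+ component), while the authenticated caller's Windows identity is used only to decide whether the requested operation is allowed. The group names (CONTOSO\Exchange Admins, CONTOSO\HelpDesk), the operation names and the ExchangeAdminComponent call are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

// Requires Windows authentication in IIS (authentication mode="Windows") so that
// HttpContext.Current.User is a WindowsPrincipal for the caller.
public class ExchangeAdminService : WebService
{
    // Assumed group names; replace with the groups used in your domain.
    private const string ExchangeAdminsGroup = @"CONTOSO\Exchange Admins";
    private const string HelpDeskGroup = @"CONTOSO\HelpDesk";

    // Explicit per-operation grants for callers who are not Exchange Admins.
    // Anything not listed here is denied to them (deny by default).
    private static readonly Dictionary<string, string[]> ExplicitGrants =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "ChangeUsername",    new[] { HelpDeskGroup } },
            { "ResetOfficeNumber", new[] { HelpDeskGroup } },
        };

    // Returns true when the caller may invoke the named administration operation.
    internal static bool IsAuthorized(IPrincipal caller, string operation)
    {
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            return false;

        // Option 1: members of Exchange Admins may use the whole management surface.
        if (caller.IsInRole(ExchangeAdminsGroup))
            return true;

        // Option 2: everyone else needs an explicit grant for this specific operation.
        string[] allowedGroups;
        if (!ExplicitGrants.TryGetValue(operation, out allowedGroups))
            return false;
        foreach (string group in allowedGroups)
            if (caller.IsInRole(group))
                return true;
        return false;
    }

    [WebMethod]
    public void ResetOfficeNumber(string userDistinguishedName, string officeNumber)
    {
        // Authorize the caller before touching Active Directory or Exchange.
        if (!IsAuthorized(HttpContext.Current.User, "ResetOfficeNumber"))
            throw new UnauthorizedAccessException("Caller may not reset office numbers.");

        // The COM+ component (hypothetical name) runs under the service account and
        // performs the CDOEXM / directory update on the caller's behalf.
        new ExchangeAdminComponent().SetOfficeNumber(userDistinguishedName, officeNumber);
    }
}
```

Because the COM+ component, not the caller, holds the Exchange rights, a caller who bypasses IsAuthorized by calling the component directly must be prevented by the component's own Component Services role settings; the Web method check is the first gate, not the only one.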