Understanding Exchange Server 2003 Administrative Groups

In Exchange Server 2003, an administrative group is a collection of Exchange Server 2003 objects that are grouped together so that permissions on them can be delegated and managed as a unit.

An administrative group can be created to support different administrative models:

  • Centralized.
  • Decentralized.
  • Mixed administrative model.

The Exchange Server 2003 objects that can exist in an administrative group are listed here:

  • System policy objects.
  • Server objects.
  • Public folder tree objects.
  • Routing group objects.

When you install an Exchange Server 2003 organization, the new Exchange Server 2003 organization operates in Mixed Mode. This is the default configuration.

The main characteristics of Mixed Mode are listed here:

  • Any Exchange 5.5 sites are mapped to Administrative Groups.
  • Administrative Groups features are not supported when running in Mixed Mode.
  • You cannot move Exchange mailboxes between Administrative Groups.
  • Routing Groups contain only the server installed in the Administrative Group.

Exchange Server 2003 Native Mode has the characteristics listed here:

  • You can move Exchange mailboxes between Administrative Groups.
  • You can also move servers between Routing Groups.
  • Routing Groups can contain servers from different Administrative Groups.
  • The default enabled routing protocol is SMTP.

Configuring Exchange Server 2003 Administrative Permissions

Exchange administrative permissions allow administrators to perform Exchange Server 2003 administrative tasks. You can delegate control over an Administrative Group through the Exchange Administration Delegation Wizard.

The permissions that you can assign to delegate control over an Administrative Group are:

  • Exchange View Only Administrator: allows the viewing of Exchange objects but not the modification of Exchange objects.
  • Exchange Full Administrator: enables the individual to fully administer Exchange system objects and Exchange permissions.
  • Exchange Administrator: enables the individual to fully administer Exchange system information only.

To use the Exchange Administration Delegation Wizard, you need the Exchange Full Administrator permissions at the organization level.

How to enable viewing of administrative groups

  1. Click Start, All Programs, Microsoft Exchange, and then select Exchange System Manager.
  2. Right-click the Exchange organization and then select Properties from the shortcut menu.
  3. When the Exchange organization Properties dialog box opens, select the Display Administrative Groups checkbox on the General tab.
  4. Click OK.

How to create an administrative group

  1. Open Exchange System Manager.
  2. In the left panel, right-click Administrative Groups and select New and then Administrative Group from the shortcut menu.
  3. Provide a name for the Administrative Group.
  4. Click OK.
  5. In the console tree, right-click the administrative group that you created and select New and then System Policy Container from the shortcut menu.
  6. Expand the administrative group and check that the System Policies container was created.
  7. In the console tree, right-click the System Policies container and select New and then Mailbox Store Policy from the shortcut menu.
  8. The New Policy dialog box opens.
  9. Proceed to enable each Property page and click OK.
  10. Provide a name for the new policy.
  11. Configure the Properties box tabs.
  12. Click OK.
  13. Create a Public Store policy.
  14. Create the Server policy.

How to delegate control over an administrative group

  1. Open Exchange System Manager.
  2. Navigate to the Administrative Group folder and expand it.
  3. Select the administrative group that you want to delegate control of.
  4. Click the Action menu and select the Delegate Control option.
  5. The Exchange Administration Delegation Wizard initiates.
  6. Click Next on the Welcome to the Exchange Administration Delegation Wizard screen.
  7. Click Add.
  8. The Delegate Control dialog box opens.
  9. Click Browse.
  10. When the Select Users, Computers Or Groups dialog box opens, enter the name of the user and then click Check Names. Click OK.
  11. In the Role box of the Delegate Control dialog box, select the Exchange role which should be assigned. Click OK.
  12. Click Next.
  13. Click Finish.
  14. Click OK to the warning displayed in the Exchange System Manager dialog box.
  15. Click Start, Administrative Tools and then click Active Directory Users And Computers.
  16. When the Active Directory Users And Computers management console opens, expand the domain name and then select Users.
  17. Right-click the user name that you previously specified and then select Properties on the shortcut menu.
  18. When the User Properties dialog box opens, click the Member Of tab.
  19. Click the Add button.
  20. The Select Groups dialog box opens.
  21. Enter the appropriate information and then click Check Names. Click OK.
  22. Click OK in the User Properties dialog box.

How to configure advanced security permissions

  1. Open the Registry Editor on the Exchange server.
  2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Exchange registry key and expand Exchange.
  3. Right-click EXAdmin and click New and then DWORD Value.
  4. Rename New Value #1 to ShowSecurityPage. Press Enter.
  5. Double-click ShowSecurityPage.
  6. In the Edit DWORD Value dialog box enter 1 in the Value Data box and then click OK.
  7. Close the Registry Editor on the Exchange server.
  8. Click Start, Run and then enter mmc. Click OK.
  9. Click the File menu item and then click Add/Remove Snap-In.
  10. When the Add/Remove Snap-In dialog box opens, click the Add button.
  11. The Add Standalone Snap-In dialog box opens.
  12. Click ADSI Edit.
  13. Click Add and click Close.
  14. Click OK in the Add Standalone Snap-In dialog box.
  15. Right-click ADSI Edit and then select Connect To on the shortcut menu.
  16. The Connection Settings dialog box opens.
  17. In the Select A Well Known Naming Context box, select Configuration.
  18. Click OK.
  19. Right-click CN=Administrative Groups and select Properties on the shortcut menu.
  20. Click Add on the Security tab.
  21. Enter the user name in the Select Users, Computers, Or Groups dialog box.
  22. Click OK.
  23. Click Advanced on the CN=Administrative Groups Properties dialog box.
  24. The Advanced Security Settings For Administrative Groups dialog box opens.
  25. In the Permission Entries list, select the user name and click Edit.
  26. The Permission Entry For Administrative Groups dialog box opens.
  27. Select the This Object And All Child Objects option in the Apply Onto drop-down list and then click OK.
  28. On the Advanced Security Settings For Administrative Groups dialog box, uncheck the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With All Entries Explicitly Defined Here checkbox.
  29. Click OK.
  30. Click OK in the CN=Administrative Groups Properties dialog box.
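
The ADSI Edit procedure above changes the access control list on the CN=Administrative Groups container, so it is worth reading that ACL back afterwards to confirm who holds explicit rights and whether inheritance was switched off. The following PowerShell script is an added example and is not part of the original article; it only reads the directory, and it assumes the organization name placeholder is replaced with your own and that the account running it can read the configuration partition.

```powershell
# Added example: read-only audit of the ACL edited in the ADSI Edit steps.
# $OrgName is a placeholder; supply your own Exchange organization name.
param(
    [string]$OrgName = '<ExchangeOrganizationName>'
)

# Find the configuration naming context from RootDSE.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext

# Standard location of the Administrative Groups container.
$dn = "CN=Administrative Groups,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNC"
$container = [ADSI]"LDAP://$dn"

# psbase exposes the underlying DirectoryEntry, including its security descriptor.
$sd = $container.psbase.ObjectSecurity

# True when inheritance from the parent has been blocked (step 28).
'Inheritance blocked on {0}: {1}' -f $dn, $sd.AreAccessRulesProtected

# List explicit (non-inherited) entries only; these are the ones that were
# added by hand or by the delegation wizard on this container.
$rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

$rules |
    Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference.Value } },
                  AccessControlType,
                  ActiveDirectoryRights,
                  InheritanceType,
                  @{ Name = 'ReachesChildObjects'
                     Expression = { $_.InheritanceType -ne 'None' } } |
    Sort-Object Identity |
    Format-Table -AutoSize -Wrap
```

An entry added through step 27 (This Object And All Child Objects) appears with InheritanceType All; any identity listed here that you did not intend to delegate to should be reviewed.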