Implementing Your Administrative Model


The Exchange Administration Delegation Wizard enables you to set permissions on organizations and administrative groups, and thus control access to all the Exchange objects contained within the organization or administrative group. You can also set permissions on some Exchange objects individually. These objects include public folder trees, address lists, and MDBs. For these objects, Exchange uses and extends Active Directory permissions. Examples of Active Directory permissions are Read, Write, and List contents. Examples of extended Exchange permissions are Create public folder and View Information Store status. When looking at an object's permissions, Active Directory permissions are listed first, followed by Exchange extended permissions.

Permissions in Exchange are inherited by default. This means that permissions you apply to an object are inherited by the objects it contains. For example, if you set permissions on an administrative group, by default those permissions are inherited by the routing groups the administrative group contains. Inherited permissions are convenient because you do not have to manually set the permissions for every object in your Exchange organization.

You should set permissions on Exchange objects only through Exchange System Manager. You should not set permissions on Exchange objects through Windows 2000 MMC snap-ins, such as the Active Directory Sites and Services or Active Directory Users and Computers snap-ins.

This section includes the following topics: