Exchange Administration Delegation Wizard is a tool that simplifies delegating permissions to Exchange administrators. When you start Exchange Administration Delegation Wizard, it prompts for users and groups to which you want to apply the administrative permissions. You can delegate administrative permissions at the organization level in System Manager, or at an administrative group level. The scope of permissions you set is determined by the place from which you launch the wizard. If you launch the wizard from the organization level, the groups or users that you specify will have administrative permissions at the organizational level.
Exchange Administration Delegation Wizard simplifies assigning permissions and creating and maintaining access control lists. First, create a security group in Windows Active Directory Users and Computers Microsoft Management Console (MMC), provide a descriptive group name, for example, Finance Group, or Mailbox Administrators, and add the appropriate users to the group. Then, using Exchange Administration Delegation Wizard, assign permissions to the group, rather than assigning permissions to specific users. If you need to manage access to public folder trees, MDBs, address lists, protocols, or servers, first use the wizard to set your overall permissions, and then configure special permissions at the object level.
Administrative permissions include:
Note: In order to be an Exchange Full Administrator or Exchange Administrator (who both have read/write access to objects) on an organization or administrative group, a user must be a local machine administrator for each Exchange Server he or she needs to manage. Exchange Administration Delegation Wizard does not make a user a local administrator, so you must do this manually. Being a local administrator enables the user to start and stop services, and to access the registry, the metabase, and the file system for different administrative operations. If remotely administering Exchange, the user must have administrative permissions on both the local machine and on the remote server being administered. Exchange View Only Administrators do not need to be local machine administrators. They simply need to be able to log on to the system locally (through a computer users group, or some other means) in order to open and view System Manager.
When you launch Exchange Administration Delegation Wizard from the organization level, different administrators have the following permissions on the specified objects:
Administrator | Object | Permissions | Do Permissions Apply to Subcontainers? |
---|---|---|---|
Full Administrator | Microsoft Exchange container | Full control | Yes |
Full Administrator | Organization | The permissions you have to read or modify the object are inherited from the parent object. No permissions are explicitly set to "Allow". Send As and Receive As are explicitly set to "Deny". | Yes |
Full Administrator | Deleted objects in configuration naming context | Read, Change | Yes |
Administrator | Microsoft Exchange Organization | All except Change permissions | Yes |
Administrator | Organization | The permissions you have to read or modify the object are inherited from the parent object. No permissions are explicitly set to "Allow". Send As and Receive As are explicitly set to "Deny". | Yes |
View Only Administrator | Microsoft Exchange container | Read, List object, List contents | Yes |
View Only Administrator | Organization | View information store status | Yes |
When you launch Exchange Administration Delegation Wizard from the administrative group level, different administrators have the following permissions on the specified objects:
Administrator | Object | Permissions | Do Permissions Apply to Subcontainers? |
---|---|---|---|
Full Administrator | Microsoft Exchange container | Read, List object, List contents | No |
Full Administrator | Organization | Read, List object, List contents | Yes |
Full Administrator | Administrative group container | Full control | Yes |
Full Administrator | Administrative group container | The permissions you have to read or modify the object are inherited from the parent object. No permissions are explicitly set to "Allow". Send As and Receive As are explicitly set to "Deny". | Yes |
Full Administrator | Connections container | All except Change permissions | Yes |
Full Administrator | Offline Address Lists | Write properties. This includes the ability to modify attributes on the object itself, but not to assign permissions to or assume ownership of the object. | Yes |
Administrator | Microsoft Exchange container | Read, List object, List contents | No |
Administrator | Organization | Read, List object, List contents | Yes |
Administrator | Administrative group container | The permissions you have to read or modify the object are inherited from the parent object. No permissions are explicitly set to "Allow". Change, Send As, and Receive As are explicitly set to "Deny". | Yes |
Administrator | Offline Address Lists | Write | Yes |
Administrator | Administrative group container | All except Change permissions | Yes |
Administrator | Connections container | All except Change permissions | Yes |
View Only Administrator | Microsoft Exchange container | Read, List object, List contents | No |
View Only Administrator | Organization | Read, List object, List contents | No |
View Only Administrator | Administrative group container | Read, List object, List contents, View information store status | Yes |
View Only Administrator | Administrative group container | Read, List object, List contents | No |
View Only Administrator | Recipient Policies container | Read, List object, List contents | Yes |
View Only Administrator | Address Lists container | Read, List object, List contents | Yes |
View Only Administrator | Global Settings container | Read, List object, List contents | Yes |
View Only Administrator | System Policies container | Read, List object, List contents | Yes |
View Only Administrator | Addressing container | Read, List object, List contents | Yes |