Topic Last Modified: 2006-12-03
The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the number of users who have permissions as either Exchange Administrators or Exchange Full Administrators. The Exchange Server Analyzer counts the number of entries listed in the msExchAdmins attribute, which represents a link to all Exchange administrators within the organization together with the appropriate permissions. If the Exchange Server Analyzer finds there are more than 10 users with Exchange Administrator and/or Exchange Full Administrator permissions, a warning is displayed.
msExchAdmins is a multi-value attribute of the Exchange root organization container. It contains a list of security identifiers (SIDs) that represent the user accounts with delegated Exchange permissions.
It is a best practice to limit the number of users with write access to the Exchange organization. Consider reducing the number of Exchange Administrators and Exchange Full Administrators at the organization level. By reviewing administrative roles against the requirements of your messaging infrastructure, you may find that you can convert many of these users to Exchange View-only Administrators at the organizational level, while delegating to them the Exchange Administrator role at the Administration Group level.
To correct this warning
Consider decreasing the number of users that have Exchange Administrator and/or Exchange Full Administrator permissions.
Consider performing an audit of Exchange Server permissions in your organization to ensure that they are appropriate.
For more information about planning and configuring permissions in Exchange, see:
- "Working with Active Directory Permissions in
Exchange 2003" (http://go.microsoft.com/fwlink/?LinkId=47592).
- Microsoft Exchange Server 2007, Operations "Configuring
- Microsoft Exchange Server 2007, Planning and Architecture,
Planning Active Directory "Permission Considerations" (http://go.microsoft.com/fwlink/?LinkId=78433).
For more information about administrative roles in Exchange Server 2003, see the Microsoft Knowledge Base article 823018, "Overview of Exchange Administrative Role Permissions in Exchange 2003" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823018).
For more information about administrative roles in Exchange 2000 Server, see the Knowledge Base article 289811, "XGEN: Exchange 2000 Role Permissions" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=289811).