Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-02-20
Microsoft Exchange Server 2007 provides the ability for Exchange administrators to delegate administrative and management responsibility for a server to an individual or group of individuals when it operates in a distributed operations management scenario. This topic explains how to delegate administrative and management responsibility for a server by using the Exchange Management Console or the Exchange Management Shell.
The Exchange Server Administrators delegated role has access to only local server Exchange configuration data, either in the Active Directory directory service or on the physical computer on which Exchange 2007 is installed. Users who are members of the Exchange Server Administrators role have permissions to administer a particular server, but do not have permissions to perform operations that have global effect in the Exchange organization.
In addition, Exchange Server Administrators can add and remove server roles to the Exchange server. However, they cannot remove the last server role from the server. Therefore, Exchange Server Administrators cannot uninstall an Exchange server.
When you delegate a user or group the Exchange Server Administrator role, that user or group is assigned permissions so that the user or group is owner of all local server configuration data. As owner, the server administrator has full control over the local server configuration data on the server object within the configuration partition.
The following access control entries are granted to the delegated account on the server object within the configuration partition:
- Full control on the server object and its children
- Deny access control entry for the Send As extended right
- Deny access control entry for the Receive As extended right
- Deny CreateChild and DeleteChild permissions for Exchange
Public Folder Store objects. Public folders are an organizational
responsibility and therefore the creation, deletion, or both of
public folder stores is restricted to Exchange Organization
The delegated account is added automatically to the target server’s local administrator group on the computer on which Microsoft Exchange is installed.
The delegated account is also added to the membership of the Exchange Organization View-Only Administrators security group.
You can delegate server administration by using the Exchange Management Console or the Exchange Management Shell.
|As explained earlier in this topic, the Exchange Server Administrator role is a delegated set of permissions that allows a user or group to administer a particular Exchange computer. Do not confuse the Exchange Server Administrator role with the Exchange Server security group in Active Directory. The Exchange Server security group contains the computer objects that are running Exchange in your organization.|
Before You Begin
To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007 see Permission Considerations.
To use the Exchange Management Console to delegate Server Administrator role to a user or group
In the Exchange Management Console, select Organization Configuration.
In the Action pane, select the Add Exchange Administrator link.
On the Add Exchange Administrator page, click Browse and select the user or group that you want to delegate control to, and then select Exchange Server Administrator role.
Under Select the server(s) to which this role has access, click Add, and then select the server to which you want to delegate control. Click OK. Click Add.
On the Completion page, click Finish.
To use the Exchange Management Shell to delegate the Server Administrator role to a user or group
Run the following command:
Add-ExchangeAdministrator -Identity "contoso.com/Users/KwekuA" -Role ServerAdmin -Scope server1.contoso.com
"contoso.com/Users/KwekuA"is the full path of the user or group that you want to delegate permission to and
server1.contoso.comis the fully qualified domain name (FQDN) of the server that you want to provision.
For detailed syntax and parameter information, see Add-ExchangeAdministrator.