To begin with, open the Exchange Management Console and select the Organization Configuration work center. Notice in the Results pane that there is only one tab—Exchange Administrators. In that tab are five default objects, some of which are based upon Exchange Security Groups that are automatically created when you install Exchange. You can see these groups from within the Active Directory Users and Computers console:

Exchange Organization Administrators
Exchange Public Folder Administrators
Exchange Recipient Administrators
Exchange Servers
Exchange View-Only Administrators
ExchangeLegacyInterop

With the exception of the ExchangeLegacyInterop group, which is designed for interoperability with Exchange 2003 servers within the same forest, the other security groups directly relate to the roles that you can assign from within the Exchange Management Console.
The roles you can assign include the capabilities shown in Table 1.
Table 1. Roles You Can Assign in Exchange Management Console
| Role | Permissions |
|---|---|
| Exchange Organization Administrator | This is the highest role you can assign and gives an individual the capability to configure and control all organization-wide settings, including the capability to handle Edge servers, Unified Messaging (UM) settings, Recipient objects, and so on. |
| Exchange Public Folder Administrator | Gives a person the capability to create and manage top-level folder objects, use the Public Folder Management Console, and run Exchange Management Shell (EMS) commands relating to Public Folders. |
| Exchange Recipient Administrator | Gives a person the capability to create and manage recipient objects such as users, contacts, distribution groups, dynamic distribution groups, and Public Folders. |
| Exchange View-Only Administrator | Enables a person to view items in the Exchange organization tree. Although it might seem like a basic set of permissions, other roles require these permissions to fulfill their requirements. |
| Exchange Server Administrator | Enables this person to handle server-related tasks such as storage group and database control, Client Access Server (CAS) settings, Hub Transport (HT), and UM settings. Note: The person must also be a member of the local Administrators group to grant these permissions. |

To assign an administrative role to a user or group, perform the following steps:

1. Open the Exchange Management Console (EMC).
2. From the Navigation Tree, expand the Organization Configuration work center.
3. From the Actions pane, select Add Exchange Administrator.
4. The Add Exchange Administrator Wizard displays and the first screen has you select a user or group and choose a role and scope for the Exchange administrator (as you can see in Figure 1).
5. Select the server(s) that the role has access to by selecting the Add option and choosing those servers you want the person or group to be able to control.
6.
7. After the wizard is complete, you are taken to the Completion screen where a green checkmark and Completed affirmation is given and you can click Finish.

To remove any of the Exchange Administrators, you simply select the user or group from the Results pane and select Remove from the Actions pane.

PS Note

The EMS cmdlet used to create an Exchange Administrator is Add-ExchangeAdministrator -Identity "Name of Person or Group" -Role (OrgAdmin, PublicFolderAdmin, RecipientAdmin, ServerAdmin, or ViewOnlyAdmin) -Scope "Server Names". To view all Exchange Administrators, type Get-ExchangeAdministrator.
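
The following is an added example, not part of the original text: it uses the two cmdlets from the PS Note to delegate a server-scoped role instead of an organization-wide one, then reviews who holds each role. The group name CONTOSO\Exchange-Server-Ops and the server name EXCH01 are constructed placeholders, and the script assumes that Get-ExchangeAdministrator returns objects with Identity, Role, and Scope properties and that Identity ends with the group name.

```powershell
# Run in the Exchange Management Shell (EMS) on Exchange 2007.
# Constructed placeholders: substitute your own group and server.
$delegate = 'CONTOSO\Exchange-Server-Ops'
$server   = 'EXCH01'

# Delegate the narrowest role that fits the job: ServerAdmin limited to
# one server, rather than the organization-wide OrgAdmin role.
# -WhatIf previews the change; remove it to apply.
Add-ExchangeAdministrator -Identity $delegate -Role ServerAdmin -Scope $server -WhatIf

# Collect the current assignments once (assumed properties: Identity, Role, Scope).
$admins = @(Get-ExchangeAdministrator)

# Full listing, ordered so that each role's holders appear together.
$admins | Sort-Object Role, Identity |
    Format-Table Identity, Role, Scope -AutoSize

# How many principals hold each role.
$admins | Group-Object Role | Select-Object Name, Count

# OrgAdmin is the highest role in Table 1. List every OrgAdmin holder
# other than the default security group so each one can be justified.
# Assumption: Identity renders as a path ending in the group name.
$defaultGroup = 'Exchange Organization Administrators'
$extraOrgAdmins = @($admins | Where-Object {
    $_.Role.ToString() -eq 'OrgAdmin' -and
    $_.Identity.ToString() -notlike "*$defaultGroup"
})

if ($extraOrgAdmins.Count -gt 0) {
    Write-Warning "OrgAdmin granted outside '$defaultGroup':"
    $extraOrgAdmins | Format-Table Identity, Role, Scope -AutoSize
} else {
    Write-Host "No OrgAdmin assignments outside '$defaultGroup'."
}

# ServerAdmin holders and the servers they can control, for comparison
# against the list of people who actually operate those servers.
$admins | Where-Object { $_.Role.ToString() -eq 'ServerAdmin' } |
    Sort-Object Scope | Format-Table Scope, Identity -AutoSize
```

As Table 1 notes, a ServerAdmin delegate must also be a member of the local Administrators group on the scoped server, so review that group's membership alongside this output.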