Contents
Overview 1
Overview of the Administrative Utilities 2
Introduction to Exchange System Manager 4
Managing Administrative Security 9
Lab A: Creating a Mail-enabled User Account 21
Creating and Configuring Administrative Groups 27
Lab B: Setting Security on Administrative Groups 33
Using Exchange 2000 System Policies 39
Administering Exchange 2000 Address Lists 43
Lab C: Managing an Address List in Exchange 2000 53
Review 59

Module 3: Administering Microsoft Exchange 2000

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BackOffice, JScript, NetMeeting, Outlook, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Program Manager: Steve Thues
Product Manager: Megan Camp
Instructional Designers: Bill Higgins (Volt Technical), Jennifer Morrison, Priya Santhanam
(NIIT (USA) Inc), Samantha Smith, Alan Smithee
Instructional Software Design Engineers: Scott Serna
Subject Matter Experts: Krista Anders, Megan Camp, Chris Gould (Global Logic Ltd),
Janice Howd, Elizabeth Molony, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC)
Technical Contributors: Karim Batthish, Paul Bowden, Kevin Kaufman, Barry Steinglass,
Jeff Wilkes
Graphic Artist: Kimberly Jackson (Independent Contractor)
Editing Manager: Lynette Skinner

Editor: Kelly Baker
Production Manager: Miracle Davis
Build Manager: Julie Challenger
Production Support: Marlene Lambert (Online Training Solutions, Inc)
Test Manager: Eric Myers
Courseware Testing: Robertson Lee (Volt)
Creative Director, Media/Sim Services: David Mahlmann
Web Development Lead: Lisa Pease
CD Build Specialist: Julie Challenger
Localization Manager: Rick Terek
Operations Coordinator: John Williams
Manufacturing Support: Laura King; Kathy Hershey
Lead Product Manager, Release Management: Bo Galford
Lead Product Manager, Messaging: Dave Phillips
Group Manager, Courseware Infrastructure: David Bramble
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart


Instructor Notes
This module provides students with the information necessary to assign administrative roles to users and groups, grant and delegate permissions to administrators, use administrative groups to manage administrative permissions, and create system policies to manage Microsoft® Exchange 2000 objects.

After completing this module, students will be able to:
- Describe the utilities that you can use to modify the Active Directory™ directory service.
- Describe the main components of Exchange System Manager that are used to administer Exchange 2000.
- Manage administrative security by granting permissions, overriding inherited permissions, and delegating permissions.
- Create administrative groups and configure administrative groups to secure an Exchange organization.
- Create and apply system policies and secure system policy creation.
- Create, configure, and update address lists in Exchange 2000.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.

Required Materials
To teach this module, you need the following materials:
- Microsoft PowerPoint® file 1572A_03.ppt

Preparation Tasks
To prepare for this module, you should:
- Read all the materials for this module.
- Complete the labs.

Presentation: 75 Minutes
Lab: 55 Minutes

Module Strategy
Use the following strategy to present this module:
- Introduction to the Administrative Utilities
  In this topic, describe the four utilities that you can use to grant permissions, assign roles, and create system policies. Inform the students that Exchange System Manager is the utility used for most administration tasks.
- Introduction to Exchange System Manager
  In this topic, explain the properties of the Organization object in Exchange System Manager. Also, list and explain the top-level containers located under the Organization object in Exchange System Manager.
- Managing Administrative Security
  In this topic, explain how to grant permissions to administrators to enable them to carry out their tasks. Explain how to do this manually as well as by using the Exchange System Manager. Also explain how to delegate permissions using the Exchange Administration Delegation Wizard.
- Creating and Configuring Administrative Groups
  In this topic, explain how to create a new administrative group. Next, explain how to grant permissions to an administrative group manually or by using the Exchange Administration Delegation Wizard.
- Using Exchange 2000 System Policies
  In this topic, explain how to manage Exchange 2000 objects using system policies. List the objects for which you can create system policies. Explain how to create policies and apply them to an Exchange organization.
- Administering Exchange 2000 Address Lists
  In this topic, describe the various address lists available in Exchange 2000. Explain how to create custom address lists and offline address lists. Explain how address lists can be configured to meet different requirements. Finally, explain how to keep address lists up-to-date by using the Recipient Update Service.


Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1572A, Implementing and Managing Microsoft Exchange 2000.

Lab Setup
The following list describes the setup requirements for the labs in this module.

Setup Requirement 1
The labs in this module require Exchange 2000. To prepare student computers to meet this requirement, perform one of the following actions:
- Complete the labs for Module 2, “Installing Microsoft Exchange 2000,” in course 1572A, Implementing and Managing Microsoft Exchange 2000.
- Install Exchange 2000 at D:\Program Files\Exchsrvr on each server into an organization named Northwind Traders. Components installed are Microsoft Exchange Messaging and Collaboration Services, Microsoft Exchange System Management Tools, and Microsoft Exchange Instant Messaging Service.

Setup Requirement 2
The labs in this module require a custom MMC. To prepare student computers to meet this requirement, perform one of the following actions:
- Complete the labs for Module 2, “Installing Microsoft Exchange 2000,” in course 1572A, Implementing and Managing Microsoft Exchange 2000.
- Have the students create a custom MMC in the C:\Documents and Settings\All Users\Desktop that is saved as your_firstname Console. The MMC contains the Active Directory Users and Computers snap-in and the Exchange System snap-in.


Lab Results
Performing the labs in this module introduces the following configuration changes:
- An organizational unit is created in Active Directory that is named your_servernameOU for each server in the classroom.
- A user account is created in each server’s organizational unit for each student. The account is a member of the Domain Admins group and has a mailbox on the student’s Exchange server.
- An Outlook profile is created for each student on their own server that opens their mailbox.
- The Domain Admins group is delegated Full Administrator role on the Northwind Traders organization.
- An address list is created that shows users with the city attribute set to the student’s server name.



Overview
- Overview of the Administrative Utilities
- Introduction to Exchange System Manager
- Managing Administrative Security
- Creating and Configuring Administrative Groups
- Using Exchange 2000 System Policies
- Administering Exchange 2000 Address Lists


Administering a large Microsoft® Exchange 2000 organization is more than a one-person task. In this module, you will learn how to grant permissions, assign roles, and apply system policies so that specific administrative tasks can be safely delegated to other administrators.

After completing this module, you will be able to:
- Describe the utilities that you can use to modify the Active Directory™ directory service.
- Describe the main components of Exchange System Manager that are used to administer Exchange 2000.
- Manage administrative security by granting permissions, overriding inherited permissions, and delegating permissions.
- Create administrative groups and configure administrative groups to secure an Exchange organization.
- Create and apply system policies and secure system policy creation.
- Create, configure, and update address lists in Exchange 2000.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to administer Exchange 2000.

Overview of the Administrative Utilities
Slide: Administrative Utilities: Active Directory Schema, Exchange System Manager, Ldp.exe, Adsiedit.exe.


Exchange 2000 security builds on Windows 2000 security. Therefore, administering Exchange 2000 involves making changes to the Active Directory directory service. For example, you can grant permissions, assign roles, and create system policies. There are several utilities available that you can use to make changes to Active Directory.

Exchange System Manager
Exchange System Manager is a Microsoft Management Console (MMC) snap-in that you can use to:
- Provide a framework for containing all other Exchange snap-ins so that you can manage an entire Exchange enterprise from a single console.
- Provide a consistent administrative experience for administrators who deal with all facets of Exchange, including public folders, servers, routing, and policies.

ADSI Edit
ADSI Edit (Adsiedit.exe) is a low-level Active Directory editor that uses Active Directory Services Interface (ADSI) to view and modify objects in the Active Directory, including the attributes and properties of a specific user or group. You need to use ADSI Edit to perform administrative tasks that cannot be performed using Exchange System Manager or Active Directory Users and Computers.
For example, ADSI Edit enables you to specify how the full name attribute is generated; this cannot be specified using Exchange System Manager or Active Directory Users and Computers. ADSI Edit is included with the Microsoft Windows® 2000 support tools.

Topic Objective: To list and describe the utilities that you can use to modify Active Directory.
Lead-in: You can choose from four utilities for administering Exchange 2000.

Active Directory Administration Tool
You can use the Active Directory Administration Tool (ldp.exe), a generic Lightweight Directory Access Protocol (LDAP) tool, to connect to an LDAP compatible directory. The Active Directory Administration Tool is similar to ADSI Edit in that it allows you to view and modify objects in Active Directory. The Active Directory Administration Tool is also useful for viewing replication information of objects, such as when the object was last replicated. The Active Directory Administration Tool is included in the Windows 2000 Server support tools.

Active Directory Schema
Active Directory Schema is an MMC snap-in that allows you to view attribute and class configuration. This is different from ADSI Edit and Active Directory Administration Tool in that you cannot view instances of an object, such as a specific user.

Note: Before loading Active Directory Schema, you must register its dynamic-link library (DLL) by typing Regsvr32 schmmgmt.dll at the command prompt, and then pressing ENTER.

Introduction to Exchange System Manager
- Exchange System Manager
- Organization Object Properties
- Top-Level Containers

As an administrator, you need to configure, maintain, and secure your Exchange organization. Exchange System Manager provides all of the configuration options you need in one convenient MMC snap-in. Because you will primarily use Exchange System Manager to administer the Exchange 2000 organization, this utility is the focus in this module.

Topic Objective: To introduce Exchange System Manager.
Lead-in: You can perform most tasks for administering an Exchange organization using Exchange System Manager.

Exchange System Manager
Slide: Exchange System Manager, running on the administrator's computer, connects to Active Directory on a domain controller.


You start Exchange System Manager by clicking Start, pointing to Programs, Microsoft Exchange, and then clicking System Manager.
Exchange System Manager will, by default, connect to a domain controller that exists on the same subnet as the computer running Exchange System Manager. The domain to which Exchange System Manager will connect is determined by the Domain Name System (DNS) entries.
If no domain controller exists on the same subnet, a domain controller will be chosen from within the same Windows 2000 site. After Exchange System Manager connects to a domain controller, Active Directory is queried to populate the console with data applicable to Exchange 2000.
You may want to override connecting to the default domain controller in the following scenarios:
- You need to bypass Active Directory replication latency.
- You want to use the same administrator computer to connect to multiple domain controllers in different Windows 2000 forests to manage different companies or divisions.

Note: If you want to direct the Exchange System Manager console to a specific domain controller, you must add the Exchange System Manager snap-in to an MMC console. Prior to adding the snap-in to the console, you will be prompted for the specific domain controller to administer. This domain controller information will be maintained in the saved console file.

Topic Objective: To explain how to start Exchange System Manager.
Lead-in: Exchange System Manager displays data from Active Directory in the Windows 2000 domain.

Organization Object Properties
Slide: Organization Object Properties. General: displays general properties including routing groups and administrative groups. Details: displays details such as the date of creation and last modification. Security: lists the users and groups that can access the Organization object along with the permissions.



The Organization object is the top-level container for all other Exchange 2000 system objects. You can access the properties of an Organization object by using Exchange System Manager.
The following table describes the options in the Property dialog box of the Organization object:

General tab
  Display routing groups: Displays the organization’s routing group information.
  Display administrative groups: Displays the organization’s administrative groups. An administrative group is a collection of Exchange objects that are grouped together to simplify management of permissions. This option is disabled by default.
  Operation mode: Displays information about whether the organization is running in mixed mode or native mode. By default, the servers run in mixed mode.
  Change operation mode: Converts the organization to native mode. You should select this option only when you are certain that you will no longer be coexisting with Microsoft Exchange Server 5.5. This action is not reversible.
Details tab
  Creation Date: Displays when the Organization object was created in Active Directory.
  Last modification: Displays the date and time of the last modification to the Organization object.

Topic Objective: To describe the Organization object properties for an Exchange 2000 organization.
Lead-in: The Organization object is the top-level container for an Exchange 2000 organization.

(continued)

Details tab (continued)
  Administrative note: Provides additional information about the Exchange organization that can be added by an administrator.
Security tab
  Name: Displays the users and groups that currently have permissions on the Organization object. Click Add or Remove to modify this listing.
  Permissions: Displays the access permissions for the object selected in the Name window. Select Allow or Deny to modify the access rights of the selected object.
  Advanced: Views or configures specific permissions, auditing, and object owner properties.
  Allow inheritable permissions from parent to propagate to this object: If cleared, this option prevents the Organization object from inheriting permissions from its parent.

Note: The Security tab is not available by default on the Organization and Administrative Groups objects. You can enable the Security tab on these objects by adding the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin\ShowSecurityPage=dword:00000001 (enable) or 0 (disable)

Top-Level Containers
Slide: The Organization object with its top-level containers: Global Settings, Recipients, Administrative Groups, Servers, System Policies, Connectors, Tools.


The Organization object contains several top-level containers that hold Exchange 2000 system settings. The contents of these containers change depending on which display options you select in the organizational unit properties.
For example, if you display administrative groups, then the containers Servers, Policies, and Connectors will appear under the specific Administrative Group object.

Container: Child containers
  Global Settings: Organization-wide Internet message formats, message delivery, and instant messaging properties
  Recipients: Recipient policies, address lists, and address templates
  Administrative Groups (not visible by default): All administrative groups that you have defined for the organization. Each administrative group container displays containers representing the associated servers, policies, connectors and folders.
  Servers: All servers defined in your organization
  System Policies (not visible by default): All defined mailbox store, public store, and server policies
  Connectors: Simple Mail Transfer Protocol (SMTP), X.400, cc:Mail, MS Mail, Lotus Notes, Groupwise and Dirsync connector objects. If you are viewing routing groups, you will also see connectors within the corresponding routing group.
  Tools: Site Replication Services, track messages, and monitor servers and connectors from this container.

Topic Objective: To list and describe the top-level containers in an Exchange 2000 organization.
Lead-in: Top-level containers organize various system settings.
Managing Administrative Security
- Types of Permissions
- Permission Inheritance
- Delegating Permissions to Administrators
- Scope of Permissions
- Delegating Permissions Manually
- Permissions Required for Administrative Tasks

You can grant administrative privileges in Exchange 2000 by giving Windows 2000 users and groups permissions to Exchange 2000 objects. You can grant these permissions by using Exchange System Manager. Granting these permissions makes administration more secure because you can specify who can gain access to which Exchange 2000 objects. You can grant or deny permissions on individual objects and containers to specific users or groups. You can also configure permissions so that they propagate down the Exchange object console tree.

Topic Objective: To introduce this topic.
Lead-in: You must grant permissions to Administrators for the Exchange objects that they need to administer.

Types of Permissions
Slide: Standard Permissions: Full control, Read, Write, Delete, Read permissions, Change permissions, Take ownership, Create children, Delete children, List contents, Read properties, Write properties, List objects. Extended Permissions: Add PF to admin group, Create public folder, Open mail send queue, Read metabase properties, Administer information store, View information store status, Receive As, Send As.


Exchange 2000 uses the security model of Windows 2000 and Active Directory to manage access to objects. All Exchange 2000 objects are secured with a discretionary access control list (DACL) and individual Access Control Entries (ACEs) that give users and groups specific permissions to control administrative access to an object.
You can configure permissions for an object using the Security tab of the object in Exchange System Manager. You can either grant or deny permissions. A permission that is denied overrides all other instances of this permission being allowed to the user or group.
There are two types of permissions: standard and extended. Standard permissions are part of the default permissions for Active Directory. Extended permissions are added when Exchange 2000 is installed.

Standard Permissions
Standard permissions are Active Directory permissions that you can apply to Exchange 2000 objects. The following table lists the standard permissions for Active Directory.

Permission: Description
  Full control: Full permissions on the object
  Read: View the object in System Manager
  Write: Make changes to the object
  Delete: Delete the object
  Read permissions: View the security settings for the object

Topic Objective: To identify the types of permissions in Exchange 2000.
Lead-in: There are two types of permissions in Exchange 2000—standard and extended.

(continued)

Permission: Description
  Change permissions: Modify the permissions on the object
  Take ownership: Take ownership of the object
  Create children: Create child objects
  Delete children: Delete child objects
  List contents: View the contents of a container object
  Read properties: View the properties of the object
  Write properties: Modify the properties of the object
  List object: View the object in a container object

Note: The Execute, Add/remove self, and Delete tree permissions available in Active Directory are not applicable to Exchange 2000 objects.

Extended Permissions
Extended permissions are Exchange 2000 permissions that you can use to achieve more specific administrative control. For example, the Server object has the Administer Information Store extended permission that enables you to specify which users or groups can make changes to the Information Store objects.
You should use the two extended permissions, Send As and Receive As, with caution. Send As gives a user or group permission to impersonate another user. Receive As gives a user or group the capability to open another user’s mailbox. When using the Exchange Administration Delegation Wizard to assign permissions in Exchange System Manager, the Send As and Receive As permissions are denied. However, if you grant a user or group both the Send As and Receive As permissions manually using Exchange System Manager, it results in the Full Mailbox Access permission. This will enable the user or group to open all user mailboxes.

Important: Exchange 2000 does not recognize the Receive As permission granted on the user object Security page in Active Directory Users and Computers. Exchange 2000 only recognizes the Receive As extended permission granted on Exchange 2000 objects.

The extended permissions listed in the graphic are a subset of the extended permissions available.

Permission Inheritance
Slide: Permissions on the Organization object propagate to the Recipients container.


A child object inherits permissions from its parent object by default. This is known as inheritance and can simplify setting permissions on objects in the following ways:
- It eliminates the need to manually apply permissions to child objects when child objects are created. Permissions can be applied to all child objects by simply applying the permissions to the parent object.
- It ensures that the permissions attached to a parent object are applied consistently to all child objects.

You can view permissions by opening the Property dialog box of a child object, clicking the Security tab, and then clicking Advanced. The Access Control Settings dialog box opens. All inherited permissions appear shaded in this dialog box.
You can override inheritance by:
- Modifying permissions inherited by a child object
  In some cases you may not want to have permissions inherited from a parent object. For example, when you create a new routing group, it will inherit the permissions from the administrative group in which it was created. If you want different permissions on the new routing group, you can change the inheritance of the routing group so that permissions from the parent administrative group are not propagated to the new routing group.
  Inherited permissions can be modified by clearing the Allow inheritable permissions from parent to propagate to this object check box on the Security tab of the child object. Clearing this check box removes the permissions inherited from the parent object.

Topic Objective: To identify how permissions are inherited in Exchange 2000.
Lead-in: Inheritance of permissions simplifies administration in Exchange 2000.
Delivery Tip: Demonstrate how to modify permissions inherited by a child object.


Important: If you remove inherited permissions and specify that permissions should be applied to the parent object only, the child objects will be left with no permissions (an implicit Deny permission). This will prevent access to Exchange 2000 objects in the Exchange System Manager. In this case, you can restore the permissions using the Adsiedit.exe utility.

- Preventing permissions from propagating to child objects
  You can prevent permissions from propagating to child objects by using the Security tab of the parent object. From the Security tab, you need to access the Advanced dialog box, where you can modify the access control settings. For each access control setting, you can specify whether the permissions should apply only to the parent object, or whether the permissions should apply to the parent object as well as its child objects.

Delivery Tip: Demonstrate how to prevent permissions from propagating to child objects.

Delegating Permissions to Administrators
Slide: Exchange Administration Delegation Wizard, Users or Groups page (select one or more users or groups to whom you want to delegate control); permissions applied using the Exchange Administration Delegation Wizard.



Administrators must be granted the necessary permissions to perform their administrative tasks in Exchange 2000. You can grant these permissions using an automated wizard called the Exchange Administration Delegation Wizard. You can also grant these permissions manually.
The Exchange Administration Delegation Wizard enables you to select a user or a group, and give them a specific administrative role. The delegation wizard supports the following three roles:
- Exchange Full Administrator. Users can fully administer Exchange system information (for example, add, delete, and rename objects) and modify permissions. You should delegate this role to administrators who need to configure and control access to your mail system.
- Exchange Administrator. Users can fully administer Exchange system information. However, they cannot modify permissions. You should delegate this role to users or groups responsible for the day-to-day administration of Exchange (for example, add, delete, and rename objects).
- Exchange View Only Administrator. Users can view Exchange configuration information. You should delegate this role to administrators of other administrative groups who need to view organization information of other administrative groups that they are not administering.

Topic Objective: To list and describe the three roles that can be applied to a user or a group.
Lead-in: You can delegate permissions on Exchange 2000 objects manually, or by using Exchange Administration Delegation Wizard.

Scope of Permissions
Slide: Types of Roles: Full Administrator, Exchange Administrator, View Only Administrator.


You can start the Exchange Administration Delegation Wizard from the Organization object or from specific administrative group containers. Where you start the wizard will determine the scope of objects on which the user or group will have permissions. If you start the wizard from the Organization object, the permissions assigned will be propagated down the hierarchy to all objects in the organization. If you start the wizard from an Administrative Group object, permissions will propagate to all objects in that administrative group; however, read-only permissions will also be granted from the Administrative Group object up the hierarchy so that the administrator will be able to view the hierarchy.

Important: In order to use the Exchange Administration Delegation Wizard, you must have Full Administrator permissions at the organization level.

When you use the Exchange Administration Delegation Wizard, permissions are actually applied at the Microsoft Exchange container level in Active Directory and inherited through to the organization. This container is above the organization container for the Exchange 2000 organization. You can configure the permissions on the Microsoft Exchange container within the Active Directory schema using ADSI Edit:
CN=Configuration…, CN=Services, CN=Microsoft Exchange

Topic Objective: To identify the permissions granted on objects when an administrative role is applied to an administrator.
Lead-in: The scope of permissions depends on where you start the Exchange Administration Delegation Wizard in Exchange System Manager.
Delivery Tip: Demonstrate how to modify permissions on the Microsoft Exchange container using ADSI Edit.
Full Administrator Role

The following table lists the permissions granted on each container when you
apply the Full Administrator role at the organization level by using the
Exchange Administration Delegation Wizard.

| Container | Permissions | Apply to subcontainers? |
| --- | --- | --- |
| Microsoft Exchange | Full Control | Yes |
| Organization | Send As and Receive As denied | Yes |
| Administrative Groups | All permissions inherited; Send As and Receive As inherited as denied | Yes |

Exchange Administrator Role

The following table lists the permissions granted on each container when you
apply the Exchange Administrator role at the organization level by using the
Exchange Administration Delegation Wizard.

| Container | Permissions | Apply to subcontainers? |
| --- | --- | --- |
| Microsoft Exchange | All permissions except Full Control | Yes |
| Organization | Send As and Receive As denied | Yes |
| Administrative Groups | All permissions inherited except Full Control; Send As and Receive As inherited as denied | Yes |

View Only Administrator Role

The following table lists the permissions granted on each container when you
apply the View Only Administrator role at the organization level by using the
Exchange Administration Delegation Wizard.

| Container | Permissions | Apply to subcontainers? |
| --- | --- | --- |
| Microsoft Exchange | Read allowed | Yes |
| Organization | Read inherited; View information store status allowed | Yes |
| Administrative Groups | Read and View information store status inherited | Yes |
Delegating Permissions Manually

[Slide: the Security tab of the First Administrative Group Properties dialog,
showing permissions such as List object, Add PF to admin group, Create public
folder, and Create top level public folder applied manually to users or groups
such as NWTRADERS1\Domain Admins.]
The Exchange Administration Delegation Wizard is most useful when you are
granting a user or group permissions on all objects in a scope. If you need
more specific permissions, you must apply them manually.

For example, to create an administrative role that grants full access to all
Exchange 2000 objects except storage groups, first use the Exchange
Administration Delegation Wizard to apply the Full Administrator role to the
group, and then manually deny the Full Control permission on each storage
group object. Because an explicit deny takes precedence over the inherited
allow, these administrators have full access to all objects except the storage
groups and their child objects. In fact, they do not even see the storage
group objects in Exchange System Manager, because the deny removes the Read
permission.
Consider the following when manually granting permissions to administer
Exchange 2000:

• When you grant a user or group explicit permissions on a child object, also
grant at least Read permission on each of its parent objects. Otherwise the
user or group cannot navigate the hierarchy in Exchange System Manager to
reach the object on which they have permissions.

• When you grant Full Control manually, it includes the Send As and Receive
As extended rights, which the wizard explicitly denies. A user to whom you
delegate Full Control manually therefore has full mailbox access to every
mailbox in the scope and can open any mailbox and send as any user. To
prevent this, explicitly deny Send As and Receive As on the object on which
you granted Full Control. The wizard denies them at the organization level
because its own grant sits on the parent Microsoft Exchange container; a deny
placed higher in the hierarchy than a manual grant does not help, because
Windows evaluates inherited ACEs from the nearest parent first, so a Full
Control allow inherited from an administrative group is honored before a deny
inherited from the organization.

Topic Objective: To identify the guidelines for delegating permissions manually.
Lead-in: There are situations in which you may have to delegate permissions manually.
Note: When you use the Exchange Administration Delegation Wizard, the Send As
and Receive As permissions are explicitly denied at the organization level
rather than granted. For this reason, it is recommended that you delegate
permissions to administer Exchange 2000 by using the Exchange Administration
Delegation Wizard whenever its roles are specific enough.

• Document all permissions that you grant manually so that they can easily
be restored or removed when you troubleshoot security problems.
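The following Python script is an added worked example; it is not part of the course material or of Exchange. It models how the ACEs written by the Exchange Administration Delegation Wizard (the role tables above) and ACEs applied manually (the guidelines above) combine under the Windows canonical ACE order: explicit ACEs before inherited ones, inherited ACEs from the nearest parent before those from farther ancestors, and deny before allow within each group. The container hierarchy is shortened, right names are plain strings, Full Control is modelled as the union of the rights named in this module, and the trustee NWTRADERS1\Exchange Admins is a constructed name.

```python
"""Model of how Exchange 2000 delegation ACEs combine down the configuration tree.

Added worked example, not course material or Exchange code. It simulates the Windows DACL
canonical order (explicit ACEs before inherited ones; inherited ACEs from the nearest parent
before those from farther ancestors; deny before allow within each group). Right names are
strings, Full Control is the union of the rights listed, the tree is shortened, the trustee
name is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

READ = "Read"
WRITE = "Write"
CHANGE_PERMISSIONS = "Change permissions"   # what the Exchange Administrator role lacks
VIEW_STORE_STATUS = "View information store status"
SEND_AS = "Send As"
RECEIVE_AS = "Receive As"                   # effective Receive As on a store = full mailbox access
FULL_CONTROL = frozenset({READ, WRITE, CHANGE_PERMISSIONS, VIEW_STORE_STATUS, SEND_AS, RECEIVE_AS})
MAILBOX_RIGHTS = frozenset({SEND_AS, RECEIVE_AS})
ADMINS = "NWTRADERS1\\Exchange Admins"      # constructed trustee name

@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool
    rights: FrozenSet[str]
    inherit: bool = True                    # "apply to subcontainers"

@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    aces: List[Ace] = field(default_factory=list)

    def child(self, name: str) -> "Container":
        return Container(name, parent=self)

    def grant(self, trustee: str, rights, allow: bool = True) -> None:
        self.aces.append(Ace(trustee, allow, frozenset(rights)))

def canonical_dacl(container: Container) -> List[Ace]:
    """ACEs that apply to `container`, in the order Windows evaluates them."""
    ordered: List[Ace] = []
    node, depth = container, 0
    while node is not None:
        group = node.aces if depth == 0 else [a for a in node.aces if a.inherit]
        ordered += [a for a in group if not a.allow]   # deny before allow at each level
        ordered += [a for a in group if a.allow]
        node, depth = node.parent, depth + 1           # nearest parent first
    return ordered

def effective_rights(container: Container, trustee: str) -> FrozenSet[str]:
    """The first ACE in canonical order that mentions a right decides it."""
    decided: Dict[str, bool] = {}
    for ace in canonical_dacl(container):
        if ace.trustee == trustee:
            for right in ace.rights:
                decided.setdefault(right, ace.allow)
    return frozenset(r for r, allowed in decided.items() if allowed)

def build_tree():
    ms_exchange = Container("Microsoft Exchange")
    org = ms_exchange.child("Organization")
    first_ag = org.child("Administrative Groups").child("First Administrative Group")
    return ms_exchange, org, first_ag, first_ag.child("First Storage Group")

def wizard_full_administrator(ms_exchange: Container, org: Container, trustee: str) -> None:
    """What the wizard writes for the Full Administrator role (see the role table)."""
    ms_exchange.grant(trustee, FULL_CONTROL)
    org.grant(trustee, MAILBOX_RIGHTS, allow=False)

def scenario_wizard() -> FrozenSet[str]:
    ms_exchange, org, _, sg = build_tree()
    wizard_full_administrator(ms_exchange, org, ADMINS)
    return effective_rights(sg, ADMINS)     # Full Control minus Send As and Receive As

def scenario_hide_storage_group():
    ms_exchange, org, first_ag, sg = build_tree()
    wizard_full_administrator(ms_exchange, org, ADMINS)
    sg.grant(ADMINS, FULL_CONTROL, allow=False)   # explicit deny beats the inherited allow
    return effective_rights(sg, ADMINS), effective_rights(first_ag, ADMINS)

def scenario_manual(deny_on: Optional[str]) -> bool:
    """Full Control ticked by hand on the administrative group, then Send As and Receive As
    denied on `deny_on` ("org", "admin group" or None). Returns whether mailbox access remains."""
    _, org, first_ag, sg = build_tree()
    first_ag.grant(ADMINS, FULL_CONTROL)
    if deny_on == "org":
        org.grant(ADMINS, MAILBOX_RIGHTS, allow=False)        # farther than the grant: ignored
    elif deny_on == "admin group":
        first_ag.grant(ADMINS, MAILBOX_RIGHTS, allow=False)   # same object as the grant: wins
    return RECEIVE_AS in effective_rights(sg, ADMINS)

if __name__ == "__main__":
    print("wizard role, rights on storage group:", sorted(scenario_wizard()))
    hidden, visible = scenario_hide_storage_group()
    print("deny Full Control on storage group:", sorted(hidden), "| admin group:", sorted(visible))
    for where in (None, "org", "admin group"):
        print(f"manual Full Control on admin group, deny on {where}: mailbox access =", scenario_manual(where))
```

Run it and read the three results: the wizard's role yields Full Control minus Send As and Receive As on the storage group; an explicit deny on the storage group leaves no rights there (no Read, so the object is invisible) while the administrative group is untouched; and a manual Full Control on an administrative group keeps full mailbox access unless the deny is placed on that same object, because a deny inherited from the farther organization container is evaluated after the allow inherited from the nearer administrative group.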
Permissions Required for Administrative Tasks

To perform a task, an administrator may require:
• Specific permissions in Exchange 2000
• Specific Windows 2000 group membership
In addition to the roles assigned by using the Exchange Administration
Delegation Wizard or the permissions granted manually, certain Windows 2000
group memberships are required to manage Exchange 2000.

If you assign an administrator the Write permission on objects in an
organization or administrative group, that administrator must also be a local
administrator on each computer running Exchange 2000 that he or she needs to
manage. Local administrator rights are needed to start and stop services and
to access the registry, the IIS metabase, and the file system during
administrative operations.

The following table lists the Exchange 2000 permissions or roles and the
Windows 2000 group memberships required for some common administrative tasks.
| Task | Exchange 2000 permissions | Windows 2000 group memberships |
| --- | --- | --- |
| Create and delete mailboxes | At least the Exchange View Only Administrator role on the administrative group that contains the target server running Exchange 2000. If you also manage public folder objects, ensure that your administration account is mail-enabled or mailbox-enabled. | Permission to create user objects in Active Directory. |

Topic Objective: To identify the permissions required for performing some administrative tasks.
Lead-in: Here are some examples of administrative tasks and the permissions required for them.