Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Logical security and administration delegation within Exchange 2003

Posted on 2008-10-11
3
Medium Priority
?
218 Views
Last Modified: 2012-05-05
Hi Guys

I was searching for some tips/guidelines to design Administration delegation and access control for our newly implemented exchange organisation built upon 2003. There are various locations across the globe and the underlying Windows 2003 R2 infrastructure is that of a single forest/domain architecture.

Pls advise the best practices to go about logically securing this exchange organisation.

Thx in advance!  
0
Comment
Question by:fahim
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 22694542
This is a very general question.  SO, you will probably get general answers, if any.
 
Of course, with WIndwos 2003 R2 you can delegate administrative permissions over file system rights, roles, as well as exchange stores and roles within the stores.  You seem to indciate that the server structure for the forest and domain alreadty exist.  I assume that you have administrative rights delegated for those servers.  Are the exchange servers already set up and running, or are are you talking about a new implementation?  Do you know how you want to distribute your stores and the users for each store?  I assume they will probably be geographically distributed, and within that politically (by department -- or all departments sharing a store at a location).  WOuld it not make sense to distribute administrative rights to appropriate people along the same lines?
 
0
 

Author Comment

by:fahim
ID: 22694925
Hi Stone..I'll be more specific. The need is define roles for exchange administrators while maintaining centralised authority. Yes, exchange server are already running. Stores are geographically distributed and further business unit wise (call it political) but not further demarcated. Centralised IT is managing all of them though. Also! Can't distribute admin rights across the same way and need to maintain strict central administration and confidentiality of user's mailboxes even from local admins.

From what I read in Microsoft's exchange security hardening guide, I have the option of three levels of administrative roles within Exchange.
 
1. Exchange View Only
2. Exchange administrator
3. Exchange Full administrator

It further sates within the description of Exchange Admin: "Grants all permissions except for ability to take ownership, change permissions, or open user mailboxes."

And describing the function of Exchange Full Admin: " Grants all permissions to all objects below that container except for the ability to open user mailboxes or impersonate a user's mailbox, including the ability to change permissions. "

Now which one of these roles has full authority over user's mailboxes? My guess is, Full Admin--Right?
So, guys in this category should be the least.

Further the doc explains exchange hierarchical levels:

Exchange provides three levels at which you can apply Access Control Lists (ACLs) and administrative permissions. The three levels are:

1. Organization Level  Includes all Exchange Administrative Groups and the Exchange servers they contain. This is the top level and users with administrative permissions at this level can manage the entire Exchange organization.

2. Administrative Group Level  This level includes all Exchange servers in the Administrative group. An administrative group can be compared to an Active Directory domain, where the domain is the administrative boundary.
3. Server Level

.....How do I decide and map my administrative permissions vis a vis these hierarchical levels in best possible ways?
0
 
LVL 8

Accepted Solution

by:
sstone55423 earned 2000 total points
ID: 22721798
The administrative group level would allow you on a domain by domain basis to limit access.  I don't know if your geograohical/departmental structure is consistent with that.  You may need to customize it based at a server by server level if the fit is not clean along the domain basis.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
New style of hardware planning for Microsoft Exchange server.
This video discusses moving either the default database or any database to a new volume.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question