Solved

Logical security and administration delegation within Exchange 2003

Posted on 2008-10-11
3
211 Views
Last Modified: 2012-05-05
Hi Guys

I was searching for some tips/guidelines to design Administration delegation and access control for our newly implemented exchange organisation built upon 2003. There are various locations across the globe and the underlying Windows 2003 R2 infrastructure is that of a single forest/domain architecture.

Pls advise the best practices to go about logically securing this exchange organisation.

Thx in advance!  
0
Comment
Question by:fahim
  • 2
3 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 22694542
This is a very general question.  SO, you will probably get general answers, if any.
 
Of course, with WIndwos 2003 R2 you can delegate administrative permissions over file system rights, roles, as well as exchange stores and roles within the stores.  You seem to indciate that the server structure for the forest and domain alreadty exist.  I assume that you have administrative rights delegated for those servers.  Are the exchange servers already set up and running, or are are you talking about a new implementation?  Do you know how you want to distribute your stores and the users for each store?  I assume they will probably be geographically distributed, and within that politically (by department -- or all departments sharing a store at a location).  WOuld it not make sense to distribute administrative rights to appropriate people along the same lines?
 
0
 

Author Comment

by:fahim
ID: 22694925
Hi Stone..I'll be more specific. The need is define roles for exchange administrators while maintaining centralised authority. Yes, exchange server are already running. Stores are geographically distributed and further business unit wise (call it political) but not further demarcated. Centralised IT is managing all of them though. Also! Can't distribute admin rights across the same way and need to maintain strict central administration and confidentiality of user's mailboxes even from local admins.

From what I read in Microsoft's exchange security hardening guide, I have the option of three levels of administrative roles within Exchange.
 
1. Exchange View Only
2. Exchange administrator
3. Exchange Full administrator

It further sates within the description of Exchange Admin: "Grants all permissions except for ability to take ownership, change permissions, or open user mailboxes."

And describing the function of Exchange Full Admin: " Grants all permissions to all objects below that container except for the ability to open user mailboxes or impersonate a user's mailbox, including the ability to change permissions. "

Now which one of these roles has full authority over user's mailboxes? My guess is, Full Admin--Right?
So, guys in this category should be the least.

Further the doc explains exchange hierarchical levels:

Exchange provides three levels at which you can apply Access Control Lists (ACLs) and administrative permissions. The three levels are:

1. Organization Level  Includes all Exchange Administrative Groups and the Exchange servers they contain. This is the top level and users with administrative permissions at this level can manage the entire Exchange organization.

2. Administrative Group Level  This level includes all Exchange servers in the Administrative group. An administrative group can be compared to an Active Directory domain, where the domain is the administrative boundary.
3. Server Level

.....How do I decide and map my administrative permissions vis a vis these hierarchical levels in best possible ways?
0
 
LVL 8

Accepted Solution

by:
sstone55423 earned 500 total points
ID: 22721798
The administrative group level would allow you on a domain by domain basis to limit access.  I don't know if your geograohical/departmental structure is consistent with that.  You may need to customize it based at a server by server level if the fit is not clean along the domain basis.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise Password Manager Suites as well as Local Password managers are covered in this article.
As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question