?
Solved

exch 2010 management access

Posted on 2011-03-24
4
Medium Priority
?
505 Views
Last Modified: 2012-08-14
In exchange 2003, Tech support would make changes to Exch 2003 users mailboxes through AD... Now that we just started using exch 2010, mailbox attributes are no longer availalbe in the users AD account.. Do the Tech support admins need to have access to the Exch 2010 MMC to edit users mailboxes?  Any best practive advice is welcome.
0
Comment
Question by:DEFclub
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 42

Expert Comment

by:Adam Brown
ID: 35211841
They will need to have access to the Exchange 2010 Master Console or Shell. You can control what level of access they have by using management roles. http://technet.microsoft.com/en-us/library/dd298183.aspx has some in depth information on the new Role Based Access Control system for Exchange 2010. If you don't want to have to deal with managing roles like that, you can utilize the built in Exchange Security Groups that are installed into AD with Exchange. For instance, adding users to the Recipient Administrators group will allow them to perform a number of mailbox oriented tasks.

One of the advantages of this system is that when a user with limited administrative access opens the Exchange Management Console, only the tasks that they have access to will be presented to them. From the Exchange Management Shell, they will only be able to use the Powershell cmdlets assigned to the management role that they are a member of.
0
 

Author Comment

by:DEFclub
ID: 35211990
Yes, I’m familiar with the management rolls... I guess Im just realizing that Microsoft removed exchange administration from AD and it solely resides in the Exchange MMC or PS... Any idea what their philosophy was for making that decision?
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 35212081
There were a couple of reasons. Removing it from AD allows for split administration, where AD admins can only view and modify AD objects and functions and Exchange admins can only manage Mailboxes. In the default installation, this partitioning of managerial functions doesn't exist, but Exchange can be installed in a way that allows for much better separation of duties. This is a requirement laid out by many modern security accreditation systems. To be more specific, separation of duties is the requirement that each employee have only enough access to view and modify objects within the scope of their jobs. This prevents an AD admin from, say, configuring an Email user so that all a user's email is forwarded to the admin. It also prevents an Exchange admin from modifying a user or resetting passwords. This could be done with the old system, but the presentation and management of it is much more intuitive with separate interfaces for the two functions.

Another is my own opinion of things, in that the old way of doing it really wasn't very intuitive. Specifically, you managed the Exchange environment in the Exchange Console and the Users in AD. It makes much more sense to have all Exchange administrative tasks available in the same location. I very clearly remember my first run in with Exchange and being horribly confused that I couldn't manage the user's email addresses and such in the Exchange console. There are probably many other reasons as well.
0
 

Author Closing Comment

by:DEFclub
ID: 35216798
Thanks for taking the time to explain!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month11 days, 23 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question