Solved

Where and how to assign the correct Exchange 2010 permission for two separate AD security groups?

Posted on 2014-10-30
Last Modified: 2015-01-01
Folks,

Previously, using Exchange Server 2007, I know where to put and assign permissions for two different teams / groups based on their responsibilities and what's available in the AD created by Exchange Server during the installation.

IT help desk AD security group can be put into Exchange Server Recipient Administrator security group
and
IT Admin AD security group can be placed into the Exchange Server Organization Administrators

But in Exchange Server 2010, I cannot find the above AD security groups anymore.

From my current AD Users and Computer console I cannot find the following AD security group displayed below:
Exchange Security group
Can anyone please help me here to make sure that I can assign the following group to where it is supposed to be:

IT Helpdesk team group can do the following:
Create, delegate, change permission or delete user mailbox and contacts
Create or delete Distribution group

IT Admin team group can do the following:
All of the above team can do plus perform DAG failover
patching and rebooting Exchange Server
change and modify configurations of Exchange Servers

Thanks in advance.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 167 total points
ID: 40415365
Microsoft have replaced the permissions model in Exchange 2010 (surprise surprise!) with what is called the Role Based Access Control (or RBAC for short) model, which now allows for more granular permissions to be assigned to users. Have a read here for more information:
http://blogs.technet.com/b/mspfe/archive/2010/11/23/securing_2d00_ms_2d00_exchange_2d00_2010_2d00_role_2d00_based_2d00_access_2d00_control_2d00_rbac_2d00_simplified.aspx
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html

There is a web interface which you can use to create, assign, and even modify role assignments: In the Exchange Management Console > click on Toolbox > Role Based Access Control (RBAC) User Editor > log into the Exchange Control Panel (ECP) web interface > you will then be presented with all the built-in Role Groups.

I would suggest you do some light reading on RBAC first, then have a look in the web interface. You will quickly figure it out :)
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40415735
OK, so in this case do I need to recreate the AD security group above in my AD Users and Computers console?
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 333 total points
ID: 40417734
Putting your IT Admin AD security group in the Organization Management group will give you a very similar result to what you had before.

See this article:
http://technet.microsoft.com/en-us/library/dd335087(v=exchg.141).aspx

To quote that article directly.
This role group is equivalent to the Exchange Organization Administrators role in Exchange Server 2007.


For IT help desk AD security group look at the Recipient Management RBAC role as a similar group to what you had before.

Article for Recipient Management
http://technet.microsoft.com/en-us/library/dd298028(v=exchg.141).aspx

To quote it directly.
This role group is equivalent to the Exchange Recipient Administrators role in Exchange Server 2007.
0
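The mapping described in this answer, as an added example that is not part of the original thread: it checks that the built-in role groups exist, lists the management roles each one grants, and then adds the AD groups as members. The AD group names `IT Helpdesk` and `IT Admin` are assumptions based on the question's wording, and both are assumed to be universal security groups that the cmdlet can resolve.

```powershell
# Run in the Exchange Management Shell (Exchange 2010) with an account that
# is already a member of Organization Management.
# Assumption: the AD group names below stand in for the asker's real groups.
$map = @{
    'Recipient Management'    = 'IT Helpdesk'   # mailboxes, contacts, distribution groups
    'Organization Management' = 'IT Admin'      # full organization-wide administration
}

foreach ($roleGroup in $map.Keys) {
    # Confirm the built-in role group exists before touching its membership.
    $rg = Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue
    if (-not $rg) {
        Write-Warning "Role group '$roleGroup' not found; check the Microsoft Exchange Security Groups OU."
        continue
    }

    # Review what membership actually grants before delegating it.
    Write-Host "Roles assigned to '$roleGroup':"
    Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
        Select-Object -ExpandProperty Role |
        Sort-Object -Unique

    # Add the AD group only if it is not already a member.
    $member  = $map[$roleGroup]
    $current = Get-RoleGroupMember -Identity $roleGroup |
        Select-Object -ExpandProperty Name
    if ($current -notcontains $member) {
        Add-RoleGroupMember -Identity $roleGroup -Member $member
    }

    # Show the resulting membership so the change can be recorded.
    Get-RoleGroupMember -Identity $roleGroup |
        Format-Table Name, RecipientType -AutoSize
}
```

Organization Management is the broadest role group in the organization, so the role listing printed for it is worth reviewing against what the IT Admin team actually needs before the membership change is kept.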
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40417831
Do I have to create those AD security groups?

Because I could not find those on the ADUC using find feature.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40418038
No. Those should already be created. They get created during the schema update process when going to Exchange 2010.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40418042
Gareth,

I could not find it somehow in the search results. So how can I recreate those groups?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40418198
Insert the Exchange DVD/ISO. Open command prompt. Switch to the DVD drive letter. Run the following command.

Setup.com /PrepareDomain


See here for more info and screenshots (towards the bottom of the article).
http://supertekboy.com/2014/04/02/migrating-exchange-2003-2010-part-ii/
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40418527
Thanks Gareth.

So in this case, if I do SP3 and RU7 patching, does that security group get recreated in AD?
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 333 total points
ID: 40418530
Hmm. Good question. I think if you do an upgrade to SP3 it's just going to do the Setup /PrepareAD by default. This just applies the latest schema changes.

Once you have successfully installed SP3 you can then go back and rerun Setup /PrepareDomain from the SP3 ISO/DVD.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40418559
Ok cool,
Because I need to organize an outage for recreating this AD security group.

I guess I'll do it after I do the SP3 and RU7
0
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 40526978
Thanks
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40526983
Glad to help!
0
