Where and how to assign the correct Exchange 2010 permissions for two separate AD security groups?


Previously, using Exchange Server 2007, I knew where to put and assign permissions for two different teams / groups based on their responsibilities and what's available in the AD groups created by Exchange Server during the installation.

IT help desk AD security group can be put into Exchange Server Recipient Administrator security group
IT Admin AD security group can be placed into the Exchange Server Organization Administrators

But in Exchange Server 2010, I cannot find the above AD security groups anymore.

From my current AD Users and Computer console I cannot find the following AD security group displayed below:
Exchange Security group
Can anyone please help me here to make sure that I can assign the following group to where it is supposed to be:

IT Helpdesk team group can do the following:
Create, delegate, change permission or delete user mailbox and contacts
Create or delete Distribution group

IT Admin team group can do the following:
All of the above team can do plus perform DAG failover
patching and rebooting Exchange Server
change and modify configurations of Exchange Servers

Thanks in advance.
Senior IT System Engineer, Senior Systems Engineer, asked:
VB ITS, Specialist Consultant, commented:
Microsoft have replaced the permissions model in Exchange 2010 (surprise surprise!) with what is called the Role Based Access Control (or RBAC for short) model, which now allows for more granular permissions to be assigned to users. Have a read here for more information:

There is a web interface which you can use to create, assign, and even modify role assignments: In the Exchange Management Console > click on Toolbox > Role Based Access Control (RBAC) User Editor > log into the Exchange Control Panel (ECP) web interface > you will then be presented with all the built-in Role Groups.

I would suggest you do some light reading on RBAC first, then have a look in the web interface. You will quickly figure it out :)

Senior IT System Engineer, Senior Systems Engineer (Author), commented:
OK, so in this case do I need to recreate the AD security group above in my AD Users and Computers console?
Gareth Gudger, Solution Architect, commented:
Putting your IT Admin AD security group in the Organization Management group will give you a very similar result to what you had before.

See this article:

To quote that article directly.
This role group is equivalent to the Exchange Organization Administrators role in Exchange Server 2007.

For IT help desk AD security group look at the Recipient Management RBAC role as a similar group to what you had before.

Article for Recipient Management

To quote it directly.
This role group is equivalent to the Exchange Recipient Administrators role in Exchange Server 2007.
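
The mapping described in this answer can also be applied and checked from the Exchange Management Shell. The following is an added example, not part of the original thread: `IT Helpdesk` and `IT Admins` are placeholder names for your own AD groups (assumed to be universal security groups), and the script stays in dry-run mode until `$DryRun` is set to `$false`.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010, PowerShell 2.0)
# as a member of Organization Management.
# 'IT Helpdesk' and 'IT Admins' are placeholder group names (assumptions).
$DryRun  = $true   # set to $false to actually change role group membership
$mapping = @{
    'Recipient Management'    = 'IT Helpdesk'   # was: Exchange Recipient Administrators (2007)
    'Organization Management' = 'IT Admins'     # was: Exchange Organization Administrators (2007)
}

$report = foreach ($roleGroup in $mapping.Keys) {
    # Confirm the built-in role group exists before touching it.
    $rg = Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue
    if (-not $rg) {
        Write-Warning "Role group '$roleGroup' was not found in Active Directory."
        continue
    }

    # Add the AD security group only if it is not already a member.
    $adGroup = $mapping[$roleGroup]
    $members = @(Get-RoleGroupMember -Identity $roleGroup | ForEach-Object { $_.Name })
    if ($members -notcontains $adGroup) {
        Add-RoleGroupMember -Identity $roleGroup -Member $adGroup -WhatIf:$DryRun
    }

    # Collect what the role group actually grants, for a least-privilege review.
    $roles = @(Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
               ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)

    New-Object PSObject -Property @{
        RoleGroup = $rg.Name
        Location  = $rg.DistinguishedName   # where the group object lives in AD
        Members   = (@(Get-RoleGroupMember -Identity $roleGroup |
                       ForEach-Object { $_.Name }) -join ', ')
        Roles     = ($roles -join ', ')
    }
}

$report | Format-List RoleGroup, Location, Members, Roles
```

The `Location` value shows the distinguished name of each role group, which tells you where to look for it in AD Users and Computers; the `Roles` list lets you confirm the help desk group receives only recipient-related roles.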
Senior IT System Engineer, Senior Systems Engineer (Author), commented:
Do I have to create those AD security groups?

Because I could not find those on the ADUC using find feature.
Gareth Gudger, Solution Architect, commented:
No. Those should already be created. They get created during the schema update process when going to Exchange 2010.
Senior IT System Engineer, Senior Systems Engineer (Author), commented:
I could not find them somehow in the search results. So how can I recreate those groups?
Gareth Gudger, Solution Architect, commented:
Insert the Exchange DVD/ISO. Open command prompt. Switch to the DVD drive letter. Run the following command.

Setup.com /PrepareDomain

See here for more info and screenshots (towards the bottom of the article).
Senior IT System Engineer, Senior Systems Engineer (Author), commented:
Thanks Gareth.

So in this case, if I do SP3 and RU7 patching, does that security group get recreated in AD?
Gareth Gudger, Solution Architect, commented:
Hmm. Good question. I think if you do an upgrade to SP3 it's just going to do the Setup /PrepareAD by default. This just applies the latest schema changes.

Once you have successfully installed SP3 you can then go back and rerun Setup /PrepareDomain from the SP3 ISO/DVD.
Senior IT System Engineer, Senior Systems Engineer (Author), commented:
OK, cool,
because I need to organize an outage for recreating this AD security group.

I guess I'll do it after I do the SP3 and RU7
Gareth Gudger, Solution Architect, commented:
Glad to help!