
Archive for April, 2009

Exchange 2010 Permissions and Security Groups

Exchange 2010 most definitely brings in some new features to allow for a more intuitive and granular administrative experience in terms of how you allow and/or disallow administration from a permissions perspective.  But to understand why Exchange 2010 management was designed the way it was, let’s take a brief history lesson.

Management History

Exchange 2003 provided management with the Exchange System Manager. Exchange 2007 provided management with the Exchange Management Console (EMC) and the Exchange Management Shell (EMS).  You were limited as to what you could do based on what Exchange Management Group you were in.

Exchange 2003 administration groups consisted of:

  • Exchange Full Administrator
  • Exchange Administrator
  • Exchange View Only Administrator

Exchange 2007 administration groups consisted of:

  • Exchange Organization Administrators
  • Exchange Recipient Administrators
  • Exchange View-Only Administrators
  • Exchange Public Folder Administrators (New in Exchange Server 2007 Service Pack 1)

Exchange 2010 Management/Permissions Overview

Exchange 2010 provides a much more comprehensive method for allowing granular control over which users have control of which functions. This functionality is provided by a new Role Based Access Control (RBAC) authorization system.  The goal of this system is to provide an easy way to delegate and customize control by granting operations based on role or job function.  For example, you can give your helpdesk just the abilities it needs to perform its job functions, in a more granular fashion.

The benefit of RBAC is obvious.  Many Exchange Administrators found themselves in situations where they needed to give less privileged administrators additional privileges but did not want to add them to an administration group that gave too much control, as this would not conform to the principle of least privilege.  With RBAC, we can give this less privileged administrator the control they need without placing them into a group that would grant too many unneeded privileges.

The new RBAC model works in all Exchange Management applications: the Exchange Management Console, the Exchange Management Shell, and the new Exchange Control Panel (ECP). The ECP is a new management tool provided in Exchange 2010.  It’s a web based management console that is targeted towards end users and administrators alike.  It’ll allow end users to do simple things such as modify their phone number, if allowed of course.

Because Exchange 2010 utilizes PowerShell 2.0, Exchange now has the ability to take advantage of PowerShell Remoting, which allows you to remotely manage your Exchange systems; if that didn’t already seem obvious from the name PowerShell Remoting.

Role Based Access Control (RBAC)

As stated, RBAC is the new authorization system that provides an easy way to delegate and customize control by granting operations based on role or job function.  With RBAC, there are four main things to note:

  • Management Role – Exchange Security Group that you create.  Help Desk Tier 1, Help Desk Tier 2, Admin Tier 1, Admin Tier 2, etc.
  • Management Role Entries – What each Management Role has access to.  Which cmdlets can these Management Roles use?
  • Management Role Assignments – Which Security Group and/or user is a Management Role assigned to?
  • Management Role Scopes – What target of users, OUs, servers, filtered objects, etc. do these Management Roles have access to administer?

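As an added example (not code from the original post), here are the four pieces above wired together in the Exchange Management Shell to build a least-privilege helpdesk role: a Management Role derived from the built-in Mail Recipients role, its Role Entries trimmed to a handful of cmdlets, a Role Scope limiting it to one OU, and a Role Assignment via a role group. The server name ex01.contoso.com, the OU "contoso.com/Helpdesk Users", the member helpdesk1@contoso.com, and the role, scope and group names are all placeholders I made up; substitute your own.

```powershell
# Added example, not from the original post. All names below are assumed
# placeholders: the server, the OU, the member account, and the role/scope/group names.

# 0. Connect with PowerShell Remoting (how all Exchange 2010 management works).
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri http://ex01.contoso.com/PowerShell/ -Authentication Kerberos
Import-PSSession $Session

# 1. Management Role: derive a custom role from the built-in "Mail Recipients" role.
#    A child role starts with all of its parent's role entries (cmdlets) and can
#    only ever have a subset of them, so the parent bounds what Tier 1 can get.
New-ManagementRole -Name "Help Desk Tier 1 Mailbox" -Parent "Mail Recipients"

# 2. Management Role Entries: remove every cmdlet that is not on the keep-list.
$Keep = @("Get-Mailbox", "Set-Mailbox", "Get-User", "Set-User", "Set-CASMailbox")
Get-ManagementRoleEntry "Help Desk Tier 1 Mailbox\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry "Help Desk Tier 1 Mailbox\$($_.Name)" -Confirm:$false
    }

#    Go one level deeper: on Set-User, allow only the phone/office parameters.
#    Without -AddParameter/-RemoveParameter, -Parameters replaces the whole list.
Set-ManagementRoleEntry "Help Desk Tier 1 Mailbox\Set-User" `
    -Parameters Identity, Phone, MobilePhone, Office

# 3. Management Role Scope: only mailbox users under one OU can be targeted.
New-ManagementScope -Name "Helpdesk Users OU" `
    -RecipientRoot "contoso.com/Helpdesk Users" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Management Role Assignment: a role group (the security group the helpdesk
#    staff are members of) gets the role, with the scope from step 3 applied.
New-RoleGroup -Name "Help Desk Tier 1" `
    -Roles "Help Desk Tier 1 Mailbox" `
    -Members "helpdesk1@contoso.com" `
    -CustomRecipientWriteScope "Helpdesk Users OU"

# 5. Verify what the group actually ended up with before handing it out.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk Tier 1" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
Get-ManagementRoleEntry "Help Desk Tier 1 Mailbox\*" | Format-Table Name, Parameters

Remove-PSSession $Session
```

The verification step is the part worth keeping in your runbook: after any RBAC change, listing the assignments and the remaining role entries for the group shows exactly which cmdlets and parameters a helpdesk member can run, and against which recipients, which is what you want to be able to show an auditor.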
As you can see, this system is really flexible and is definitely welcome. There’s already quite a bit out there on the Technet Library on how this all works, so instead of regurgitating it, I encourage you to go check it out here.


Exchange 2010 New Features

Well, a new version of Exchange obviously brings a new set of features.  While there are a lot of new features, here are just some of them:

  1. Database Availability Groups – Database Availability Groups combine CCR and SCR functionality to provide a single solution for both scenarios.  What happens here is that you install a DAG member and, behind the scenes, it installs Failover Clustering, making the High Availability deployment more intuitive for the administrator.  There was one scenario we ran into here where we had two source CCR Clusters wanting to replicate to the same target SCR Standby.  The problem here is that when you recoverCMS on the SCR Standby, the replication fails with the other source CCR that was still working, because the target SCR server can only ever have one CMS.  DAGs fix that issue.
  2. Outlook Web Access Features – There are quite a few new features with OWA.  Some features I really like are:
    • Side-by-side comparison of calendars
    • Ability to attach messages to messages
    • Integration with Communicator including presence, chat, and a contact list
    • Conversation View
    • Support for multiple browsers such as Firefox and Safari
  3. Unified Messaging Features – There are quite a few new features with UM.  Some features I really like are:
    • Message Waiting Indicator
    • Voicemail Preview – This is essentially a speech to text that will display the text in your e-mail message to get a preview of what the voice mail includes
    • Personal auto attendants
    • Protected Voice Mail – Ability to track and restrict where voice mails can go
  4. Store Functionality – There are a ton of new features in the Store.  Some important things to note:
    • No more Storage Groups
    • Mailboxes are no longer connected to the server object; the schema has been flattened to allow for this
    • I/O Improvements including JBOD support and better support for SATA disks
    • Being able to run on cheap disks (SATA) and have a backupless organization by having multiple copies stored on DAG members.
  5. Administration – There are a ton of additions/enhancements to administration.  Some important things to note:
    • Role Based Access Control (RBAC) – Allows you to create granular permissions on custom groups that you create. This essentially replaces the administration model in Exchange 2007.  For example, if you want a help desk group that has access to specific pieces of functionality within Exchange, you can do so.
    • Exchange Control Panel – Ties into RBAC and shows/hides features you are not given access to.
    • Audit Logging
  6. Other
    • Multi-Mailbox Search
    • Text Messaging Integration (SMS)
    • Moderation and approval of distribution group submissions
    • Mail Tips – Will notify an Outlook user of an impending error before it happens so the user doesn’t get a confusing NDR.  For example, if your message size limit is 10MB and the user tries sending a 15MB message, Outlook will notify the user before the user tries to send out the e-mail, saving Exchange resources and making the failure experience more intuitive for the end user.

There’s definitely quite a bit more, which you can start reading here.  I’ll mostly update this post here and there, so be sure to check back.  You can definitely expect me to start creating new content around Exchange 2010 in the near future.


Exchange 2010 Announced!

So Exchange 2010 has finally been announced!  You can check out the MSExchangeTeam Blog Post here.  Be expecting some upcoming E14 posts.  You can download the beta here.