
Exchange 2010 Permissions and Security Groups

Exchange 2010 brings in new features that allow a more intuitive and granular administrative experience in terms of how you allow or disallow administration from a permissions perspective. But to understand why Exchange 2010 management was designed the way it was, let’s take a brief history lesson.

Management History

Exchange 2003 provided management with the Exchange System Manager. Exchange 2007 provided management with the Exchange Management Console (EMC) and the Exchange Management Shell (EMS). In both versions, what you could do was limited by which Exchange administration group you were a member of.

Exchange 2003 administration groups consisted of:

  • Exchange Full Administrator
  • Exchange Administrator
  • Exchange View Only Administrator

Exchange 2007 administration groups consisted of:

  • Exchange Organization Administrators
  • Exchange Recipient Administrators
  • Exchange View-Only Administrators
  • Exchange Public Folder Administrators (New in Exchange Server 2007 Service Pack 1)

Exchange 2010 Management/Permissions Overview

Exchange 2010 provides a much more comprehensive method for granular control over which users have control of which functions. This functionality is provided by a new Role Based Access Control (RBAC) authorization system. The goal of this system is to provide an easy way to delegate and customize control by granting operations based on role or job function. For example, you can give your helpdesk exactly the abilities they need to perform their job functions, in a far more granular fashion than the old administration groups allowed.

The benefit of RBAC is obvious. Many Exchange Administrators found themselves in situations where they needed to give less privileged administrators additional rights but did not want to add them to an administration group that granted far too much control, since that would violate the principle of least privilege. With RBAC, we can give that less privileged administrator exactly the control they need without placing them in a group that carries many unneeded privileges.

The new RBAC model works in all Exchange Management applications; Exchange Management Console, Exchange Management Shell, and the new Exchange Control Panel (ECP). The ECP is a new Management Tool provided in Exchange 2010.  It’s a web based management console that is targeted towards the end user and administrators alike.  It’ll allow end users to do simple things such as modify their phone number, if allowed of course.

Because Exchange 2010 utilizes PowerShell 2.0, Exchange can now take advantage of PowerShell Remoting, which allows you to remotely manage your Exchange systems; if that didn’t already seem obvious by the name PowerShell Remoting.

Role Based Access Control (RBAC)

As stated, RBAC is the new authorization system that provides an easy way to delegate and customize control by granting operations based on role or job function. With RBAC, there are four main things to note:

  • Management Role – Exchange Security Group that you create.  Help Desk Tier 1, Help Desk Tier 2, Admin Tier 1, Admin Tier 2, etc…
  • Management Role Entries – What each Management Role has access to.  What cmdlets can these Management Roles use?
  • Management Role Assignments – What Security Group and/or user is a Management Role assigned to?
  • Management Role Scopes – What target of users, OUs, servers, filtered objects, etc. do these management roles have access to administer?

As you can see, this system is really flexible and is definitely welcome. There’s already quite a bit out there on the Technet Library on how this all works, so instead of regurgitating it, I encourage you to go check it out here.
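To make the four pieces above concrete, here is an added Exchange Management Shell example (not from the original post) that builds a least-privilege help desk role: a custom management role, its trimmed role entries, a recipient scope, and a role group that carries the assignment. The OU "contoso.com/Chicago", the AD group "HelpDesk-T1-Members" and the role names are assumed placeholders.

```powershell
# Added example (not from the original post): a least-privilege help desk role in Exchange 2010 RBAC.
# Assumptions: an OU "contoso.com/Chicago" and an AD group "HelpDesk-T1-Members" exist; the
# built-in parent role "Mail Recipients" ships with Exchange 2010. All other names are placeholders.

# 1. Management Role: derive a child role from a built-in parent so it starts from a known entry set.
New-ManagementRole -Name "Help Desk Tier 1" -Parent "Mail Recipients"

# 2. Management Role Entries: a child role can only lose entries, never gain them, so strip every
#    cmdlet except read-only Get-* cmdlets and Set-User, then restrict Set-User to the parameters
#    the help desk actually needs (Identity must stay so the cmdlet remains usable).
Get-ManagementRoleEntry "Help Desk Tier 1\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $_.Name -ne "Set-User" } |
    Remove-ManagementRoleEntry -Confirm:$false
Set-ManagementRoleEntry "Help Desk Tier 1\Set-User" -Parameters Identity,Phone,Office,Title

# 3. Management Role Scope: writes are limited to user mailboxes under a single OU.
New-ManagementScope -Name "Chicago Mailboxes" `
    -RecipientRoot "contoso.com/Chicago" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Management Role Assignment: a role group (a universal security group managed by Exchange)
#    binds the role, the members and the write scope together in one assignment.
New-RoleGroup -Name "Help Desk Tier 1" -Roles "Help Desk Tier 1" `
    -Members "HelpDesk-T1-Members" -CustomRecipientWriteScope "Chicago Mailboxes"

# Verify what was granted: the cmdlets and parameters the role exposes, and the scope on the assignment.
Get-ManagementRoleEntry "Help Desk Tier 1\*" | Format-Table Name,Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee "Help Desk Tier 1" |
    Format-Table Role,RoleAssigneeType,CustomRecipientWriteScope -AutoSize
```

To audit who can modify a particular mailbox afterwards, `Get-ManagementRoleAssignment -WritableRecipient <mailbox> -GetEffectiveUsers` lists every assignment, and the users behind it, that reaches that recipient.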


4 Responses to “Exchange 2010 Permissions and Security Groups”

  1. on 23 Apr 2009 at 8:57 pm, Alex

    control system security…

    I can’t believe I missed this! I’m going to have to do some more reading me thinks….

  2. on 23 Dec 2009 at 3:18 pm, christian


    I really needed this information thank you so much!…


  3. on 03 Feb 2010 at 12:42 am, wes

    Hi Elan, by default users can update phone number/address in OWA/ECP… Do you know how we can adjust things so that they are able to edit other attributes such as Title/Office/etc?


  4. on 04 Feb 2010 at 6:31 pm, Elan Shudnow

    Wes, you should be able to but I'm not sure offhand. I'm out on vacation for a couple weeks so if you figure it out, I'd appreciate it if you reply back to this with a how. Otherwise, I'll probably try to figure it out as again, it's something I want to know how to do anyways.
