Delegating Exchange for the First Time

Exchange delegation is a delicate and complicated topic. Most Exchange permissions are granted through access control lists (ACLs) on objects in Active Directory, and those permissions can be delegated in a very granular way. Exchange consolidates them into three main layers of delegation called roles:

  • Exchange View Only Administrator allows you to look at the Exchange System.
  • Exchange Administrator allows you to fully administer Exchange Server computer information.
  • Exchange Full Administrator allows you to fully administer Exchange.

Be aware that none of these Exchange roles grants access rights on user objects themselves. You can be an Exchange Full Administrator and still not be able to mailbox-enable a single user. For that, you need to determine what rights you want the Exchange admins to have on user objects and grant them separately.

Using a graphical user interface

  1. Log on to a machine with an account that is in the initially delegated Exchange group.
  2. Per your corporate standards, create three groups called ExchangeViewAdmins, ExchangeAdmins, and ExchangeFullAdmins. The groups can be any scope.
  3. Open the Exchange System Manager (ESM) snap-in.
  4. In the left pane, right-click on the Organization name (e.g., RALLENCORPMAIL) and select Delegate Control.
  5. On the Welcome screen, click Next.
  6. On the Users and Groups screen, click Add.
  7. On the Delegate Control screen, click Browse.
  8. On the Select Users, Computers, Or Groups screen, type into the text box the name of the group to which you want to delegate Exchange View Admin rights (e.g., RALLENCORP\ExchangeViewAdmins).
  9. Back on the Delegate Control screen, verify that Exchange View Only Administrator is listed in the role drop-down menu and click OK.
  10. Repeat steps 6-9 for ExchangeAdmins and ExchangeFullAdmins, selecting the appropriate permissions in the role drop-down menu.
  11. If you used a group in the root delegation, you may still see one or more accounts listed in the Users and Groups box. Remove these from the list by selecting them and clicking Remove.
  12. Review the list of Users and Groups and click Next. You should have the following groups and roles listed:
    1. ExchangeAdmins with role Exchange Administrator
    2. ExchangeFullAdmins with role Exchange Full Administrator
    3. ExchangeViewAdmins with role Exchange View Only Administrator
  13. On the Completed Wizard screen, click Finish.
  14. Add the accounts of the administrators to the various groups with your favorite group management tool.
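The group creation (step 2), the member population (step 14) and a post-delegation review of what the wizard actually stamped on the organization object can be scripted. The following is an added example, not part of the original recipe; it assumes the ActiveDirectory PowerShell module (RSAT) is installed on the admin workstation, that the domain is RALLENCORP and the organization is RALLENCORPMAIL as in the text, and the member account names are constructed sample values.

```powershell
# Added example (not from the original recipe). Assumes the ActiveDirectory
# module is available, the domain is RALLENCORP and the Exchange organization
# is named RALLENCORPMAIL as in the text; adjust these for your forest.
Import-Module ActiveDirectory

# Group name -> Exchange role it will be delegated (role mapping from the text)
$groups = @{
    'ExchangeViewAdmins' = 'Exchange View Only Administrator'
    'ExchangeAdmins'     = 'Exchange Administrator'
    'ExchangeFullAdmins' = 'Exchange Full Administrator'
}

# Step 2: create the three groups if they do not already exist.
# Global scope is an arbitrary choice; the recipe allows any scope.
foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Description ("Delegated Exchange role: " + $groups[$name])
    }
}

# Step 14: add administrator accounts to the groups.
# sAMAccountNames below are constructed sample values.
$members = @{
    'ExchangeViewAdmins' = @('helpdesk1')
    'ExchangeAdmins'     = @('exadmin1')
    'ExchangeFullAdmins' = @('exfulladmin1')
}
foreach ($name in $members.Keys) {
    Add-ADGroupMember -Identity $name -Members $members[$name]
}

# Review: the Delegate Control wizard writes ACEs on the organization object
# in the configuration partition. Read them back through the AD: drive and
# list every explicit (non-inherited) entry so the result of step 12 can be
# compared against the three expected groups.
$configNC = (Get-ADRootDSE).configurationNamingContext
$orgDN    = "CN=RALLENCORPMAIL,CN=Microsoft Exchange,CN=Services,$configNC"
$acl      = Get-Acl -Path "AD:\$orgDN"

$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# Any explicit ACE granted to an individual user account rather than one of the
# delegated groups is a leftover from step 11 and should be removed in ESM.
$leftovers = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference -like 'RALLENCORP\*' -and
    ($_.IdentityReference.Value.Split('\')[1]) -notin $groups.Keys
}
if ($leftovers) {
    Write-Warning "Explicit ACEs not held by the delegated groups:"
    $leftovers | Select-Object IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize
}
```

The review section lists what is in the ACL rather than interpreting it: built-in principals such as Domain Admins and Enterprise Admins legitimately appear on the organization object, so the operator compares the listing against the expected three groups plus those built-ins before removing anything. Run the delegation itself through the ESM wizard as described in steps 3 through 13; this script does not write ACEs.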