Part 1 - I used to do it this way… Now how do I do it? Administering Exchange 2003 vs. Exchange 2007

A while ago I ran across an article by Andrea Fowler on TechNet entitled: Then and Now: Comparing Management Tasks in Exchange Server 2003 and Exchange Server 2007.

This lead to me creating a presentation for my customer on this.  Normally a lot of the work that I have done for my customers ends up here on this blog.  I took a break from posting here because of the cool stuff that I wanted to post here was not public yet and required to much effort to decide what could and couldn’t be shared.  But this is all public information so lets get started…

Delegating Server Administration

In Exchange 2003, you used the Exchange Administration Delegation wizard to grant administrative permissions to a user or group.

The old way from the ESM (Exchange System Manager):

You had 3 options (Exchange Full Administrator, Exchange Administrator, and Exchange View Only Administrator):


Exchange 2007 provides the ability for Exchange administrators to delegate administrative and management responsibility for a server to an individual or group of individuals when it operates in a distributed operations management scenario.

You can do it from the EMC (Exchange Management Console):


Or you can do it from the EMS (Exchange Management Shell) using Add-ExchangeAdministrator

-Identity <SecurityPrincipalIdParameter>

-Role <OrgAdmin | RecipientAdmin | ServerAdmin | ViewOnlyAdmin | PublicFolderAdmin>

[-Scope <String>]

This example below gives the user with the alias JSnake the role of Exchange Server Administrator on the server TestHub01.image


Whoa…  5 choices for administrator roles?  Cool.  What do they mean?

Exchange Organization Administrators role have the highest level of permissions in the Exchange organization. All tasks that affect your whole Exchange organization will require membership in this group. Examples of tasks that require Exchange Organization Administrator permissions include creating or deleting connectors, changing server policies, and changing any global configuration settings.

Users who are members of the Exchange Recipient Administrators role will not have permissions to Domains where Setup /PrepareDomain has not been run. When you add a new Exchange domain, make sure that you run Setup /PrepareDomain in the new domain to grant permissions to the Exchange administrator roles in that domain.

The Exchange Server Administrators role has access to only local server Exchange configuration data, either in the Active Directory or on the physical computer on which Exchange 2007 is installed. Users who are members of the Exchange Server Administrators role have permissions to administer a particular server, but do not have permissions to perform operations that have global impact in the Exchange organization.

The Exchange View-Only Administrators role has read-only access to the whole Exchange organization tree in the Active Directory configuration container, and read-only access to all the Windows domain containers that have Exchange recipients.

The Exchange Public Folder Administrators role has administrative permissions to manage all the public folders. This administrator role is granted the "Create top level public folder" extended right. Members of this role can create and delete public folders, and manage public folder settings such as replicas, quotas, age limits, administrative permissions, and client permissions. This administrator role can mail-enable public folders, but it cannot modify mail recipient-related properties on public folders, such as proxy addresses. That capability requires membership in the Exchange Recipient Administrators role.


The table above tells you the different roles and the members of them as well as their permissions.

Next: Part 2 – Synchronizing Public Folder hierarchy replication in 2003 vs. 2007