Exchange 2016 Setup - Exchange Organization
Applies to: Exchange Server
On the Exchange Organization page, type a name for your Microsoft Exchange Server 2016 organization. The Exchange organization name can contain only the following characters:
A through Z
a through z
0 through 9
Space (not leading or trailing)
Hyphen or dash
The organization name can't contain more than 64 characters. The organization name can't be blank.
Exchange gives you the choice of the following permissions models:
Shared permissions The shared permissions model allows administrators using the Exchange management tools to create security principals in Active Directory. It doesn't separate the management of Exchange and Active Directory objects from within the Exchange management tools. This is the default permissions model.
Split permissions Organizations that separate the management of Exchange 2016 objects and Active Directory objects use what's called a split permissions model. Split permissions enable organizations to assign specific permissions and related tasks to specific groups within the organization. This separation of work helps to maintain standards and workflows, and helps to control change in the organization.
If you're interested in split permissions, Exchange 2016 gives you the option of implementing split permissions in two different ways:
RBAC split permissions Permissions to create security principals in the Active Directory domain partition are controlled by Role Based Access Control (RBAC). Only Exchange servers, services, and those who are members of the appropriate role groups can create security principals. For more information, see “RBAC Split Permissions” in Understanding split permissions.
Active Directory split permissions Permissions to create security principals in the Active Directory domain partition are completely removed from any Exchange user, service, or server. No option is provided in RBAC to create security principals. Creation of security principals in Active Directory must be performed using Active Directory management tools. For more information, see “Active Directory Split Permissions” in Understanding split permissions.
Most organizations don’t need to implement a split permissions model. If the administrators in your organization share Active Directory and Exchange management duties, you should use the default shared permissions model. However, if your organization chooses to use a split permissions model instead of shared permissions, we recommend that you use the RBAC split permissions model. The RBAC split permissions model provides significantly more flexibility while providing nearly the same administration separation as Active Directory split permissions, with the exception that Exchange servers and services can create security principals in the RBAC split permissions model.
If, after reading Understanding split permissions, you want to completely separate Active Directory and Exchange management, select Apply Active Directory split permission security model to the Exchange organization. If you want to use shared permissions, or RBAC split permissions, don't select this option.
You can't enable Active Directory split permissions if you've installed Exchange 2016 on a domain controller.
Did you find what you’re looking for? Please take a minute to send us feedback about the information you were hoping to find.