There are more than ten administrators delegated at the organizational level
[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]
Topic Last Modified: 2006-12-03
The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the number of users who have permissions as either Exchange Administrators or Exchange Full Administrators. The Exchange Server Analyzer counts the number of entries listed in the msExchAdmins attribute, which represents a link to all Exchange administrators within the organization together with the appropriate permissions. If the Exchange Server Analyzer finds there are more than 10 users with Exchange Administrator and/or Exchange Full Administrator permissions, a warning is displayed.
msExchAdmins is a multi-value attribute of the Exchange root organization container. It contains a list of security identifiers (SIDs) that represent the user accounts with delegated Exchange permissions.
It is a best practice to limit the number of users with write access to the Exchange organization. Consider reducing the number of Exchange Administrators and Exchange Full Administrators at the organization level. By reviewing administrative roles against the requirements of your messaging infrastructure, you may find that you can convert many of these users to Exchange View-only Administrators at the organizational level, while delegating to them the Exchange Administrator role at the Administration Group level.
To correct this warning
Consider decreasing the number of users that have Exchange Administrator and/or Exchange Full Administrator permissions.
Consider performing an audit of Exchange Server permissions in your organization to ensure that they are appropriate.
For more information about planning and configuring permissions in Exchange, see:
"Working with Active Directory Permissions in Exchange 2003" (http://go.microsoft.com/fwlink/?LinkId=47592).
Microsoft Exchange Server 2007, Operations "Configuring Permissions" (http://go.microsoft.com/fwlink/?LinkId=78432).
Microsoft Exchange Server 2007, Planning and Architecture, Planning Active Directory "Permission Considerations" (http://go.microsoft.com/fwlink/?LinkId=78433).
For more information about administrative roles in Exchange Server 2003, see the Microsoft Knowledge Base article 823018, "Overview of Exchange Administrative Role Permissions in Exchange 2003" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823018).
For more information about administrative roles in Exchange 2000 Server, see the Knowledge Base article 289811, "XGEN: Exchange 2000 Role Permissions" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=289811).