Exchange 2010 Permissions and Security Groups

Exchange 2010 brings in new features that allow for a more intuitive and granular administrative experience in terms of how you allow or disallow administration from a permissions perspective. But to understand why Exchange 2010 management was designed the way it was, let's take a brief history lesson.

Management History

Exchange 2003 was managed through the Exchange System Manager. Exchange 2007 was managed through the Exchange Management Console (EMC) and the Exchange Management Shell (EMS). In both versions, what you could do was limited by which Exchange administration group you were in.

Exchange 2003 administration groups consisted of:

  • Exchange Full Administrator
  • Exchange Administrator
  • Exchange View Only Administrator

Exchange 2007 administration groups consisted of:

  • Exchange Organization Administrators
  • Exchange Recipient Administrators
  • Exchange View-Only Administrators
  • Exchange Public Folder Administrators (New in Exchange Server 2007 Service Pack 1)

Exchange 2010 Management/Permissions Overview

Exchange 2010 provides a much more comprehensive method for granular control over which users can perform which functions. This functionality is provided by a new Role Based Access Control (RBAC) authorization system. The goal of this system is to provide an easy way to delegate and customize control by granting operations based on role or job function. For example, you can give your helpdesk the specific abilities they need to perform their job functions, and nothing more.

The benefit of RBAC is obvious. Many Exchange administrators found themselves in situations where they needed to give less privileged administrators additional privileges but did not want to add them to an administration group that gave too much control, as this would not conform to the principle of least privilege. With RBAC, we can give a less privileged administrator the control they need without placing them in a group that grants privileges they do not need.
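One way to build such a helpdesk delegation in the Exchange Management Shell, as an added example that is not part of the original article. The role name, role group name, OU, member account and the choice of permitted cmdlets and parameters are all hypothetical, and it assumes the built-in "Mail Recipients" role in your organization includes Set-User with these parameters:

```powershell
# Added example for Exchange 2010 EMS. All names below are hypothetical placeholders.
$roleName  = 'Helpdesk Contact Info'      # custom management role (hypothetical)
$groupName = 'Helpdesk Tier 1'            # role group (hypothetical)
$scopeOU   = 'contoso.com/Staff'          # OU the helpdesk may modify (hypothetical)
$members   = 'jsmith', 'akhan'            # helpdesk accounts (hypothetical)

# 1. Derive a custom role from the built-in "Mail Recipients" role.
#    A child role starts with the parent's entries and can never exceed them.
New-ManagementRole -Name $roleName -Parent 'Mail Recipients'

# 2. Strip every entry that is neither read-only (Get-*) nor on the allow list.
$allowedWrites = @('Set-User')
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -notlike 'Get-*' -and $allowedWrites -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false
    }

# 3. Narrow the remaining write cmdlet to the parameters the job needs.
#    Without -AddParameter/-RemoveParameter, -Parameters replaces the whole list,
#    so anything not named here is dropped from the entry.
Set-ManagementRoleEntry "$roleName\Set-User" `
    -Parameters Identity, Phone, MobilePhone, Office

# 4. Create the role group, assign the role, and confine writes to one OU.
New-RoleGroup -Name $groupName `
    -Roles $roleName `
    -Members $members `
    -RecipientOrganizationalUnitScope $scopeOU

# 5. Review the result: which cmdlets and parameters the role really grants...
Get-ManagementRoleEntry "$roleName\*" |
    Sort-Object Name |
    Format-Table Name, Parameters -AutoSize -Wrap

# ...and who effectively holds the role, with what write scope.
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, RecipientWriteScope,
                 CustomRecipientWriteScope -AutoSize
```

Running step 5 periodically is a simple check that the delegated role has not accumulated extra entries or members over time.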

The new RBAC model works in all Exchange management applications: the Exchange Management Console, the Exchange Management Shell, and the new Exchange Control Panel (ECP). The ECP is a new management tool provided in Exchange 2010. It's a web-based management console that is targeted towards end users and administrators alike. It'll allow end users to do simple things such as modify their phone number, if allowed of course.

Because Exchange 2010 utilizes PowerShell 2.0, Exchange now has the ability to take advantage of PowerShell Remoting, which allows you to remotely manage your Exchange systems, if that didn't already seem obvious by the name PowerShell Remoting.
