Delegation
Single Exchange 2007 server (EX64) with public folder database
Default Exchange Administrator Roles
Default Universal Groups in Active Directory
Get-Group -Identity Exchange* | fl Name,Members,GroupType,identity
Name : Exchange Servers
Members : {Exchange Install Domain Servers, EX64}
GroupType : Universal, SecurityEnabled
Identity : east.com/Microsoft Exchange Security Groups/Exchange Servers
Name : Exchange Organization Administrators
Members : {Administrator}
GroupType : Universal, SecurityEnabled
Identity : east.com/Microsoft Exchange Security Groups/Exchange Organization Administrators
Name : Exchange Recipient Administrators
Members : {Exchange Organization Administrators}
GroupType : Universal, SecurityEnabled
Identity : east.com/Microsoft Exchange Security Groups/Exchange Recipient Administrators
Name : Exchange View-Only Administrators
Members : {Exchange Public Folder Administrators, Exchange Recipient Administrators}
GroupType : Universal, SecurityEnabled
Identity : east.com/Microsoft Exchange Security Groups/Exchange View-Only Administrators
Name : Exchange Public Folder Administrators
Members : {Exchange Organization Administrators}
GroupType : Universal, SecurityEnabled
Identity : east.com/Microsoft Exchange Security Groups/Exchange Public Folder Administrators
Name : ExchangeLegacyInterop
Members : {}
GroupType : Universal, SecurityEnabled
Identity : east.com/Microsoft Exchange Security Groups/ExchangeLegacyInterop
Name : Exchange Install Domain Servers
Members : {EX64}
GroupType : Global, SecurityEnabled
Identity : east.com/Microsoft Exchange System Objects/Exchange Install Domain Servers
Mixed environment
Three Exchange Servers:
Paula: Exchange 2003
Ex20071 and Ex20072 are Exchange 2007
Add-ExchangeAdministrator -Identity 'work.com/Rogers OU/Michelle McDonald' -Role 'ServerAdmin' -Scope 'EX20072'
Add-ExchangeAdministrator -Identity 'work.com/Rogers OU/Michelle McDonald' -Role 'ServerAdmin' -Scope 'EX20071'
To fully administer exchange server ex20071, you need to manually add the user or group 'work.com/Rogers OU/Michelle McDonald' to the built-in local administrators group on server 'EX20071'
To fully administer exchange server ex20072, you need to manually add the user or group 'work.com/Telus OU/Rob Prince' to the built-in local administrators group on server 'EX20072'.
How to understand the Exchange Administrator Roles?
From Exchange Management Console:
get-group exchange* | fl name,members
Name : Exchange Domain Servers
Members : {PAULA}
Name : Exchange Enterprise Servers
Members : {Exchange Domain Servers}
Name : Exchange Servers
Members : {EX20072, Exchange Install Domain Servers, EX20071}
Name : Exchange Organization Administrators
Members : {kaiming}
Name : Exchange Recipient Administrators
Members : {Exchange Organization Administrators}
Name : Exchange View-Only Administrators
Members : {Rob Prince, Exchange Public Folder Administrators, Exchange Recipient Administrators}
Name : Exchange Public Folder Administrators
Members : {Exchange Organization Administrators}
Name : ExchangeLegacyInterop
Members : {PAULA}
Name : Exchange Install Domain Servers
Members : {EX20072, EX20071}
Installing Exchange 2007 in the Houston child domain adds the Exchange server's computer name as a member of the Exchange Servers universal group, which exists only in the root domain. Replication across domains takes longer than replication within a domain. The worst scenario is that the WAN connection is down. When you complete the Exchange 2007 setup in the Houston domain, the Exchange services may not start because the Exchange Servers membership has not been replicated yet.
After you run setup /prepareDomain, the Exchange Install Domain Servers global group is added as a member of the Exchange Servers group. The replication is completed.
At the end of Exchange 2007 setup, even if you have replication issues, the Exchange services can start without problems because the Exchange computer name is also added to the Exchange Install Domain Servers global group.
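The nesting in the listing above decides who effectively holds each role: a member of Exchange Organization Administrators also ends up in the Recipient, Public Folder and View-Only groups, and EX20071/EX20072 reach Exchange Servers both directly and through Exchange Install Domain Servers. The following is an added example, not part of the original notes; the table is constructed from the mixed-environment listing above, and the function name Resolve-EffectiveMember is hypothetical.

```powershell
# Constructed sample: direct members copied from the mixed-environment listing above.
# In a live organization the same table can be filled from the Get-Group output.
$DirectMembers = @{
    'Exchange Domain Servers'               = @('PAULA')
    'Exchange Enterprise Servers'           = @('Exchange Domain Servers')
    'Exchange Servers'                      = @('EX20072', 'Exchange Install Domain Servers', 'EX20071')
    'Exchange Organization Administrators'  = @('kaiming')
    'Exchange Recipient Administrators'     = @('Exchange Organization Administrators')
    'Exchange View-Only Administrators'     = @('Rob Prince', 'Exchange Public Folder Administrators', 'Exchange Recipient Administrators')
    'Exchange Public Folder Administrators' = @('Exchange Organization Administrators')
    'ExchangeLegacyInterop'                 = @('PAULA')
    'Exchange Install Domain Servers'       = @('EX20072', 'EX20071')
}

# Hypothetical helper: emits every non-group principal that ends up in $Group,
# together with the chain of nested groups that puts it there.
function Resolve-EffectiveMember {
    param(
        [string]$Group,
        [hashtable]$Map,
        [string[]]$Path = @()
    )
    if ($Path -contains $Group) { return }   # group nesting loop: stop here
    $Path = $Path + $Group
    foreach ($member in $Map[$Group]) {
        if ($Map.ContainsKey($member)) {
            # The member is itself a listed group: follow the nesting.
            Resolve-EffectiveMember -Group $member -Map $Map -Path $Path
        } else {
            New-Object PSObject -Property @{
                Principal = $member
                Via       = ($Path -join ' <- ')
            }
        }
    }
}

# One line per principal and membership path, grouped by role group.
foreach ($role in ($DirectMembers.Keys | Sort-Object)) {
    Resolve-EffectiveMember -Group $role -Map $DirectMembers |
        Sort-Object Principal, Via -Unique |
        ForEach-Object { '{0,-12} {1}' -f $_.Principal, $_.Via }
}
```

A principal that appears under a role only through a long chain is the one to review first, because removing it from the group named in the role's own member list will not find it.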
How to understand the split permissions (Exchange permissions and Active Directory permissions)?
All these Exchange roles are for Exchange properties and objects.
From AD Users and Computers: no Exchange properties
From Exchange Management Console, Exchange properties show:
In a mixed environment, use AD Users and Computers for mailboxes that are hosted on an Exchange 2000/2003 server. Don't use that tool for an Exchange 2007 server.
System Manager: 2003
Exchange Management Console: 2007
Always manage Exchange 2007 mailboxes with EMC or EMS. Don't edit Exchange 2007 mailboxes from AD Users and Computers in a mixed environment.
You can edit, remove, or move Exchange 2003 mailboxes with EMC or EMS, but do not attempt to create a mailbox on an Exchange 2003 server with EMC or EMS.
Always use the Exchange 2007 move mailbox feature (or the Move-Mailbox shell command) to move mailboxes to Exchange 2007.
Recipient Scope
Create Filter
OR operator: filter expressions apply to the same attribute (Company).
AND operator: filter expressions apply to different attributes (Company and Department).
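The OR/AND rule above, written out as a filter string. This is an added example, not part of the original notes: the function name New-RecipientFilterString and the sample values are constructed, and the result is assumed to be passed to the -Filter parameter of a recipient cmdlet such as Get-User.

```powershell
# Hypothetical helper: turns attribute -> values into one filter string.
# Values for the same attribute are joined with -or, attributes with -and.
function New-RecipientFilterString {
    param([System.Collections.IDictionary]$Criteria)

    $andTerms = @()
    foreach ($attribute in ($Criteria.Keys | Sort-Object)) {
        $orTerms = @()
        foreach ($value in @($Criteria[$attribute])) {
            # Double embedded single quotes (PowerShell literal escaping) so a
            # value such as O'Brien stays inside its quotes.
            $escaped = ([string]$value).Replace("'", "''")
            $orTerms += "($attribute -eq '$escaped')"
        }
        if ($orTerms.Count -eq 0) { continue }   # attribute without values: skip
        # Parenthesize each OR group so the later -and cannot regroup its terms.
        $andTerms += '(' + ($orTerms -join ' -or ') + ')'
    }
    return ($andTerms -join ' -and ')
}

# Constructed sample values: two companies, one department.
$criteria = @{
    Company    = @('Contoso', 'Fabrikam')
    Department = @('Sales')
}

$filter = New-RecipientFilterString -Criteria $criteria
$filter
```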
Disable-Mailbox -Identity "Chris Olga"
Confirm
Are you sure you want to perform this action?
Disabling Mailbox "Chris Olga" will remove the Exchange properties from the Windows user object and mark the mailbox in the database for removal. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Remove-Mailbox -Identity "Jane Tony Love"
Confirm
Are you sure you want to perform this action?
Removing the Mailbox "Jane Tony Love" will remove the Windows user object and mark the mailbox in the database for removal. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):