help understanding administrative groups.

Can someone enlighten me how administrative group work. Does it mean you only need only 1 administration group in a single domain and requires another administration group when working with a multiple domain environment?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Claymoore

Exchange 2003 Administrative Groups form boundaries for exchange administration and are independent of domains. You can have multiple administrative groups in a single domain or a single administrative group covering multiple domains.

Understanding Exchange Server 2003 Administrative Models

Administrative groups have been deprecated in 2007 and beyond, although all 2007 are placed in an administrative group (EXCHANGE12ROCKS in a simple ceasar cipher) for 2003 co-existence.

ladiesman217

Hi claymoore thanks for the quick reply.

I'm currently reading the link.

rjbarlow

Claymoore wrote: »

Administrative groups have been deprecated in 2007 and beyond, although all 2007 are placed in an administrative group (EXCHANGE12ROCKS in a simple ceasar cipher) for 2003 co-existence.

Why that? It is better or worst?

Claymoore

rjbarlow wrote: »

Why that? It is better or worst?

IMO, it's definitely an improvement. Administrative groups were designed to help delegate and segregate administration, but they became more of a hindrance than a help. You either had rights to everything, rights to everything in your administrative group, read only rights, or no rights. Even though mailboxes could eventually be moved between administrative groups, servers could not. Combine that with the fact you need at least account operator rights to create mailboxes and you have a case where either you don't have enough permissions to do your job or you have way too many.

A very broad and inflexible rights model doesn't work well with most large organizations. If you exist in a single domain with 1 or 2 Exchange servers and only 1 admin, you probably don't care. But when you start dealing with multiple sites, servers, and political silos it becomes a pain. Now you can grant someone rights to create a mailbox but not administer a server - or vice versa - and that is an improvement.

Exchange 2010 improves this further with customized web-based administrator consoles.

Claymoore

I was catching up on some blog reading when I came across this post by a famous and well-respected member of the Exchange community about the changes in administration coming in 2010.

Exchange 2010 Permissions and Security Groups | Elan Shudnow's Blog