Active Directory and Exchange 2003 – Separate Administrators

Pete mailed me after attending a couple of my evening Exchange sessions at Reading and also the event in Birmingham. Last year, he migrated his internal systems from GroupWise to Exchange 2003. However, his technical director was concerned that anyone who has admin rights on the domain can, in theory, give themselves rights to anyone else's mailbox. He wondered if there was any way to restrict this right.


The administrative model prescribed by the default configuration of Microsoft Exchange and Active Directory may not fit the security and administrative roles defined by an organisation. In some organisations, the helpdesk-level administrators who create user accounts are not the same administrators who administer mailboxes. However, the default configuration of Exchange and Active Directory requires that mailbox administrators belong to the "Account Operators" security group, and members of the "Account Operators" group have read/write access to Exchange objects.

You can configure permissions in Active Directory to correspond to your administrative model. This granular level of permissioning is referred to as a split permissions model. Chapter 4 of the Working with AD Permissions with Exchange guide explains how to apply a split permissions model to your AD organisation and segregate your AD administrators from your Exchange administrators.
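Once a split permissions model has been applied, the practical question for Pete's technical director is whether the resulting ACL actually matches the intended model: who still holds Send-As or Receive-As on the Exchange organisation, and who can rewrite that DACL (or take ownership of the object) and so grant themselves mailbox rights later. The following PowerShell audit is an added example, not code from the original post or from Microsoft; it reads the organisation container's DACL through plain ADSI (System.DirectoryServices) from a domain-joined host and flags any principal outside an approved list. The organisation DN and the approved group names are placeholders you must replace.

```powershell
# Added audit example (not from the original post): list who holds
# mailbox-level rights on an Exchange 2003 organisation container and flag
# principals that are not part of the approved split-permissions groups.
# Assumptions (placeholders): $OrgDn and $ApprovedPrincipals below.
# Needs only ADSI (System.DirectoryServices) and read access to the
# Configuration partition; no Exchange or AD cmdlets are required.

param(
    # Placeholder DN of the Exchange organisation object; replace with yours.
    [string]$OrgDn = 'CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=local',
    # Placeholder groups allowed to hold mailbox-level rights under your model.
    [string[]]$ApprovedPrincipals = @(
        'EXAMPLE\Exchange Mailbox Admins',
        'NT AUTHORITY\SYSTEM'
    )
)

# Extended-right GUIDs as defined by the Active Directory schema.
$RightNames = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send-As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive-As'
}

$entry = [ADSI]("LDAP://" + $OrgDn)
$sd    = $entry.psbase.ObjectSecurity      # ActiveDirectorySecurity: the object's DACL

$writeDacl  = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$writeOwner = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = foreach ($ace in $sd.Access) {
    # Only Allow entries grant anything; Deny entries are left out of this report.
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

    $who    = $ace.IdentityReference.Value
    $rights = $ace.ActiveDirectoryRights
    $grants = @()

    # Full control, or the right to rewrite the DACL or owner, lets a principal
    # hand themselves mailbox rights later: the exact concern raised above.
    if (($rights -band $genericAll) -eq $genericAll) { $grants += 'GenericAll' }
    elseif (($rights -band $writeDacl) -ne 0)         { $grants += 'WriteDacl' }
    if (($rights -band $writeOwner) -ne 0)            { $grants += 'WriteOwner' }

    # Extended rights: an empty ObjectType GUID means every extended right.
    if (($rights -band $extended) -ne 0) {
        if ($ace.ObjectType -eq [Guid]::Empty) {
            $grants += 'AllExtendedRights'
        } else {
            $key = $ace.ObjectType.ToString().ToLower()
            if ($RightNames.ContainsKey($key)) { $grants += $RightNames[$key] }
        }
    }

    if ($grants.Count -eq 0) { continue }

    New-Object PSObject -Property @{
        Principal = $who
        Grants    = ($grants -join ',')
        Inherited = $ace.IsInherited
        Approved  = ($ApprovedPrincipals -contains $who)
    }
}

$findings | Sort-Object Approved, Principal |
    Format-Table Principal, Grants, Inherited, Approved -AutoSize

# Non-zero exit when an unapproved principal holds any of these rights, so the
# script can run as a scheduled check after the split permissions model is applied.
if ($findings | Where-Object { -not $_.Approved }) { exit 1 }
```

Two caveats when reading the output. The script inspects one container's own DACL; rights inherited downwards to administrative groups and mailbox stores show up as Inherited entries on those objects, so run it against each container you care about, and note that per-mailbox "full mailbox access" lives on the user's mailbox security descriptor rather than on these objects and is not covered here. It also does not expand group membership, so an approved group that itself contains domain administrators will pass; WriteOwner is reported alongside WriteDacl precisely because taking ownership is the route an over-privileged account would use to re-grant itself rights that the split model removed.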