locked
Question about setting up administration for another user RRS feed

  • Question

  • We are completing a migration from Exch 2003 to Exch 2010.  I have a user that runs ADU&C to create contacts and other objects inside of an OU.  My question is how will I set them up to do these same tasks once I have completed the upgrade and have taken my Exch 2003 servers offline?  Originally I installed the admin pack and ESM and delegated authority to the user to perform the needed tasks in 2003, but I am not sure what needs to be done now.  Any help appreciated.   thanks 
    Friday, January 20, 2012 9:35 PM

Answers

  • You can use RBAC - http://technet.microsoft.com/en-us/library/dd298183.aspx

    And you can install the Exchange Management Console/shell on the admin workstations.


    Sukh
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:16 PM
    Friday, January 20, 2012 11:01 PM
  • You can put users in the appropriate Exchange management group, or you can create your own roles and groups using Rules-Based Administrative Control (RBAC).
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:17 PM
    Monday, January 23, 2012 4:05 PM
    • Marked as answer by Poly Admin Friday, January 27, 2012 7:07 PM
    • Unmarked as answer by Poly Admin Friday, January 27, 2012 7:07 PM
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:17 PM
    Thursday, January 26, 2012 3:27 PM
  • So help me get this straight.  I have:

    1- created a role group ( I needed it scoped to a specific OU and decided not to change
        the recipient role group settings)
    2- added roles to it
    3- added members to the role group
    4- ???  Now what do I do?  Just install the Exchange 2010 Management Tools on the users workstation??


    • Edited by Poly Admin Friday, January 27, 2012 5:59 PM
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:17 PM
    Friday, January 27, 2012 5:58 PM
  • Remote Desktop to a 64-bit machine that has the tools installed.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:18 PM
    Friday, January 27, 2012 9:10 PM
  • It is when you give users access to a server without making them local administrators.  You can add the user's account to the Remote Desktop Users group on the server so that they can use the Exchange tools but make any server level changes.  

    Obviously they still need to be a member of the Exchange role group as discussed above.

    • Marked as answer by Poly Admin Friday, February 3, 2012 7:18 PM
    Monday, January 30, 2012 7:16 PM

All replies

  • All Exchange 2010 administrative tasks are to be performed with the Exchange Management Shell or the Exchange Management Console.  There are some things users can do through the Exchange Control Panel.  You can certainly develop something like a web application that issues the PowerShell cmdlets for specific tasks.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Friday, January 20, 2012 9:51 PM
  • So are you saying, unlike in Windows 2003 and Exchange 2003 that there is not a set of admin tools like admin.pak that can be installed on a client workstation to allow a person to perform specific delegated tasks??  Come on, give me more.  thanks
    Friday, January 20, 2012 10:38 PM
  • You can use RBAC - http://technet.microsoft.com/en-us/library/dd298183.aspx

    And you can install the Exchange Management Console/shell on the admin workstations.


    Sukh
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:16 PM
    Friday, January 20, 2012 11:01 PM
  • Hi Poly Admin,

    Any updates?

    For more information, please see:

    Install the Exchange 2010 Management Tools

    http://technet.microsoft.com/en-us/library/bb232090.aspx

     


    Frank Wang

    TechNet Community Support

    Monday, January 23, 2012 7:54 AM
  • I am looking into the Exch 2010 Management Tools.  Give me a little time to evaluate it.  What about delegating perms to a user to perform the tasks?
    Monday, January 23, 2012 1:41 PM
  • You can put users in the appropriate Exchange management group, or you can create your own roles and groups using Rules-Based Administrative Control (RBAC).
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:17 PM
    Monday, January 23, 2012 4:05 PM
  • Can you elaborate on putting the user in the appropriate Exch management group or give me an article to reference?  thanks
    Thursday, January 26, 2012 2:35 PM
    • Marked as answer by Poly Admin Friday, January 27, 2012 7:07 PM
    • Unmarked as answer by Poly Admin Friday, January 27, 2012 7:07 PM
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:17 PM
    Thursday, January 26, 2012 3:27 PM
  • If you don't want to modify the default roles then "Recipient Management" will probably suit your delegation needs best.
    Thursday, January 26, 2012 3:46 PM
  • I am looking at all of this.  A little overwhelming.  My user needs to be able to create contacts, users, and groups.  It was so easy to setup in Windows 2003/Exchange 2003. 
    Thursday, January 26, 2012 8:49 PM
  • The recipient role group should be enough.
    Sukh
    Thursday, January 26, 2012 9:09 PM
  • So help me get this straight.  I have:

    1- created a role group ( I needed it scoped to a specific OU and decided not to change
        the recipient role group settings)
    2- added roles to it
    3- added members to the role group
    4- ???  Now what do I do?  Just install the Exchange 2010 Management Tools on the users workstation??


    • Edited by Poly Admin Friday, January 27, 2012 5:59 PM
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:17 PM
    Friday, January 27, 2012 5:58 PM
  • Correct, just install that component from the DVD.  There are some prerequisites for Windows 7 machines, see: technet.microsoft.com.

    If they use powershell or the Exchange console the commands and functions available to them are the same.

    Friday, January 27, 2012 6:08 PM
  • If you want to scope then you have to create copy you cant change the default write scope on the builtin groups.

    Either users can use the EMC or the EMS.


    Sukh
    Friday, January 27, 2012 6:47 PM
  • Ok, let me install the Exch 2010 Mgmt Tools on the users workstation and verify that it works before closing this one out.
    Friday, January 27, 2012 7:08 PM
  • Problem #9999

    My user that needs to perform these admin tasks is using a 32-bit Windows 7 system.  I forgot this stuff is all 64-bit.  Can I download the management tools in 32-bit version?  What options do I have other than finding her another system that is 64-bit?  thanks

    Friday, January 27, 2012 9:06 PM
  • Remote Desktop to a 64-bit machine that has the tools installed.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    • Marked as answer by Poly Admin Friday, February 3, 2012 7:18 PM
    Friday, January 27, 2012 9:10 PM
  • Yeah yeah, I've already researched it and cried a little.  No 32-bit mgmt tools.   I will most likely setup a 64-bit system for her.

    We don't have a lot of 64-bit systems in place.  Nothing has the tools installed other than the Exchange server itself.

    Friday, January 27, 2012 9:38 PM
  • How would you feel about letting her remote desktop to the Exch 2010 server and run the tools?  She should only have the permissions I have delegated to her based on her login.  Are there some other issues that I should consider?
    Monday, January 30, 2012 3:42 PM
  • not really, lock down the perms, give RDP access only, EMC should be locked down as per RBAC permissions.
    Sukh
    Monday, January 30, 2012 3:50 PM
  • ok.  what do you mean by RDP access only?
    Monday, January 30, 2012 5:28 PM
  • It is when you give users access to a server without making them local administrators.  You can add the user's account to the Remote Desktop Users group on the server so that they can use the Exchange tools but make any server level changes.  

    Obviously they still need to be a member of the Exchange role group as discussed above.

    • Marked as answer by Poly Admin Friday, February 3, 2012 7:18 PM
    Monday, January 30, 2012 7:16 PM
  • Ok.

    I know in Exch 2003 I had to put the user (actually group) in the local admins group for the users to have the permissions needed to add mailboxes, etc.  Apparently that is not required in Exch 2010, which is a good thing.

    So if I have completed the setup of the role group stuff, and I want to let her remote into the Exch 2010 server and run the tools from there, all I need to do is add them to the Remote Desktop users group and test it?

    Monday, January 30, 2012 8:22 PM
  • Correct.

    Monday, January 30, 2012 8:24 PM
  • I just set everything up and tested it by logging in as the other user and created a couple Contacts and made some changes to their properties, etc.  It appears it is working exactly like you guys said it would.  I tried to modify an object in another OU and got an access denied message.  Thanks for your help on this.  I will be marking some answers to this question.  thanks
    Friday, February 3, 2012 7:16 PM