Server Installation and Administration Delegation in Exchange Server 2007
Published Dec 04 2006 01:10 PM

NOTE: This article has also been published in the official Exchange 2007 documentation. For server provisioning, see http://technet.microsoft.com/en-us/library/bb201741.aspx. For server delegation, see http://technet.microsoft.com/en-us/library/bb331957.aspx. We recommend that you check the documentation for the most up-to-date version.

In previous versions of Exchange, permission delegation was limited to two levels: the organization and the administrative group. In some environments this meant creating an administrative group for each Exchange server, solely to ensure that a server's administrator held no privileged rights on other Exchange servers.

In Exchange 2007, the administrative group model has been deprecated. As a result, Exchange administrators gain additional flexibility: they can assign administrative control at the server level and, separately, delegate permission to install a server.

Server Installation Delegation

New in Exchange 2007 is the ability for an Exchange administrator to delegate server installation. The administrator does this with a special set of Setup commands that provision the server object in the configuration partition and grant the installation account the rights it needs to complete the installation on the server itself.

Note: Delegating the installation of the first instance of an Exchange 2007 server role in an Exchange organization is not supported. The first instance of each server role must be installed by an account that holds the Exchange Organization Administrator role.

The server installation delegation process performs the following actions:

  • Creates the server object within the configuration partition: CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Root Domain>
  • Adds the following Access Control Entries to the server object within the configuration partition for the delegated account:
    • Full Control on the server object and its children.
    • Deny access control entry for the Send As extended right.
    • Deny access control entry for the Receive As extended right.
  • Adds the delegated account to the membership of the Exchange Organization View-Only Administrators role.

Note: The account that is delegated the right to install Exchange 2007 is also granted the Exchange Server Administrator role (see the next section for more information).

Server Provisioning Procedure

1. Log on to a server that has an Exchange 2007 role installed (excluding the Edge Transport server role), using an account that is a member of the Exchange Organization Administrators group.

a. Using the Active Directory Users and Computers snap-in, create the computer account for the server whose installation is being delegated, in the appropriate organizational unit (if the computer account does not already exist).

b. Open a command prompt.

    i. Navigate to the Exchange binary folder (default location is %ProgramFiles%\Microsoft\Exchange Server\Bin).
    ii. Enter the following command: exsetup /NewProvisionedServer:<ServerName.fqdn> /ServerAdmin:<domain\account>

2. Allow time for Active Directory replication.

Note: Also ensure that the delegated account is a member of the local Administrators group on the server being provisioned.

3. Have the <domain\account> that was specified in step 1 log on to the new server and launch Exchange 2007 Setup (the GUI or the command-line interface) to install the Exchange 2007 roles.

De-Provisioning a Server

Exchange 2007 Setup can also be used to de-provision a server object. This process removes the provisioned server object from the configuration partition.

Server De-Provisioning Procedure

1. Log on to a server that has an Exchange 2007 role installed, using an account that is a member of the Exchange Organization Administrators group.

a. Open a command prompt.

    i. Navigate to the Exchange binary folder (default location is %ProgramFiles%\Microsoft\Exchange Server\Bin).
    ii. Enter the following command: exsetup /RemoveProvisionedServer:<ServerName.fqdn>

2. Allow time for Active Directory replication.

Server Administration Delegation

Exchange 2007 lets Exchange administrators delegate administrative and management responsibility for a server to an individual or a group of individuals, which supports a distributed operations-management model.

The Exchange Server Administrator role has access only to local server Exchange configuration data, whether in Active Directory or on the physical computer on which Exchange 2007 is installed. Members of the role can administer a particular server, but they cannot perform operations that have an organization-wide impact.

When you delegate the Exchange Server Administrator role to a user or group, that user or group becomes the owner of all local server configuration data. As owner, the server administrator has full control over the local server configuration data on the server object within the configuration partition and is assigned the following permissions:

  • The following Access Control Entries are granted to the delegated account on the server object within the configuration partition:
    • Full Control on the server object and its children.
    • Deny access control entry for the Send As extended right.
    • Deny access control entry for the Receive As extended right.
    • Deny CreateChild and DeleteChild access rights for Exchange Public Folder Store objects (public folders are an organizational responsibility, so creating or deleting public folder stores is restricted to Exchange Organization Administrators).
  • The delegated account is added automatically to the local Administrators group on the computer on which Exchange is installed.
  • The delegated account is added to the membership of the Exchange Organization View-Only Administrators role.

Server administration can be delegated through either the Exchange Management Console or the Exchange Management Shell; both use the Add-ExchangeAdministrator task.

Exchange Management Console Procedure

1. Log on to a server that has the Exchange Management Console installed, using an account that is a member of the Exchange Organization Administrators group.

2. Open the Exchange Management Console.

3. Navigate to the Organization Node.

4. Click the Add Exchange Administrator action.

a. Click the Browse button and select the user or group to which you want to delegate control.

b. Choose the Exchange Server Administrator role radio button.

c. Click Add and select the servers to which you want to delegate control.

d. Click Add to implement the change.

e. Verify that the delegation was successful and click Finish.

Exchange Management Shell Procedure

1. Log on to a server that has the Exchange Management Console installed, using an account that is a member of the Exchange Organization Administrators group.

2. Open the Exchange Management Shell.

3. Type the following command, where "domain.com/Users/" is the location within Active Directory of the object that will be given the rights and "Server Admin" is the object:

a. Add-ExchangeAdministrator -Identity:"domain.com/Users/Server Admin" -Role:ServerAdmin -Scope:<Exchange Server Name>

b. Verify the task completed successfully.
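The verification steps in both the provisioning procedure and the delegation procedure above leave it to the administrator to confirm the outcome. The following Exchange Management Shell function is an added example (not part of the original post or the product documentation) that checks the server object path, the ACEs and the role memberships the two sections describe. It assumes the Exchange 2007 cmdlets Get-OrganizationConfig, Get-ADPermission and Get-ExchangeAdministrator, and takes the account in the same "domain.com/Users/Server Admin" form used by the Add-ExchangeAdministrator step.

```powershell
# Added example (not from the original post). Assumes the Exchange 2007 Management Shell
# cmdlets Get-OrganizationConfig, Get-ADPermission and Get-ExchangeAdministrator.
function Test-ExchangeServerDelegation([string]$Server, [string]$Identity) {
    # $Server is the short server name (e.g. EXCH01); $Identity uses the same form as the
    # Add-ExchangeAdministrator step, e.g. "domain.com/Users/Server Admin".

    # Server object path from the post; only the organization and root-domain parts vary.
    $orgDn    = (Get-OrganizationConfig).DistinguishedName
    $serverDn = "CN=$Server,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT)," +
                "CN=Administrative Groups,$orgDn"

    # One entry per setting the post says delegation applies; $false means it was not found.
    $result = @{ ServerObjectExists = $false; FullControl = $false; DenySendAs = $false
                 DenyReceiveAs = $false; DenyPublicFolderStoreChild = $false
                 ServerAdminRole = $false; ViewOnlyAdminRole = $false }

    # 1. The provisioned server object must exist in the configuration partition.
    $result.ServerObjectExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$serverDn")
    if (-not $result.ServerObjectExists) { return $result }

    # 2. Inspect the ACEs that delegation places on the server object for this account.
    foreach ($ace in @(Get-ADPermission -Identity $serverDn -User $Identity)) {
        $rights   = [string]::Join(',', @($ace.AccessRights     | ForEach-Object { "$_" }))
        $extended = [string]::Join(',', @($ace.ExtendedRights   | ForEach-Object { "$_" }))
        $children = [string]::Join(',', @($ace.ChildObjectTypes | ForEach-Object { "$_" }))
        if (-not $ace.Deny -and $rights -match 'GenericAll') { $result.FullControl = $true }
        if ($ace.Deny -and $extended -match 'Send-As')       { $result.DenySendAs = $true }
        if ($ace.Deny -and $extended -match 'Receive-As')    { $result.DenyReceiveAs = $true }
        # Deny CreateChild/DeleteChild limited to public folder store objects (ms-Exch-Public-MDB).
        if ($ace.Deny -and $rights -match 'CreateChild' -and $children -match 'Public.?MDB') {
            $result.DenyPublicFolderStoreChild = $true
        }
    }

    # 3. Delegation records: ServerAdmin scoped to this server, plus ViewOnlyAdmin membership.
    $roles = @(Get-ExchangeAdministrator | Where-Object { "$($_.Identity)" -eq $Identity })
    $result.ServerAdminRole   = [bool]($roles | Where-Object { $_.Role -eq 'ServerAdmin' -and $_.Scope.Name -eq $Server })
    $result.ViewOnlyAdminRole = [bool]($roles | Where-Object { $_.Role -eq 'ViewOnlyAdmin' })

    return $result
}

# Example call (constructed names); any $false in the output means the delegation did not land as the post describes.
Test-ExchangeServerDelegation -Server 'EXCH01' -Identity 'domain.com/Users/Server Admin'
```

Run it after Active Directory replication has completed, since the ACEs and role memberships are read from the configuration partition.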

- Ross Smith IV

Last updated: Jul 01 2019 03:21 PM