Securing Exchange Server by Controlling Object Visibility - Part 1

Published date Sun, 2006-05-28 00:47
Author Nicolas Blank


We would like to welcome Mr. Nicolas Blank as he presents his first article about Exchange Server to MessagingTalk.org readers.

In this article you will learn how to control object visibility, that is, how to make objects such as servers, routing groups and administrative groups disappear from Exchange System Manager for certain users.

Introduction

The scenario I am working under is that I have a semi-trusted user who needs access to Exchange System Manager (ESM), either the 2000 or the 2003 version. I have run the Delegate Control Wizard and made this person an Exchange View Only Administrator or an Exchange Administrator.

I would like to manipulate permissions so that I can deny rights at a very detailed level. I know that I can view permissions on more objects than usual by setting the ShowSecurityPage value under HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin in the registry; however, even with that value set, the Exchange System Manager MMC still does not let me get to the level of granularity I need.



Note: Creating a DWORD value called ShowSecurityPage under HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin and setting it to 1 exposes the Security page for nearly every object that is not a container object. If the value is absent or set to 0, the Security page is only visible on Address Lists, Global Address Lists, databases (mailbox stores and public folder stores) and the top-level public folder hierarchy. See KB 259221 for details. This applies to Exchange 2000 and 2003, and because the value lives under HKEY_CURRENT_USER it must be set for each administrator account that uses ESM.

For example, I would like to hide the Global Settings node from my helpdesk user or group. Right-clicking the Global Settings object in ESM, however, offers no Properties item, so there is no Security tab to edit. Other things I would like to hide from the helpdesk ESM view are Routing Groups and the public folder container, called Folders in ESM. For this level of rights management I can use a third-party application, or I can use one for free: ADSIEDIT. Bear in mind that you get what you pay for. ADSIEDIT will do the job, but it offers none of the features of a commercial tool, such as auditing, reporting and, most importantly, rollback.

If you do not have ADSIEDIT, install the Support Tools by running Setup from the \Support\Tools directory on your Windows 2000 Server or Windows Server 2003 installation CD. I will be using ADSIEDIT from the Windows Server 2003 Support Tools.

Start ADSIEDIT by clicking on Start, Run, type ADSIEDIT.MSC and hit Enter.




Find the Configuration container. Click the + sign next to each container in turn and browse to Configuration, Services, Microsoft Exchange. If the Microsoft Active Directory Connector (ADC) is installed, two containers are visible underneath the Microsoft Exchange container: Active Directory Connections, and your Exchange organization name (mine is E2K3Target); without the ADC only the organization container is present. Expand the organization container and Global Settings becomes visible. Right-click Global Settings, click Properties and then click the Security tab.

The Access Control List (ACL) for this container is now visible: the list of permissions on this object and the users or groups they apply to.
Inherited permissions show as greyed-out tick boxes. LEAVE THOSE ALONE unless you know exactly what you are doing, have a working backup and have tested the change in a lab first. To reiterate what we are trying to achieve: we want to deny the helpdesk operator, who logs in as Helpdesk, visibility of a number of objects, and the Global Settings container is one of them.

Click Add, choose the user or group you are targeting in the object picker that appears and click OK. The user appears in the list. Because the user or group already has permissions on the Exchange organization (recall that I ran the Delegate Control Wizard), the Read permission on this object is inherited. Without un-ticking that inherited Allow, tick the Deny box for the Read permission and click OK. An explicit Deny on the object is evaluated before the Allow inherited from the organization, so the inherited entry can stay as it is.
Global Settings has just disappeared from my Helpdesk user's Exchange System Manager view. ESM reads the configuration from a domain controller, so if the user is connected to a different domain controller than the one you edited, wait for Active Directory replication before checking. Because the Deny is on the directory object itself, it also applies to ADSIEDIT, LDP or any other LDAP client the user might run, not only to ESM.
Expanding CN=Administrative Groups reveals the administrative groups, i.e. First Administrative Group and so on, and expanding those in turn reveals a number of interesting containers. Most objects at this level are containers with one or more child objects, so any or all of them can be hidden with the method just used on Global Settings, or individual objects such as particular servers can be cherry-picked. This allows a customized ESM view to be built for each area of responsibility: a customized help desk role might see a regional server with its associated protocol stacks, or just the SMTP stack with queue management and nothing more.
 
Applying Deny Read to Folder Hierarchies and Routing Groups as well produces the Helpdesk user's ESM view shown below, with the administrator's view in a second MMC alongside for contrast.
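The ADSIEDIT steps above (bind to the object in the Configuration partition, note what the trustee already holds, add an explicit Deny Read entry on that object only) can also be scripted, which gives you the rollback path that ADSIEDIT lacks. The following is an added example written for this page with PowerShell and System.DirectoryServices; it is not code from the original article. The organization name, the CONTOSO\Helpdesk account, the backup directory and the relative DNs of the targets are assumptions, and the account running it needs the right to write the DACL on those objects.

```powershell
# Added example, not from the original article. Scripts the ADSIEDIT procedure:
# back up the object's ACL as SDDL, list the trustee's existing (inherited) entries,
# then add an explicit Deny Read ACE on the object only. Names below are assumptions.

function Get-ExchangeObjectDn {
    # DN of an object under the Exchange organization container in the Configuration NC,
    # e.g. 'CN=Global Settings' or
    # 'CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups'.
    param([string]$Org, [string]$RelativeDn)
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    return "$RelativeDn,CN=$Org,CN=Microsoft Exchange,CN=Services,$configNc"
}

function Backup-ObjectAcl {
    # Save the current security descriptor (SDDL) so the change can be reversed.
    param([string]$Dn, [string]$Label, [string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $entry = [ADSI]"LDAP://$Dn"
    $sddl  = $entry.ObjectSecurity.GetSecurityDescriptorSddlForm('All')
    $file  = Join-Path $BackupDir ('{0}-{1}.sddl' -f $Label, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    [IO.File]::WriteAllText($file, $sddl)
    return $file
}

function Show-TrusteeAces {
    # What the trustee holds on the object, inherited entries included.
    # After the Delegate Control Wizard this shows an inherited Allow from the organization.
    param([string]$Dn, [string]$Trustee)
    $entry = [ADSI]"LDAP://$Dn"
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Trustee } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited, InheritanceType
}

function Hide-ObjectFromTrustee {
    # Explicit Deny of GenericRead on this object only (InheritanceType None).
    # The inherited Allow is left alone: an explicit Deny is evaluated before it.
    param([string]$Dn, [string]$Trustee)
    $entry    = [ADSI]"LDAP://$Dn"
    $identity = New-Object System.Security.Principal.NTAccount($Trustee)
    $rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

function Restore-ObjectAcl {
    # Rollback: write the saved SDDL back verbatim.
    param([string]$Dn, [string]$SddlFile)
    $entry = [ADSI]"LDAP://$Dn"
    $entry.ObjectSecurity.SetSecurityDescriptorSddlForm([IO.File]::ReadAllText($SddlFile), 'All')
    $entry.CommitChanges()
}

# --- usage; every value here is an assumption for the example ---
$org     = 'E2K3Target'            # the article's organization name
$trustee = 'CONTOSO\Helpdesk'      # assumed domain\account of the helpdesk operator
$backups = 'C:\ESM-ACL-Backups'    # assumed backup location
$targets = @{
    'GlobalSettings'    = 'CN=Global Settings'
    'FolderHierarchies' = 'CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups'
    'RoutingGroups'     = 'CN=Routing Groups,CN=First Administrative Group,CN=Administrative Groups'
}
foreach ($label in $targets.Keys) {
    $dn = Get-ExchangeObjectDn -Org $org -RelativeDn $targets[$label]
    "Before: $dn"
    Show-TrusteeAces -Dn $dn -Trustee $trustee | Format-Table -AutoSize
    $saved = Backup-ObjectAcl -Dn $dn -Label $label -BackupDir $backups
    "ACL saved to $saved (Restore-ObjectAcl -Dn '$dn' -SddlFile '$saved' reverses the change)"
    Hide-ObjectFromTrustee -Dn $dn -Trustee $trustee
    "After:"
    Show-TrusteeAces -Dn $dn -Trustee $trustee | Format-Table -AutoSize
}
```

GenericRead is what the Read tick box on the basic Security page grants or denies. InheritanceType None keeps the Deny on the container itself, which is all that is needed to remove the node from ESM; choose Descendents or All instead only if you also want the user unable to read the child objects through another directory client. Run it first against a lab organization, and keep the .sddl files with your change record.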



A note of caution:

To do what I have described you need Exchange Full Administrator rights at minimum. If rights management at this level is new to you, read the article a few times until the material is familiar. Working with these tools is much like working with the registry, except that a mistake can conceivably stop mail for your company. Understand what needs to be accomplished, lab it first to ensure predictable results, and document every step. If you have third-party AD management tools that offer auditing, switch auditing on and document every step so that you know what to reverse if something breaks. Idly meddling with rights, or ticking and un-ticking things like inheritance at the wrong level, can break mail flow, mail delivery, users opening mailboxes or public folders, and so on. Handle with care, document, lab it first, and if possible make the changes with software or a script that you have tested before and that offers you a rollback path.

Article originally published on Outlookexchange.com


About Nicolas Blank

Nicolas Blank - Operations Director, Credo Technical Services

Nicolas Blank is a Microsoft Infrastructure Architect and Operations Director for Credo Technical Services in South Africa and specializes in Exchange, Active Directory, architecture, systems management, migration and scripting. Nicolas is a Microsoft MVP for Exchange and spends what spare time he has writing, blogging and talking about Exchange and associated technologies. www.credotech.co.za

