
Shared Versus Split Permissions Models

Both AD and Exchange Server environments require administrators with specialized knowledge to administer them. In some organizations, the responsibility for managing these two environments is shared by the same personnel. Other organizations have separate departments for managing AD and Exchange Server.

Exchange Server 2010 enables organizations to use either a shared permissions or a split permissions model. By default, the shared permissions model is deployed.

Shared Permissions Model

Organizations that want to use a shared permissions model don't need to change anything, because it is the default model in Exchange Server 2010. The Exchange Server management tools (the Exchange Management Console, the Exchange Management Shell, and the Exchange Control Panel, introduced later in this tutorial) do not separate the management of Exchange Server objects from the management of AD objects: an administrator using these tools can both create security principals in AD and manage the Exchange Server configuration of those objects.

Split Permissions Model

In the split permissions model, a distinction is made between the creation of security principals in AD (such as users and security groups) and the configuration of the Exchange Server attributes on those objects.

Properly implemented, a split permissions model reduces the risk of unauthorized access to the network, because only a small group of authorized personnel can create the security principals (accounts and groups) through which that access is granted.

Using this model, one group of administrators (AD admins) can create security principals in AD, whereas another (Exchange Server admins) can manage the Exchange Server-specific attributes on existing AD objects.

Organizations that want to implement a split permissions model should consider carefully whether it will truly work in their environment. Under this model, AD admins create new users but cannot configure the Exchange Server attributes on those objects, and Exchange Server admins can configure those attributes but cannot create new accounts. Every new mailbox therefore requires two steps performed by two different teams: the AD admins create the user account, and the Exchange Server admins then mailbox-enable it. Under the split permissions model, Exchange Server admins can no longer use any of the following cmdlets:

  • New-Mailbox or Remove-Mailbox
  • New-MailUser or Remove-MailUser
  • New-MailContact or Remove-MailContact
  • New-LinkedUser or Remove-LinkedUser
  • Add-MailboxPermission
  • Add-MailboxFolderPermission

Exchange Server admins can still create and manage Exchange Server-specific objects, such as transport rules, distribution groups, and so on.
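The two-team workflow described above, written out as an added example (this is not code from the tutorial or from Microsoft's documentation). It assumes the Active Directory PowerShell module is available to the AD admin, that the Exchange admin works in an RBAC-filtered Exchange Management Shell session, and that the OU path, domain, user names and the database name `DB01` are hypothetical placeholders. It also shows the two checks a practitioner would run before assuming split permissions is actually in effect: whether the security-principal cmdlets are even present in the Exchange session, and who still holds the RBAC role that contains them.

```powershell
# Added example, not part of the original tutorial. All names, the OU path
# and the database name are hypothetical.

# ---------------------------------------------------------------------------
# Step 1: run by an AD administrator (ActiveDirectory module from RSAT).
# Creates the security principal only; no Exchange attributes are touched.
# ---------------------------------------------------------------------------
Import-Module ActiveDirectory

$ou       = 'OU=Staff,DC=corp,DC=example'     # hypothetical OU
$samName  = 'jdoe'                            # hypothetical account
$upn      = 'jdoe@corp.example'
$password = Read-Host -Prompt 'Initial password' -AsSecureString

New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $samName -UserPrincipalName $upn -Path $ou `
    -AccountPassword $password -Enabled $true

# ---------------------------------------------------------------------------
# Step 2: run by an Exchange administrator (Exchange Management Shell).
# ---------------------------------------------------------------------------

# Check 1: an Exchange 2010 remote session only imports the cmdlets RBAC
# grants the caller. Under split permissions the cmdlets listed in the text
# should simply be absent, so their presence means the session is still
# running under the default (shared) model.
$restricted = 'New-Mailbox', 'Remove-Mailbox',
              'New-MailUser', 'Remove-MailUser',
              'New-MailContact', 'Remove-MailContact',
              'New-LinkedUser', 'Remove-LinkedUser',
              'Add-MailboxPermission', 'Add-MailboxFolderPermission'

$present = $restricted | Where-Object { Get-Command $_ -ErrorAction SilentlyContinue }
if ($present) {
    Write-Warning ("Still available in this session (not split permissions): " +
                   ($present -join ', '))
}

# Check 2: who is assigned the RBAC role that contains New-Mailbox and the
# other creation cmdlets. Under split permissions the Exchange role groups
# should no longer appear as assignees of this role.
Get-ManagementRoleAssignment -Role 'Mail Recipient Creation' |
    Format-Table RoleAssigneeName, RoleAssigneeType, Enabled -AutoSize

# Mailbox-enabling an EXISTING AD user does not create a security principal,
# so Enable-Mailbox remains usable by Exchange admins under split permissions.
Enable-Mailbox -Identity $upn -Alias $samName -Database 'DB01'   # 'DB01' is hypothetical

# Verify that the Exchange attributes were stamped on the object the AD
# admin created, rather than on a new object.
Get-Mailbox -Identity $upn |
    Format-List Name, Alias, Database, RecipientTypeDetails, WhenCreated
```

The two halves are meant to be run by different people from different consoles; running them together in one session would itself indicate that permissions are not split. The role-assignment check is the one to rely on when auditing, because a cmdlet missing from one admin's session says only that one admin lacks it, not that no Exchange role group has it.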
