Monitoring and Managing Microsoft Exchange Server 2003

The persons who should be granted permissions for Exchange objects need to be clearly defined in any corporate messaging environment. Assignment of Exchange permissions and roles should be carefully considered, and periodic audits should be conducted to review the list of individuals who hold Exchange permissions.
Any reasonably sized Exchange network is not managed by a single person but rather by a group of people who have been granted the necessary privileges to modify the contents of the Microsoft Exchange directory and components. The purpose of this section is to explain how permissions work in the Microsoft Exchange Administrator program.
Having defined roles for corporate messaging architects, messaging system managers, directory services managers, messaging system backup operators, administrators, and the help desk makes it necessary to grant the appropriate access rights to implement these roles. Specific rights and permissions are required to perform each of these roles. The type and breadth of tasks that can be performed by the administrator can be tailored by varying both the permission types and the objects to which the permissions apply. Granting excessive rights creates problems by allowing too many people to have access to potentially destructive features. Appropriate and carefully controlled assignment of rights and permissions will allow management and administrative tasks to be carried out productively without jeopardizing system security.
Permissions for Exchange are based on the Windows permission model. The Active Directory is the primary data structure for Exchange, and managing Exchange really means...