Exchange Server Security Groups

Like Exchange Server 2007, Exchange Server 2010 uses predefined universal security groups to separate administration of Exchange permissions from administration of other permissions. When you add an administrator to one of these security groups, the administrator inherits the permissions permitted by that role.

The predefined security groups have permissions to manage the following types of Exchange data in Active Directory:

• Organization Configuration node This type of data is not associated with a specific server and is used to manage databases, policies, address lists, and other types of organizational configuration details.

• Server Configuration node This type of data is associated with a specific server and is used to manage the server’s messaging configuration.

• recipient Configuration node This type of data is associated with mailboxes, mail-enabled contacts, and distribution groups.

In Exchange Server 2010, databases have been moved from the Server Configuration node to the Organization Configuration node. this change was necessary because the Exchange schema was flattened and storage groups were removed. As a result of these changes, all storage group functionality has been moved to the database level.

The predefined groups are as follows:
• Delegated Setup Members of this group have permission to install and uninstall Exchange on provisioned servers.

• Discovery Management Members of this group can perform mailbox searches for data that meets specific criteria.

• Exchange all hosted Organizations Members of this group include
hosted organization mailbox groups. This group is used to apply Password
Setting objects to all hosted mailboxes.

• Exchange Servers Members of this group are Exchange servers in the
organization. This group allows Exchange servers to work together.

• Exchange trusted Subsystem Members of this group are Exchange servers that run Exchange cmdlets using WinRM. Members of this group have permission to read and modify all Exchange configuration settings as well as user accounts and groups.

• Exchange Windows permissions Members of this group are Exchange servers that run Exchange cmdlets using WinRM. Members of this group have permission to read and modify user accounts and groups.

• ExchangelegacyInterop Members of this group are granted send-to and receive-from permissions, which are necessary for routing group connections between Exchange Server 2010 and Exchange Server 2003. Exchange Server 2003 bridgehead servers must be made members of this group to allow proper mail flow in the organization.

• Help Desk Members of this group can view any property or object within the Exchange organization and have limited management permissions, including the right to change and reset passwords.

• Hygiene Management Members of this group can manage the antispam and antivirus features of Exchange.

• Organization Management Members of this group have full access to all Exchange properties and objects in the Exchange organization.

• Public Folder Management Members of this group can manage public folders and perform most public folder management operations.

• Recipient Management Members of this group have permissions to modify Exchange user attributes in Active Directory and perform most mailbox operations.

• Records Management Members of this group can manage compliance features, including retention policies, message classifications, and transport rules.

• Server Management Members of this group can manage all Exchange servers in the organization but do not have permission to perform global operations.

• UM Management Members of this group can manage all aspects of unified messaging, including unified messaging server configuration and unified messaging recipient configuration.

• View-Only Organization Management Members of this group have read-only access to the entire Exchange organization tree in the Active Directory configuration container and read-only access to all the Windows domain containers that have Exchange recipients.

Source of Information : Microsoft Press - Exchange Server 2010 Administrators Pocket Consultant