Setting Administrator Permissions for the Edge Transport Server Role
Applies to: Exchange Server 2010
This topic provides an overview of the permissions that a user must have to administer a computer that has the Microsoft Exchange Server 2010 Edge Transport server role installed.
Edge Transport Server Role Permissions
The Edge Transport server role is deployed in an organization's perimeter network, which is also known as the boundary network or screened subnet. The Edge Transport server can be deployed as a stand-alone server or as a member of a perimeter Active Directory domain.
When the Exchange 2010 Edge Transport server role is installed, no Exchange-specific groups are created. The Administrators local group is granted full control of the Edge Transport server, including the instance of Active Directory Lightweight Directory Services (AD LDS) on the Edge Transport server. When you log on by using an account that has Administrators local group membership, you can modify the server configuration, the status of queues and messages in transit, the security configuration of the server, and AD LDS data.
You perform remote administration of Edge Transport servers by using Microsoft Windows Terminal Services. The Administrators local group is automatically granted remote logon permissions. Other user accounts must have membership in the Remote Desktop Users local group to log on to the server by using a remote desktop connection. We recommend that you create a specific user account for each user who administers an Edge Transport server. You must add these user accounts to the Administrators local group to make sure that the correct access level is granted.
Permissions That Are Required to Administer the Edge Transport Server
The following table lists the common administrative tasks that are performed on the Edge Transport server and the group memberships that are required to complete each task successfully. You can use this information to delegate server administration.
Administrative tasks and group membership requirements
Task | Required group membership |
---|---|
Backup and restore | Backup Operators |
Enable and disable agents | Administrators |
Configure connectors | Administrators |
Configure anti-spam policies | Administrators |
Configure IP Block lists and IP Allow lists | Administrators |
View queues and messages | Users |
Manage queues and messages | Administrators |
Create an Edge Subscription file | Administrators |
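Because every delegation above is expressed as local group membership, the server's actual membership can be checked against an approved list. The following script is an added example, not part of the original topic or Microsoft's own code; the account names in `$approved` and the function names are constructed placeholders, and the Users group is left out because it normally contains built-in principals.

```powershell
# Added example. Reads local groups through the ADSI WinNT provider, so it does
# not depend on Get-LocalGroupMember, which older Windows PowerShell versions lack.
# All account names below are constructed placeholders (assumptions).
$approved = @{
    'Administrators'       = @('Administrator', 'edgeadmin-alice', 'edgeadmin-bob')
    'Backup Operators'     = @('edgebackup-svc')
    'Remote Desktop Users' = @()   # administrators already have remote logon rights
}

function Get-LocalGroupMemberName {
    param([string]$GroupName, [string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read the Name property via reflection.
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

function Compare-GroupMembership {
    param([string]$GroupName, [string[]]$Actual, [string[]]$Expected)
    # Accounts present on the server but not on the approved list.
    foreach ($name in $Actual) {
        if ($Expected -notcontains $name) {
            New-Object PSObject -Property @{
                Group = $GroupName; Account = $name; Finding = 'Unexpected member' }
        }
    }
    # Approved accounts that are missing from the group.
    foreach ($name in $Expected) {
        if ($Actual -notcontains $name) {
            New-Object PSObject -Property @{
                Group = $GroupName; Account = $name; Finding = 'Approved account missing' }
        }
    }
}

$findings = foreach ($groupName in $approved.Keys) {
    $actual = @(Get-LocalGroupMemberName -GroupName $groupName)
    Compare-GroupMembership -GroupName $groupName -Actual $actual -Expected $approved[$groupName]
}

if ($findings) {
    $findings | Sort-Object Group, Account | Format-Table Group, Account, Finding -AutoSize
} else {
    'Local group membership matches the approved list.'
}
```

Run it from an elevated Windows PowerShell session on the Edge Transport server. Name comparison is case-insensitive and uses the short account name only, so a domain account and a local account with the same name are not distinguished.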