Document: Module 3: Administering Microsoft Exchange 2000 (pptx)

Title: Administering Microsoft Exchange 2000
Authors: Steve Thues, Megan Camp, Bill Higgins (Volt Technical), Jennifer Morrison, Priya Santhanam (NIIT (USA) Inc), Samantha Smith, Alan Smithee, Scott Serna, Krista Anders, Chris Gould (Global Logic Ltd), Janice Howd, Elizabeth Molony, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC), Karim Batthish, Paul Bowden, Kevin Kaufman, Barry Steinglass, Jeff Wilkes, Kimberly Jackson (Independent Contractor), Lynette Skinner, Kelly Baker, Marlene Lambert (Online Training Solutions, Inc), Eric Myers, Robertson Lee (Volt), David Mahlmann, Lisa Pease, Julie Challenger, Rick Terek, John Williams, Laura King, Kathy Hershey, Bo Galford, Dave Phillips, David Bramble, Dean Murray, Robert Stewart
Instructor: PTs. Nguyễn Văn A
School: Microsoft Corporation
Field: Information Technology
Type: Training guide
Year of publication: 2000
City: Redmond
Number of pages: 66
File size: 1.53 MB


Contents

Overview

Overview of the Administrative Utilities

Introduction to Exchange System Manager

Managing Administrative Security

Lab A: Creating a Mail-enabled User

Using Exchange 2000 System Policies

Administering Exchange 2000 Address

with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BackOffice, Jscript, NetMeeting, Outlook, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Program Manager: Steve Thues

Product Manager: Megan Camp

Instructional Designers: Bill Higgins (Volt Technical), Jennifer Morrison, Priya Santhanam (NIIT (USA) Inc), Samantha Smith, Alan Smithee

Instructional Software Design Engineers: Scott Serna

Subject Matter Experts: Krista Anders, Megan Camp, Chris Gould (Global Logic Ltd), Janice Howd, Elizabeth Molony, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC)

Technical Contributors: Karim Batthish, Paul Bowden, Kevin Kaufman, Barry Steinglass, Jeff Wilkes

Graphic Artist: Kimberly Jackson (Independent Contractor)

Editing Manager: Lynette Skinner

Editor: Kelly Baker

Production Manager: Miracle Davis

Build Manager: Julie Challenger

Production Support: Marlene Lambert (Online Training Solutions, Inc)

Test Manager: Eric Myers

Courseware Testing: Robertson Lee (Volt)

Creative Director, Media/Sim Services: David Mahlmann

Web Development Lead: Lisa Pease

CD Build Specialist: Julie Challenger

Localization Manager: Rick Terek

Operations Coordinator: John Williams

Manufacturing Support: Laura King; Kathy Hershey

Lead Product Manager, Release Management: Bo Galford

Lead Product Manager, Messaging: Dave Phillips

Group Manager, Courseware Infrastructure: David Bramble

Group Product Manager, Content Development: Dean Murray

General Manager: Robert Stewart

Instructor Notes

This module provides students with the information necessary to assign administrative roles to users and groups, grant and delegate permissions to administrators, use administrative groups to manage administrative permissions, and create system policies to manage Microsoft® Exchange 2000 objects.

After completing this module, students will be able to:

- Describe the utilities that you can use to modify the Active Directory™ directory service.
- Describe the main components of Exchange System Manager that are used
- Create and apply system policies and secure system policy creation.
- Create, configure, and update address lists in Exchange 2000.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the following materials:

- Microsoft PowerPoint® file 1572A_03.ppt

Preparation Tasks

To prepare for this module, you should:

- Read all the materials for this module.
- Complete the labs.

Presentation: 75 Minutes

Lab: 55 Minutes

Module Strategy

Use the following strategy to present this module:

- Introduction to the Administrative Utilities

  In this topic, describe the four utilities that you can use to grant permissions, assign roles, and create system policies. Inform the students that Exchange System Manager is the utility used for most administration tasks.

- Introduction to Exchange System Manager

  In this topic, explain the properties of the Organization object in Exchange System Manager. Also, list and explain the top-level containers located under the Organization object in Exchange System Manager.

- Managing Administrative Security

  In this topic, explain how to grant permissions to administrators to enable them to carry out their tasks. Explain how to do this manually as well as by using the Exchange System Manager. Also explain how to delegate permissions using the Exchange Administration Delegation Wizard.

- Creating and Configuring Administrative Groups

  In this topic, explain how to create a new administrative group. Next, explain how to grant permissions to an administrative group manually or by using the Exchange Administration Delegation Wizard.

- Using Exchange 2000 System Policies

  In this topic, explain how to manage Exchange 2000 objects using system policies. List the objects for which you can create system policies. Explain how to create policies and apply them to an Exchange organization.

- Administering Exchange 2000 Address Lists

  In this topic, describe the various address lists available in Exchange 2000. Explain how to create custom address lists and offline address lists. Explain how address lists can be configured to meet different requirements. Finally, explain how to keep address lists up-to-date by using the Recipient Update Service.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1572A, Implementing and Managing Microsoft Exchange 2000.

Lab Setup

The following list describes the setup requirements for the labs in this module.

Setup Requirement 1

The labs in this module require Exchange 2000. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete the labs for Module 2, “Installing Microsoft Exchange 2000,” in course 1572A, Implementing and Managing Microsoft Exchange 2000.
- Install Exchange 2000 at D:\Program Files\Exchsrvr on each server into an organization named Northwind Traders. Components installed are Microsoft Exchange Messaging and Collaboration Services, Microsoft Exchange System Management Tools, and Microsoft Exchange Instant Messaging Service.

Setup Requirement 2

The labs in this module require a custom MMC. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete the labs for Module 2, “Installing Microsoft Exchange 2000,” in course 1572A, Implementing and Managing Microsoft Exchange 2000.
- Have the students create a custom MMC in the C:\Documents and Settings\All Users\Desktop that is saved as your_firstname Console. The MMC contains the Active Directory Users and Computers snap-in and the Exchange System snap-in.

Lab Results

Performing the labs in this module introduces the following configuration changes:

- An organizational unit is created in Active Directory that is named your_servernameOU for each server in the classroom.
- A user account is created in each server’s organizational unit for each student. The account is a member of the Domain Admins group and has a mailbox on the student’s Exchange server.
- An Outlook profile is created for each student on their own server that opens their mailbox.
- The Domain Admins group is delegated the Full Administrator role on the Northwind Traders organization.
- An address list is created that shows users with the city attribute set to the student’s server name.

Overview

Lead-in: In this module, you will learn how to administer Exchange 2000.

- Overview of the Administrative Utilities
- Introduction to Exchange System Manager
- Managing Administrative Security
- Creating and Configuring Administrative Groups
- Using Exchange 2000 System Policies
- Administering Exchange 2000 Address Lists

Administering a large Microsoft® Exchange 2000 organization is more than a one-person task. In this module, you will learn how to grant permissions, assign roles, and apply system policies so that specific administrative tasks can be safely delegated to other administrators.

After completing this module, you will be able to:

- Describe the utilities that you can use to modify the Active Directory™ directory service.
- Describe the main components of Exchange System Manager that are used
- Create and apply system policies and secure system policy creation.
- Create, configure, and update address lists in Exchange 2000.

Overview of the Administrative Utilities

Topic Objective: To list and describe the utilities that you can use to modify Active Directory.

Lead-in: You can choose from four utilities for administering Exchange 2000.

[Slide: Administrative Utilities: Active Directory Schema, Exchange System Manager, Ldp.exe, Adsiedit.exe]

Exchange 2000 security builds on Windows 2000 security. Therefore, administering Exchange 2000 involves making changes to the Active Directory™ directory service. For example, you can grant permissions, assign roles, and create system policies. There are several utilities available that you can use to make changes to Active Directory.

Exchange System Manager

Exchange System Manager is a Microsoft Management Console (MMC) snap-in that you can use to:

- Provide a framework for containing all other Exchange snap-ins so that you can manage an entire Exchange enterprise from a single console.
- Provide a consistent administrative experience for administrators who deal with all facets of Exchange, including public folders, servers, routing, and policies.

ADSI Edit

ADSI Edit (Adsiedit.exe) is a low-level Active Directory editor that uses Active Directory Services Interface (ADSI) to view and modify objects in the Active Directory, including the attributes and properties of a specific user or group. You need to use ADSI Edit to perform administrative tasks that cannot be performed using Exchange System Manager or Active Directory Users and Computers.

For example, ADSI Edit enables you to specify how the full name attribute is generated; this cannot be specified using Exchange System Manager or Active Directory Users and Computers. ADSI Edit is included with the Microsoft Windows® 2000 support tools.

Active Directory Administration Tool

You can use the Active Directory Administration Tool (ldp.exe), a generic Lightweight Directory Access Protocol (LDAP) tool, to connect to an LDAP compatible directory. The Active Directory Administration Tool is similar to ADSI Edit in that it allows you to view and modify objects in Active Directory. The Active Directory Administration Tool is also useful for viewing replication information of objects, such as when the object was last replicated. The Active Directory Administration Tool is included in the Windows 2000 Server support tools.

Active Directory Schema

Active Directory Schema is an MMC snap-in that allows you to view attribute and class configuration. This is different from ADSI Edit and Active Directory Administration Tool in that you cannot view instances of an object, such as a specific user.

Note: Before loading Active Directory Schema, you must register its dynamic-link library (DLL) by typing Regsvr32 schmmgmt.dll at the command prompt, and then pressing ENTER.

# Introduction to Exchange System Manager

- Exchange System Manager
- Organization Object Properties
- Top-Level Containers

As an administrator, you need to configure, maintain, and secure your Exchange organization. Exchange System Manager provides all of the configuration options you need in one convenient MMC snap-in. Because you will primarily use Exchange System Manager to administer the Exchange 2000 organization, this utility is the focus in this module.

Exchange System Manager

Topic Objective: To explain how to start Exchange System Manager.

Lead-in: Exchange System Manager displays data from Active Directory in the Windows 2000 domain.

[Slide: Exchange System Manager: Administrator, Exchange System Manager, Domain Controller, Active Directory]

You start Exchange System Manager by clicking Start, pointing to Programs, Microsoft Exchange, and then clicking System Manager.

Exchange System Manager will, by default, connect to a domain controller that exists on the same subnet as the computer running Exchange System Manager. The domain to which Exchange System Manager will connect is determined by the Domain Name System (DNS) entries.

If no domain controller exists on the same subnet, a domain controller will be chosen from within the same Windows 2000 site. After Exchange System Manager connects to a domain controller, Active Directory is queried to populate the console with data applicable to Exchange 2000.

You may want to override connecting to the default domain controller in the following scenarios:

- You need to bypass Active Directory replication latency.
- You want to use the same administrator computer to connect to multiple domain controllers in different Windows 2000 forests to manage different companies or divisions.

Note: If you want to direct the Exchange System Manager console to a specific domain controller, you must add the Exchange System Manager snap-in to an MMC console. Prior to adding the snap-in to the console, you will be prompted

Organization Object Properties

Lead-in: The Organization object is the top-level container for an Exchange 2000 organization.

[Slide: Organization Object Properties]

- General: Displays general properties including routing groups and administrative groups
- Details: Displays details such as the date of creation and last modification
- Security: Lists the users and groups that can access the Organization object along with the permissions

The Organization object is the top-level container for all other Exchange 2000 system objects. You can access the properties of an Organization object by using Exchange System Manager.

The following table describes the options in the Property dialog box of the Organization object:

| Tab | Option | Function |
|---|---|---|
| General | Display routing groups | Displays the organization’s routing group information. |
| | Display administrative groups | Displays the organization’s administrative groups. An administrative group is a collection of Exchange objects that are grouped together to simplify management of permissions. This option is disabled by default. |
| | Operation mode | Displays information about whether the organization is running in mixed mode or native mode. By default, the servers run in mixed mode. |
| | Change operation mode | Converts the organization to native mode. You should select this option only when you are certain that you will no longer be coexisting with Microsoft Exchange Server 5.5. This action is not reversible. |
| Details | Creation Date | Displays when the Organization object was created in Active Directory. |
| | Administrative note | Provides additional information about the Exchange organization that can be added by an administrator. |
| Security | Name | Displays the users and groups that currently have permissions on the Organization object. Click Add or Remove to modify this listing. |
| | Permissions | Displays the access permissions for the object selected in the Name window. Select Allow or Deny to modify the access rights of the selected object. |
| | Advanced | Views or configures specific permissions, auditing, and object owner properties. |
| | Allow inheritable permissions from parent to propagate to this object | If cleared, this option prevents the Organization object from inheriting permissions from its parent. |

Note: The Security tab is not available by default on the Organization and Administrative Groups objects. You can enable the Security tab on these objects by adding the following value to the registry:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin\ShowSecurityPage=dword:00000001 (enable) or 0 (disable)

Top-Level Containers

[Slide: Top-Level Containers: Tools, Connectors, System Policies, Servers]

For example, if you display administrative groups, then the containers Servers, Policies, and Connectors will appear under the specific Administrative Group object.

| Container | Contents |
|---|---|
| Global Settings | Organization-wide Internet message formats, message delivery, and instant messaging properties. |
| Recipients | Recipient policies, address lists, and address templates. |
| Administrative Groups (not visible by default) | All administrative groups that you have defined for the organization. Each administrative group container displays containers representing the associated servers, policies, connectors and folders. |
| Servers | All servers defined in your organization. |
| System Policies (not visible by default) | All defined mailbox store, public store, and server policies. |
| Connectors | Simple Mail Transfer Protocol (SMTP), X.400, cc:Mail, MS Mail, Lotus Notes, Groupwise and Dirsync connector objects. If you are viewing routing groups, you will also see connectors within the corresponding routing group. |
| Tools | Site Replication Services, track messages, and monitor servers and connectors from this container. |

# Managing Administrative Security

Topic Objective: To introduce this topic.

Lead-in: You must grant permissions to Administrators for the Exchange objects that they need to administer.

- Types of Permissions
- Permission Inheritance
- Delegating Permissions to Administrators
- Scope of Permissions
- Delegating Permissions Manually
- Permissions Required for Administrative Tasks

You can grant administrative privileges in Exchange 2000 by giving Windows 2000 users and groups permissions to Exchange 2000 objects. You can grant these permissions by using Exchange System Manager. Granting these permissions makes administration more secure because you can specify who can gain access to which Exchange 2000 objects. You can grant or deny permissions on individual objects and containers to specific users or groups. You can also configure permissions so that they propagate down the Exchange object console tree.

Types of Permissions

[Slide: Types of Permissions. Standard Permissions; Extended Permissions: Create public folder, Open mail send queue, Read metabase properties, Administer information store, View information store status, Receive As, Send As]

The extended permissions listed in the graphic are a subset of the extended permissions available.

Exchange 2000 uses the security model of Windows 2000 and Active Directory to manage access to objects. All Exchange 2000 objects are secured with a discretionary access control list (DACL) and individual Access Control Entries (ACEs) that give users and groups specific permissions to control administrative access to an object.

You can configure permissions for an object using the Security tab of the object in Exchange System Manager. You can either grant or deny permissions. A permission that is denied overrides all other instances of this permission being allowed to the user or group.

There are two types of permissions: standard and extended. Standard permissions are part of the default permissions for Active Directory. Extended permissions are added when Exchange 2000 is installed.

Standard Permissions

Standard permissions are Active Directory permissions that you can apply to Exchange 2000 objects. The following table lists the standard permissions for Active Directory.

| Permission | Description |
|---|---|
| Full control | Full permissions on the object |
| Read permissions | View the security settings for the object |
| Change permissions | Modify the permissions on the object |
| Take ownership | Take ownership of the object |
| Create children | Create child objects |
| Delete children | Delete child objects |
| List contents | View the contents of a container object |
| Read properties | View the properties of the object |
| Write properties | Modify the properties of the object |
| List object | View the object in a container object |

The Execute, Add/remove self, and Delete tree permissions available in Active Directory are not applicable to Exchange 2000 objects.

Extended Permissions

Extended permissions are Exchange 2000 permissions that you can use to achieve more specific administrative control. For example, the Server object has the Administer Information Store extended permission that enables you to specify which users or groups can make changes to the Information Store objects.

Important: You should use the two extended permissions, Send As and Receive As, with caution. Send As gives a user or group permission to impersonate another user. Receive As gives a user or group the capability to open another user’s mailbox. When using the Exchange Administration Delegation Wizard to assign permissions in Exchange System Manager, the Send As and Receive As permissions are denied. However, if you grant a user or group both the Send As and Receive As permissions manually using Exchange System Manager, it results in the Full Mailbox Access permission. This will enable the user or group to open all user mailboxes.

Note: Exchange 2000 does not recognize the Receive As permission granted on the user object Security page in Active Directory Users and Computers. Exchange 2000 only recognizes the Receive As extended permission granted on Exchange 2000 objects.

Topic Objective: To identify how permissions are inherited in Exchange

- It eliminates the need to manually apply permissions to child objects when child objects are created. Permissions can be applied to all child objects by simply applying the permissions to the parent object.
- It ensures that the permissions attached to a parent object are applied consistently to all child objects.

You can view permissions by opening the Property dialog box of a child object, clicking the Security tab, and then clicking Advanced. The Access Control Settings dialog box opens. All inherited permissions appear shaded in this dialog box.

You can override inheritance by:

- Modifying permissions inherited by a child object

  In some cases you may not want to have permissions inherited from a parent object. For example, when you create a new routing group, it will inherit the permissions from the administrative group in which it was created. If you want different permissions on the new routing group, you can change the inheritance of the routing group so that permissions from the parent administrative group are not propagated to the new routing group.

  Inherited permissions can be modified by clearing the Allow inheritable permissions from parent to propagate to this object check box on the Security tab of the child object. Clearing this check box removes the permissions inherited from the parent object.

  If you remove inherited permissions and specify that permissions should be applied to the parent object only, the child objects will be left with no permissions (an implicit Deny permission). This will prevent access to Exchange 2000 objects in the Exchange System Manager. In this case, you can restore the permissions using the Adsiedit.exe utility.

- Preventing permissions from propagating to child objects

  You can prevent permissions from propagating to child objects by using the Security tab of the parent object. From the Security tab, you need to access the Advanced dialog box, where you can modify the access control settings.

  For each access control setting, you can specify whether the permissions should apply only to the parent object, or whether the permissions should apply to the parent object as well as its child objects.

Delegating Permissions to Administrators

Topic Objective: To list and describe the three roles that can be applied to a user or a group.

[Screenshot: Exchange Administration Delegation Wizard, Users or Groups page]

The Exchange Administration Delegation Wizard enables you to select a user or a group, and give them a specific administrative role. The delegation wizard supports the following three roles:

- Exchange Full Administrator. Users can fully administer Exchange system information (for example, add, delete, and rename objects) and modify permissions. You should delegate this role to administrators who need to configure and control access to your mail system.
- Exchange Administrator. Users can fully administer Exchange system information. However, they cannot modify permissions. You should delegate this role to users or groups responsible for the day-to-day administration of Exchange (for example, add, delete, and rename objects).
- Exchange View Only Administrator. Users can view Exchange configuration information. You should delegate this role to administrators of other administrative groups who need to view organization information of other administrative groups that they are not administering.

Scope of Permissions

Topic Objective: To identify the permissions granted on objects when an administrative role is applied to an administrator.

Lead-in: The scope of permissions depends on where you start

[Slide: Types of Roles: Full Administrator, Exchange Administrator, View Only Administrator]

You can start the Exchange Administration Delegation Wizard from the Organization object or from specific administrative group containers. Where you start the wizard will determine the scope of objects on which the user or group will have permissions. If you start the wizard from the Organization object, the permissions assigned will be propagated down the hierarchy to all objects in the organization. If you start the wizard from an Administrative Group object, permissions will propagate to all objects in that administrative group; however, read-only permissions will also be granted from the Administrative Group object up the hierarchy so that the administrator will be able to view the hierarchy.

In order to use the Exchange Administration Delegation Wizard, you must have Full Administrator permissions at the organization level.

When you use the Exchange Administration Delegation Wizard, permissions are actually applied at the Microsoft Exchange container level in Active Directory and inherited through to the organization. This container is above the organization container for the Exchange 2000 organization. You can configure the permissions on the Microsoft Exchange container within the Active Directory schema using ADSI Edit.

CN=Configuration…, CN=Services, CN=Microsoft Exchange

Full Administrator Role

The following table lists the permissions granted for objects when you apply the Full Administrator role for the organization container to an administrator by using the Exchange Administration Delegation Wizard.

| Container | Permissions | Do permissions apply to subcontainers? |
|---|---|---|
| Organization | Send As and Receive As denied | Yes |
| Administrative Groups | All permissions inherited. Send As and Receive As inherited as denied | Yes |

Exchange Administrator Role

The following table lists the permissions granted for objects when you apply the Exchange Administrator role for the organization container to an administrator by using the Exchange Administration Delegation Wizard.

| Container | Permissions | Do permissions apply to subcontainers? |
|---|---|---|
| Microsoft Exchange | All permissions except Full Control | Yes |
| Organization | Send As and Receive As denied | Yes |
| Administrative Groups | All permissions inherited except Full Control. Send As and Receive As inherited as denied | Yes |

View Only Administrator Role

The following table lists the permissions granted for objects when you apply the View Only Administrator role for the organization container to an administrator by using the Exchange Administration Delegation Wizard.

| Object | Permissions | Do permissions apply to subcontainers? |
|---|---|---|
| Microsoft Exchange container | Read permission allowed | Yes |
| Organization | Read permission inherited, View information store status permission allowed | Yes |
| Administrative Groups | Read and View information store status permissions inherited | Yes |

Delegating Permissions Manually

First Administrative Group Properties General Details

DHCP Users (TWTRADERS1\DHCP Users) Domain Admins (NWTRADERS1\Domain Ad…

Users or Groups

List object Add PF to admin group Create public folder Create top level public folder

For example, if you want to create an administrative role that grants full access

to all Exchange 2000 objects except storage groups, you first use the Exchange Administration Delegation Wizard to apply the Full Administrator role to the group You then manually deny the Full Control permission on the storage group object As a result, these administrators would have full access to all objects except storage groups and their child objects In fact, these

administrators would not even see the storage group object in Exchange System Manager because they do not have the Read permission

You should consider the following when manually granting permissions to administer Exchange 2000:

! When delegating permissions to a user or group, you must grant parent objects at least Read permissions for the child objects you are granting explicit permission If you fail to do so, the user or group will not be able to navigate through the hierarchy to reach the object for which they have permissions

! When you grant permissions manually, the Send As and Receive As permissions are granted by default As a result, the user to whom you are delegating permissions manually will have Full Mailbox Access permission

on all mailboxes by default Such a user will be able to open any mailbox

There are situations when

you may have to delegate

permissions manually

Trang 24

Note: When you use the Exchange Delegation Administration Wizard, the Send As and Receive As permissions are not granted by default. Therefore, it is recommended that users be delegated permissions to administer Exchange 2000 using the Exchange Delegation Administration Wizard.

- Document all permissions that you grant manually so that the permissions can easily be restored or removed when troubleshooting security problems.
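To support the documentation step above and to spot manual grants that confer Send As and Receive As, the following added Python example (not part of the original courseware) parses an object's security descriptor in SDDL form and reports only the ACEs set directly on that object. The SDDL string and SIDs are constructed sample data, and it is assumed the descriptor has already been exported with your own tooling.

```python
import re

# Well-known Active Directory extended-right GUIDs.
MAILBOX_RIGHTS = {
    "ab721a54-1e2f-11d0-9819-00aa0040529b": "Send As",
    "ab721a56-1e2f-11d0-9819-00aa0040529b": "Receive As",
}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny"}

def pairs(codes):
    """Split an SDDL code string such as 'CIID' into ['CI', 'ID']."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]

def has_control_access(rights):
    """True if the mask includes CONTROL_ACCESS (CR) or GENERIC_ALL (GA)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (0x100 | 0x10000000))
    return bool({"CR", "GA"} & set(pairs(rights)))

def explicit_aces(sddl):
    """Return the DACL entries set directly on the object (not inherited)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    found = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _, trustee = body.split(";")[:6]
        if ace_type not in ACE_TYPES or "ID" in pairs(flags):
            continue  # skip audit ACEs and ACEs inherited from a parent
        covered = []  # an ACE without an object GUID covers every extended right
        if has_control_access(rights):
            covered = [n for g, n in MAILBOX_RIGHTS.items() if obj.lower() in ("", g)]
        found.append({"action": ACE_TYPES[ace_type], "trustee": trustee,
                      "rights": rights, "mailbox_rights": covered})
    return found

def risky_trustees(sddl):
    """Trustees explicitly allowed both Send As and Receive As."""
    held = {}
    for ace in explicit_aces(sddl):
        if ace["action"] == "allow":
            held.setdefault(ace["trustee"], set()).update(ace["mailbox_rights"])
    return sorted(t for t, r in held.items() if len(r) == len(MAILBOX_RIGHTS))

# Constructed sample: SDDL for a hypothetical Exchange object; SIDs are made up.
SAMPLE_SDDL = ("O:DAG:DAD:AI"
    "(D;CI;GA;;;S-1-5-21-1111-2222-3333-1108)"      # manual deny of full control
    "(A;CI;GA;;;S-1-5-21-1111-2222-3333-1105)"      # manual full-control grant
    "(OA;CI;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1111-2222-3333-1106)"
    "(A;CIID;GA;;;DA)"                              # inherited, so not reported
)
```

Saving the output of `explicit_aces` for each object you change gives the record of manual grants and denies that the last list item asks for; `risky_trustees` does not subtract rights that a separate explicit deny removes.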


Permissions Required for Administrative Tasks

To Perform a Task, an Administrator May Require:

- Specific Permissions in Exchange 2000

- Specific Windows 2000 Group Membership

In addition to the roles assigned using the Exchange Delegation Administration Wizard or the permissions granted manually, other Windows 2000 group memberships are required to manage Exchange 2000.

If you assign an administrator the Write permission for objects in an organization or administrative group, that administrator must be a local computer administrator for each computer running Exchange 2000 that he or she needs to manage. Being a local administrator enables the user to start and stop services, and to access the registry, the metabase, and the file system for different administrative operations.

The following table lists the permissions, roles, and Windows 2000 group memberships required for performing some common administrative tasks.

| Task | Exchange 2000 permissions or roles | Windows 2000 group memberships |
|---|---|---|
| Create and delete mailboxes | In Exchange 2000, you should be a member of the administrative group where the target server running Exchange 2000 exists. The View Only Administrator role should have been applied to this | |
| Move mailboxes from Exchange | In Exchange 2000, you should be a member of the administrative group where the target server running Exchange 2000 exists. The Exchange Administrator role should have been applied to this administrative group. | You should be a member of Domain Admins or Account Operators group for the local domain. |
| Create administrative groups | In Exchange 2000, you will need to have the Exchange Administrator role applied to the Exchange organization. | |
| Configure routing groups and connectors | In Exchange 2000, you should be a member of the administrative group where the target server running Exchange 2000 exists. The Exchange Administrator role should have been applied to this administrative group. | |
| Define the global message formats for specific outbound domains or specify global message thresholds | In Exchange 2000, you should have the Exchange Administrator role applied to the Exchange organization. | If you will also manage the SMTP service, you will need to be a member of the built-in Administrators group on each server running Exchange 2000 to have access to the metabase, which contains IIS configuration information. |
| View message queues in Exchange System Manager | In Exchange 2000, you should be a member of the administrative group where the connector exists. The View Only Administrator role should have been applied to this administrative group. | You need to be a member of the local Administrators group on the target computer. |
| Remove messages from queues | In Exchange 2000, you should be a member of the administrative group where the connector exists. The Exchange Administrator role should have been applied to this administrative group. | You need to be a member of the local Administrators group on the target computer. |

Topic Objective: To identify the permissions required for performing some administrative tasks.

Lead-in: Here are some examples of administrative tasks and the permissions required for them.

Note: When Exchange 2000 is installed, two groups are automatically created: Exchange Domain Servers and Exchange Enterprise Servers. These groups are specifically intended for use by Exchange 2000 only, and should not be used to give users or groups administrative privileges to Exchange 2000, because they have certain permissions that allow the servers to gain access to Exchange 2000 configuration and recipient information in Active Directory.


Lab A: Creating a Mail-enabled User Account

Objectives

After completing this lab, you will be able to:

- Create an organizational unit in Active Directory

- Create a user account and add it to the Domain Admins group

- Create a profile in Outlook 2000

To complete this lab, you need:

- To have Microsoft Exchange 2000 installed at D:\Program Files\Exchsrvr into an organization named Northwind Traders. Components installed are Microsoft Exchange Messaging and Collaboration Services, Microsoft Exchange System Management Tools, and Microsoft Exchange Instant Messaging Service.

- To identify the values for the variables listed in the following table.

| Variable | Value |
|---|---|
| your_domain | |
| your_servername | |
| your_firstname | |
| your_username | |

Topic Objective: To introduce the lab.

Lead-in: In this lab, you will create a mail-enabled user account.

Explain the lab objectives.

Estimated time to complete this lab: 30 minutes


Exercise 1

Creating an Organizational Unit in Active Directory

In this exercise, you will create an organizational unit named your_servernameOU.

Scenario

You want to minimize the number of objects that appear in the default users container by creating a new organizational unit.

1. Create an organizational unit


Exercise 2

Creating a User Account

In this exercise, you will create a new user account in Windows 2000 and add that account to the Domain Admins group.

Scenario

You have hired a new administrator in your Exchange 2000 IT department. This administrator needs an account with domain access permissions as well as a mailbox.

1. Create your user account in your_servernameOU. Assign a password of password. Configure the account so that the password never expires. Create an Exchange mailbox for the new account that resides on your server.

   a. In your_firstname Console, expand Active Directory Users and Computers.

   b. Expand your_domain.nwtraders.msft.

   c. Right-click your_servernameOU, point to New, and then click User.

   d. In the First name box, type your_firstname.

   e. In the Last name box, type your_lastname.

   f. In the User logon name box, type your_username. On the following line, write your_username:

   g. Click Next.

   h. In the Password and Confirm password boxes, type password.

   i. Select the Password never expires check box, and then click Next.

   j. Verify that the Create an Exchange mailbox box is selected, in the Server drop-down list select your_servername, and click Next.

   k. Verify that you are creating your Exchange mailbox on your_servername, and then click Finish.

2. Add your_username account to the Domain Admins group.

   a. In the console tree, select your_servernameOU.

   b. In the details pane, right-click your_username, and then click Properties.

   c. On the Member Of tab, click Add.

   d. Click the Name column header to sort the name field alphabetically by ascending or descending order.

   e. In the Name column, click Domain Admins, and then click Add.

   f. Click OK to close the Select Groups dialog box, and then click OK to close the your_username Properties dialog box.

   g. Close your_username Console.

   h. When prompted to save settings to your console, click Yes.

3. Log off the domain.

   a. Click Start, and then click Shut Down.

4. Log on to the domain as your_username.

   a. Press CTRL+ALT+DELETE.

   b. In the User name box, type your_username.

   c. In the Password box, type password and then click OK.


Exercise 3

Creating a Profile in Outlook 2000

In this exercise, you will create a profile in Outlook 2000 and then send an e-mail message to another student who appears in the global address list.

Scenario

Now that you have a new account, you need to configure Outlook 2000 to enable you to use Exchange 2000 to send messages.

1. Configure the Outlook client to use the Corporate or Workgroup configuration. Enter a CD Key of WHCDK-4KH43-RM9MP-9BVTX-FHY7D. Configure the profile to use your server as the Microsoft Exchange Server.

   a. On your desktop, double-click Microsoft Outlook.

   b. On the Outlook 2000 Startup page, click Next.

   c. On the E-mail Service Options page, select Corporate or Workgroup, and then click Next.

   d. Select the Microsoft Exchange server check box, and then click Next.

   e. In the Microsoft Exchange Server box, type your_servername.

   f. In the Mailbox box, type your_username.

2. Create and send a new e-mail message to everyone in your organization.

   a. Click New.

   b. Click To, select all users in the global address list, click To, and then click OK.

   c. In the Subject box, type My First Message.

   d. In the message body field, type a short message.

   e. Click Send.

   f. Verify that the e-mail message appears in your Inbox.

3. Exit and log off.

   a. On the File menu, click Exit and Log Off.


# Creating and Configuring Administrative Groups

- Administrative Group Design Considerations

- Creating Administrative Groups

- Securing Administrative Groups

You can simplify management of permissions by creating administrative groups. After creating an administrative group and setting its permissions, you can add objects to the group. These objects will inherit the permissions you have set for the group.

Date posted: 21/12/2013, 05:18
