What is Enterprise admin, domain admin, schema admin? What is the difference between this 3. Suppose i add New ISA server to domain controler as member server and i want to create one user id for ISA Server administrator (He should administrate ISA server not domain) so shall i add my user to any of this 3 admins. Bcoz one of my friend told me in exchange server if ur giving administrative rights administrate exchangeto exchange admin u should add that user as member of enterprise admin, domain admin, schema admin. So this rule is only for exchange server or its applicable for all member servers. Explain me detilly about this. Thankx in advance.

Hi, Enterprise Admin and Domain Admin have different permission scope. The Enterprise Admin has full permission of the entire Forest. The Domain Admin only has permission of domain. Schema Admin is a special Admin Group. Only the members of Schema Admin group have permission to modify the Forest Schema partition. Note: For further information, you can use Adsiedit tool to check the detailed permission different of the three Security Groups. Regarding the Adsiedit tool: http://technet2.microsoft.com/WindowsServer/en/Library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx Regarding Exchange 2003 Permission , it have three Roles: Exchange View Only Administrator (Read only access to the object and their properties) Exchange Administrator (Read/Write access to the objects and their properties) Exchange Full Administrator (Same as Administrator Role plus ability to delegate permissions to other Users and Groups) Actually, you can also view the Exchange permission setting from AD by using Adsiedit: 1. Run Adsiedit and navigate to following object container Configuration->Services->Microsoft Exchange Note: The object container the configuration setting of Exchange. 2. View the Security Tab of Microsoft Exchange Object Container. For example, if you have delegated the Exchange View Only Administrator permission to a user for the entire organization. The User only has Read permission of the Object Container. Note: If you view the permission of Schema Partition by using Adsiedit, you should notice that only Schema Admins group has change permission. For further information regarding Exchange and AD Permission, please refer to the following article: http://technet.microsoft.com/en-us/library/bb124053(EXCHG.65).aspx Regarding ISA permission, you can refer to the following article: ISA 2006: http://technet.microsoft.com/en-us/library/bb794769(TechNet.10).aspx ISA 2004: http://www.microsoft.com/technet/isa/2004/help/FW_C_AdminRole.mspx?mfr=true Mike