Product Reviews

Taming Exchange Security

Configuring permissions with ESRA 2.0.

While I am by no means an expert on Microsoft Exchange Server, I do administer a few Exchange servers for local organizations. One of the things I’ve noticed is that managing mailbox and public folder permissions can be a royal pain. C2C’s Exchange Security Risk Auditor 2.0 attempts to simplify Exchange security for you.

ESRA 2.0 provides the ability to set up complex permissions. For example, if you want to grant an Administrative Assistant Reviewer permission to all of the calendars for the people in the Marketing department, ESRA can do it.

C2C’s Web site lists “simple and intuitive interface” among the product’s features. It’s easy to understand, if that’s what they mean, but I don’t think this is going to win any design awards anytime soon. ESRA appears as an MMC snap-in, so any Exchange administrator should be familiar with that part. The second level of the snap-in includes two nodes: “Public folder search” and “Mailbox search.” Beyond that, each node includes five child nodes: “Where to search,” “What to search for,” “Folder searching filter,” “What changes to make,” and “[Public folder/Mailbox] search results." The “What to search for” node contains three more child nodes for the Mailbox search. Each node must be configured separately. That’s a lot of clicking for our carpal-tunnel-plagued world and keyboard shortcuts are few or non-existent in this product.

Exchange administrators are used to a multiple-tabbed properties dialog box for configuring users, and just about everything else in Exchange. This interface could be vastly improved by sticking with that standard. I want to just click on the search type node (public folder or mailbox) to display the results. I’m okay with having to right-click to run the query and configure it, but this really only needs one configuration dialog.

I'd also like to see the ability to save my settings (such as the Administrative Assistant example), and run these pre-defined searches later on. Better yet, I’d like to schedule queries and tasks to run without me having to even think about it.

Reporting could also be better. Right now, you’re limited to exporting the query results via the MMC 1.2 (or newer) “Export list” functionality.

ESRA does include a couple of other features worth mentioning. First, the mailbox search will display Send On Behalf Of (SOBO) permissions, though I don’t see that the tool will allow you to set or change them.

The one extremely useful feature is the ability to identify and remove Zombies (i.e., those permissions that no longer resolve to a valid account because someone deleted the user and forgot to tell you about it). Just identifying those in a large enterprise can be a full time job.

ESRA 2.0
The ESRA 2.0 Microsoft Management Console interface

So, while I don’t like the interface, ESRA has the potential to save you a lot of headache in administering permissions in your Exchange organization. Overall, however, I think if you have a skilled VBScript developer in-house, you may be able to build ASP pages that provide you with repeatable tasks, more palatable reporting, and a more robust interface, at a comparable cost.

About the Author

Joe Crawford, MCSE, works as a support engineer for HP, supporting Microsoft networking technologies. He specializes in Microsoft Systems Management Server and scripting.


  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.