Permissions Granted During Exchange Setup


Each permissions table begins with the distinguished name of the object it applies to. Then, the table lists when the right is applied: for example, during the ForestPrep phase while installing a server.

In some cases, the access control list (ACL) is not applied on the usual property (ntSecurityDescriptor), but on some other property—for example, "msExchMailboxSecurityDescriptor". The directory service cannot enforce security that is not specified in the Microsoft® Windows® NT security descriptor; in most cases, these ACLs will be replicated to store ACLs on appropriate objects by the store service. There is, unfortunately, no tool for viewing these ACLs as anything other than raw binary data.

The columns of a permissions table are as follows:

  • Account   The security principal granted or denied the permissions.

  • A   Checked if this is an allow access control entry (ACE).

  • D   Checked if this is a deny ACE. Allow and Deny are mutually exclusive.

  • I   Checked if this ACE inherits to child objects.

  • Right   The access right that is allowed or denied, named as on the ADSIEdit Security property page (Advanced view, View/Edit tab).

  • On Property/Applies To   In some cases, the permission applies only to a given property, property set, or object class. If so, that is specified here.

  • Comments   The reason this permission is required, or other information about the permission.

The permissions that are removed by Microsoft Exchange Server 2003 Setup are indicated by a double strike-through font (for example, double strike-through). These are permissions that were set in Exchange 2000 Server, but they have since been deprecated from the security model.

The permissions are generally listed in the table by the names used on the ADSIEdit Security property page, in the Advanced view, on the View/Edit tab. The ADSIEdit Security property page lists a much more condensed view of the rights. The LDP tool (Ldp.exe) displays the access mask directly, as a numerical value. The setup code refers to the rights by predefined constants.

The following table summarizes the relationships between these values.

Relationships between values

| ADSIEdit Summary page | ADSIEdit Advanced page, View/Edit tab | #define | Binary value ("Mask" in LDP) |
|---|---|---|---|
| Full Control | Full Control | WRITE_OWNER \| WRITE_DAC \| READ_CONTROL \| DELETE \| ACTRL_DS_CONTROL_ACCESS \| ACTRL_DS_LIST_OBJECT \| ACTRL_DS_DELETE_TREE \| ACTRL_DS_WRITE_PROP \| ACTRL_DS_READ_PROP \| ACTRL_DS_SELF \| ACTRL_DS_LIST \| ACTRL_DS_DELETE_CHILD \| ACTRL_DS_CREATE_CHILD | 0x000F01FF |
| Read | List Contents + Read All Properties + Read Permissions | ACTRL_DS_LIST \| ACTRL_DS_READ_PROP \| READ_CONTROL | 0x00020014 |
| Write | Write All Properties + All Validated Writes | ACTRL_DS_WRITE_PROP \| ACTRL_DS_SELF | 0x00000028 |
| | List Contents | ACTRL_DS_LIST | 0x00000004 |
| | Read All Properties | ACTRL_DS_READ_PROP | 0x00000010 |
| | Write All Properties | ACTRL_DS_WRITE_PROP | 0x00000020 |
| | Delete | DELETE | 0x00010000 |
| | Delete Subtree | ACTRL_DS_DELETE_TREE | 0x00000040 |
| | Read Permissions | READ_CONTROL | 0x00020000 |
| | Modify Permissions | WRITE_DAC | 0x00040000 |
| | Modify Owner | WRITE_OWNER | 0x00080000 |
| | All Validated Writes | ACTRL_DS_SELF | 0x00000008 |
| | All Extended Rights | ACTRL_DS_CONTROL_ACCESS | 0x00000100 |
| Create All Child Objects | Create All Child Objects | ACTRL_DS_CREATE_CHILD | 0x00000001 |
| Delete All Child Objects | Delete All Child Objects | ACTRL_DS_DELETE_CHILD | 0x00000002 |
| | | ACTRL_DS_LIST_OBJECT | 0x00000080 |
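The table above is the mapping a reviewer needs when comparing what Ldp.exe shows (a raw mask) with what ADSIEdit shows (named rights) and what the permissions tables in this document list (the ACE columns Account, A, D, I, Right). The following script is an added example, not part of the Microsoft documentation or the Exchange Setup code: it encodes the bit values from the table, converts between the three notations, and renders a single ACE in the column layout used by the permissions tables. The account name in the sample run is a constructed placeholder, and any bit not in the table is reported as unknown rather than silently dropped, which is the behaviour an auditor wants when a mask contains generic or object-specific bits this table does not cover.

```python
"""Convert AD access masks (the "Mask" shown by Ldp.exe) to and from the
#define names and ADSIEdit labels from the table above."""

# (#define name, bit value, ADSIEdit Advanced page label), taken from the table.
# ACTRL_DS_LIST_OBJECT has no ADSIEdit label in the table, hence None.
RIGHTS = [
    ("ACTRL_DS_CREATE_CHILD",   0x00000001, "Create All Child Objects"),
    ("ACTRL_DS_DELETE_CHILD",   0x00000002, "Delete All Child Objects"),
    ("ACTRL_DS_LIST",           0x00000004, "List Contents"),
    ("ACTRL_DS_SELF",           0x00000008, "All Validated Writes"),
    ("ACTRL_DS_READ_PROP",      0x00000010, "Read All Properties"),
    ("ACTRL_DS_WRITE_PROP",     0x00000020, "Write All Properties"),
    ("ACTRL_DS_DELETE_TREE",    0x00000040, "Delete Subtree"),
    ("ACTRL_DS_LIST_OBJECT",    0x00000080, None),
    ("ACTRL_DS_CONTROL_ACCESS", 0x00000100, "All Extended Rights"),
    ("DELETE",                  0x00010000, "Delete"),
    ("READ_CONTROL",            0x00020000, "Read Permissions"),
    ("WRITE_DAC",               0x00040000, "Modify Permissions"),
    ("WRITE_OWNER",             0x00080000, "Modify Owner"),
]

# Condensed entries on the ADSIEdit Summary page, as unions of the bits above.
SUMMARY = {
    "Full Control":             0x000F01FF,
    "Read":                     0x00020014,
    "Write":                    0x00000028,
    "Create All Child Objects": 0x00000001,
    "Delete All Child Objects": 0x00000002,
}

KNOWN_BITS = 0
for _name, _bit, _label in RIGHTS:
    KNOWN_BITS |= _bit


def mask_from_defines(expr):
    """Turn a #define expression such as 'ACTRL_DS_LIST | READ_CONTROL' into its mask."""
    by_name = {name: bit for name, bit, _ in RIGHTS}
    mask = 0
    for token in expr.split("|"):
        name = token.strip()
        if name not in by_name:
            raise ValueError("unknown right: %s" % name)
        mask |= by_name[name]
    return mask


def decode_mask(mask):
    """#define names for every set bit, lowest bit first. Bits outside the table
    are returned as UNKNOWN_0x... so an audit does not lose them."""
    names = [name for name, bit, _ in RIGHTS if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append("UNKNOWN_0x%08X" % leftover)
    return names


def advanced_names(mask):
    """ADSIEdit Advanced page (View/Edit tab) labels for the set bits that have one."""
    return [label for _, bit, label in RIGHTS if mask & bit and label]


def summary_names(mask):
    """Summary-page entries whose full bit set is contained in the mask, largest union first,
    so a Full Control mask lists 'Full Control' before the 'Read' and 'Write' it also contains."""
    ordered = sorted(SUMMARY.items(), key=lambda kv: bin(kv[1]).count("1"), reverse=True)
    return [name for name, bits in ordered if mask & bits == bits]


def right_label(mask):
    """Text for the 'Right' column: the Summary name on an exact match, otherwise the
    Advanced labels (falling back to the #define name where the table has no label)."""
    for name, bits in SUMMARY.items():
        if mask == bits:
            return name
    parts = [label or name for name, bit, label in RIGHTS if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        parts.append("UNKNOWN_0x%08X" % leftover)
    return " + ".join(parts)


def describe_ace(account, allow, inherit, mask, applies_to=""):
    """Render one ACE in the columns used by the permissions tables in this document.
    Allow and Deny are mutually exclusive, so exactly one of A and D is checked."""
    return {
        "Account": account,
        "A": "x" if allow else "",
        "D": "" if allow else "x",
        "I": "x" if inherit else "",
        "Right": right_label(mask),
        "On Property/Applies To": applies_to,
    }


if __name__ == "__main__":
    # Sample run on a constructed ACE; the account name is a placeholder, not from the page.
    ace = describe_ace("EXAMPLE\\Sample Servers Group", True, True, 0x00020014)
    print("Ldp mask 0x%08X -> %s" % (0x00020014, " | ".join(decode_mask(0x00020014))))
    print("ADSIEdit summary -> %s" % summary_names(0x00020014))
    print(ace)
```

Run the script directly for the sample ACE, or import it and feed it mask values copied from Ldp.exe; `decode_mask` and `right_label` are the two functions to call when checking a live ACL against a permissions table.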

Extended rights are custom rights specified by individual applications. They are specified in the ACL, but they are meaningless to the directory service; the particular application enforces any extended rights. Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."