Permissions on Objects in the Domain Naming Context
Domain Container
dc=<domain>
| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
During DomainPrep phase |
||||||
Exchange Enterprise Servers |
X |
X |
Write Property |
Property Set: Public Information |
Maintains mail-enabled user attributes. |
|
Exchange Enterprise Servers |
X |
X |
Write Property |
Property Set: Personal Information |
Maintains mail-enabled user attributes. |
|
Exchange Enterprise Servers |
X |
X |
Write Property |
On property:groupType |
None |
|
Exchange Enterprise Servers |
X |
X |
Write Property |
On property:displayName |
None |
|
Exchange Enterprise Servers |
X |
Manage Replication Topology |
Not applicable |
Allows Recipient Update Service to track replication changes. |
||
Exchange Enterprise Servers |
X |
X |
List Contents |
Not applicable |
Duplicates permissions granted to "Pre-Windows 2000 Compatible Access" group. |
|
Exchange Enterprise Servers |
X |
Read Permissions |
Not applicable |
None |
||
Exchange Enterprise Servers |
X |
X |
Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT |
Applies to object class:user |
None |
|
Exchange Enterprise Servers |
X |
X |
Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT |
Applies to object class:group |
None |
|
Exchange Enterprise Servers |
X |
X |
Modify Permissions |
Applies to object class:group |
Maintains ACLs for groups with hidden distribution list membership. |
|
During DomainPrep phase (if running against Windows Server 2003 schema) |
||||||
Exchange Enterprise Servers |
X |
X |
Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT |
Applies to object class:InetOrgPerson |
Same permissions required on InetOrgPersons as on Users. |
Domain Proxy Container
cn=Microsoft Exchange System Objects,dc=<domain>
| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
During DomainPrep phase |
||||||
Exchange Enterprise Servers |
X |
X |
Full Control |
Not applicable |
Adds/deletes/modifies proxy objects. |
|
Exchange Domain Servers |
X |
X |
Full Control |
Not applicable |
Adds/deletes/modifies proxy objects. |
|
Authenticated Users |
X |
X |
Read Permissions |
Not applicable |
Allows access to public folder (PF) objects. |
|
Authenticated Users |
X |
X |
Read Property |
garbageCollPeriod |
Allows access to PF objects. |
|
Authenticated Users |
X |
X |
Read Property |
adminDisplayName |
Allows access to PF objects. |
|
Authenticated Users |
X |
X |
Read Property |
modifyTimeStamp |
Allows access to PF objects. |
|
During DomainPrep (ACEs defined in schema defaultSecurityDescriptor) |
||||||
Authenticated Users |
X |
Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT |
Not applicable |
None |
||
Set by the Recipient Update Service |
||||||
All delegated org-level and admin-group level Full Admins |
X |
X |
Full Control |
Not applicable |
None |
|
All delegated org-level and admin-group level Admins |
X |
X |
Read Permissions List Contents All Validated Writes Read All Properties Write All Properties Create All Child Objects Delete All Child Objects |
Not applicable |
None |
|
All delegated org-level and admin-group level View-Only Admins |
X |
X |
Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT |
Not applicable |
None |
AdminSDHolder Container
cn=AdminSDHolder,cn=System,dc=<domain>
| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
During DomainPrep phase |
||||||
Exchange Enterprise Servers |
X |
X |
Read Property Write Property |
Property Set: Public Information |
This ACL is applied to users with domain admin rights. |
|
Exchange Enterprise Servers |
X |
X |
Read Property Write Property |
Property Set: Personal Information |
None |
|
Exchange Enterprise Servers |
X |
X |
Read Property Write Property |
On property:displayName |
None |
|
Exchange Enterprise Servers |
X |
X |
List Contents |
Not applicable |
None |
Pre-Windows 2000 Server Compatible Access Group
cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=<domain>
| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
During DomainPrep phase |
||||||
Exchange Enterprise Servers |
X |
X |
Write Property |
On property: member |
The Recipient Update Service must add all EDS groups to every domains' pre-Windows 2000 Server group. |
Exchange Enterprise Servers Group
cn=Exchange Enterprise Servers,cn=Users,dc=<domain>
| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
During DomainPrep phase |
||||||
All existing org-level Full Admins |
X |
Full Control |
Not applicable |
Admins running setup must be able to add/remove machine accounts from group. |
||
Exchange Enterprise Servers |
X |
Full Control |
Not applicable |
None |
||
Set by the Recipient Update Service |
||||||
All delegated org-level Full Admins |
X |
X |
Full Control |
Not applicable |
None |
Exchange Domain Servers Group
cn=Exchange Domain Servers,cn=Users,dc=<domain>
| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
During DomainPrep phase |
||||||
All existing org-level Full Admins |
X |
Full Control |
Not applicable |
Admins running setup must be able to add/remove machine accounts from group. |
||
Exchange Enterprise Servers |
X |
Full Control |
Not applicable |
None |
||
Set by the Recipient Update Service |
||||||
All delegated org-level Full Admins |
X |
X |
Full Control |
Not applicable |
None |