Permissions on Objects in the Exchange Configuration Tree

Permissions on Objects in the Excha...

Collapse All

Topic Last Modified: 2006-03-29

Microsoft Exchange Container

cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account	A	I	Right	On Property/Applies To	Comments
During ForestPrep phase
Authenticated Users	X		List Contents Read All Properties	Not applicable	Allows DomainPrep to read Full Org Admins
Designated admin account	X	X	Full Control	Not applicable	Allows Full Org Admin to administer organization
During server install
Exchange Domain Servers	X	X	Read Permissions Read All Properties List Contents	Not applicable	Allows Exchange servers to read configuration information
During ADC setup
Exchange Services	X	X	Full Control	Not applicable	Allows ADC servers to create/delete objects to keep Exchange configuration up-to-date.

ADC Connection Agreement Container

cn=Active Directory Connections,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account	A	D	I	Right	On Property/Applies To	Comments
During server install
Exchange Domain Servers	X		X	Full Control	Not applicable	None

Organization Container

cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account	A	D	I	Right	On Property/Applies To	Comments
During ForestPrep phase
Authenticated Users	X			Read All Properties ACTRL_DS_LIST_OBJECT	Not applicable	Allows DomainPrep to read Full Org Admins.
Designated admin account		X	X	Send As	Not applicable	Exchange admins are not allowed to open mailboxes.
Designated admin account		X	X	Receive As	Not applicable	Exchange admins are not allowed to open mailboxes.
During server install
Enterprise Admins		X	X	Send As	Not applicable	Windows NT admins are not allowed to open mailboxes.
Enterprise Admins		X	X	Receive As	Not applicable	Windows NT admins are not allowed to open mailboxes.
Domain Admins of root domain		X	X	Send As	Not applicable	Windows NT admins are not allowed to open mailboxes.
Domain Admins of root domain		X	X	Receive As	Not applicable	Windows NT admins are not allowed to open mailboxes.
Everyone	X		X	Create top-level public folder	Not applicable	This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.
Everyone	X		X	Create public folder	Not applicable	None
Everyone	X		X	Create named properties in the information store	Not applicable	None
Everyone	X		X	Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT	Applies to object class: msExchPrivateMDB	None
Everyone	X		X	Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT	Applies to object class: msExchPublicMDB	None
Everyone*	X		X	Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT	Applies to object class: mTA	This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.
Anonymous Logon	X		X	Create top-level public folder	Not applicable	This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.
Anonymous Logon	X		X	Create public folder	Not applicable	In Microsoft Windows Server 2003™, "Everyone" no longer includes "Anonymous Logon," so these rights are granted explicitly.
Anonymous Logon	X		X	Create named properties in the information store	Not applicable	None
Anonymous Logon	X		X	Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT	Applies to object class: msExchPrivateMDB	None
Anonymous Logon	X		X	Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT	Applies to object class: msExchPublicMDB	None
Anonymous Logon	X		X	Read Permissions Read All Properties List Contents ACTRL_DS_LIST_OBJECT	Applies to object class: mTA	This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.
Exchange Domain Servers	X		X	All Extended Rights	Not applicable	None
Exchange Domain Servers	X		X	Create All Child Objects	Not applicable	None
Exchange Domain Servers	X		X	Write Property	Property Set: Public Information	Maintain mail-enabled configuration objects (for example, MAD).
Exchange Domain Servers	X		X	Write Property	Property Set: Personal Information	Maintain mail-enabled configuration objects (for example, MAD).
Exchange Domain Servers	X		X	Full Control	Applies to object class: siteAddressing	None
When enabling a Site Replication Service (ACE is removed when SRS is disabled.)
MACHINE$	X		X	Create All Child Objects Delete All Child Objects ACTRL_DS_LIST_OBJECT	Not applicable	SRS must be able to create/delete admin groups.

Address Lists Container

cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account	A	D	I	Right	On Property/Applies To	Comments
During server install
Authenticated Users	X		X	List Contents	Not applicable	None

Addressing Container

cn=Addressing,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account	A	D	I	Right	On Property/Applies To	Comments
During server install
Authenticated Users	X		X	List Contents Read All Properties Read Permissions	Not applicable	None

Recipient Update Services Container

cn=Recipient Update Services,cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration...

Account	A	D	I	Right	On Property/Applies To	Comments
During server install
Exchange Domain Servers	X		X	Full Control	Not applicable	None

Administrative Group

cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account	A	D	I	Right	On Property/Applies To	Comments
During server install (set on attribute msExchPFDefaultAdminACL)
Authenticated Users	X		X	Create public folder	Not applicable	None

Default Top Level Hierarchy

cn=Public Folders,cn=All Folder Hierarchies,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...

Account	A	D	I	Right	On Property/Applies To	Comments
During server install (set on attribute msExchPFDefaultAdminACL)
Authenticated Users	X		X	Create public folder	Not applicable	None

Connections Container

cn=Connections,cn=<routing group>,cn=Routing Groups,cn=<admin group>,cn=Administrative Groups,cn=<org>...

Account	A	D	I	Right	On Property/Applies To	Comments
During server install
Exchange Domain Servers	X		X	Full Control	Not applicable	None

Servers Container

cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...

Account	A	D	I	Right	On Property/Applies To	Comments
During server install, or during Exchange ForestPrep
Exchange Domain Servers		X	X	Receive As	Not applicable	No server needs to read mail except on its own MDBs.
During server install (ACEs defined in schema defaultSecurityDescriptor)
Authenticated Users	X			List Contents	Not applicable	None

Server Object

cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...

Account	A	D	I	Right	On Property/Applies To	Comments
During server install (if the server is not a cluster virtual machine)
MACHINE$	X		X	Full Control	Not applicable	Server must be able to maintain its configuration.
During server install (if the server is a cluster virtual machine)
NODE1$ NODE2$ etc...	X		X	Full Control	Not applicable	Every node in a cluster that owns a virtual machine (VM) must be able to maintain the VM configuration.
Exchange Domain Servers	X		X	Full Control	Not applicable	This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. VM must be able to maintain its own configuration, but Setup can't tell which specific server to grant control to.
During server install (ACEs defined in schema defaultSecurityDescriptor)
Authenticated Users	X			Read Properties	Not applicable	None
When EDSLOCK script is run; ACE is removed by Exchange ForestPrep
Exchange Domain Servers		X	X	Receive As	Not applicable	This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. No server needs to read mail except on its own MDBs.

Protocols Container

cn=Protocols,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...

Account	A	I	Right	On Property/Applies To	Comments
During server install
Everyone	X	X	List Contents	Not applicable	None
Everyone	X	X	Read metabase properties	Not applicable	None

System Attendant Object

cn=Microsoft System Attendant,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...

Account	A	I	Right	On Property/Applies To	Comments
During server install (set on attribute msExchMailboxSecurityDescriptor)
LocalSystem	X	X	Read Permissions fsdspermUserSendAs fsdspermUserMailboxOwner	Not applicable	None
Exchange Domain Servers	X	X	Read Permissions fsdspermUserSendAs fsdspermUserMailboxOwner	Not applicable	None
5.5 Service Account (if given)	X	X	Read Permissions fsdspermUserSendAs fsdspermUserMailboxOwner	Not applicable	None

MTA Object

cn=Microsoft MTA,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...

Account	A	I	Right	On Property/Applies To	Comments
During server install or when enabling an SRS
5.5 Service Account (if given)	X	X	Send As	Not applicable	Required to send/receive mail from servers running Exchange Server 5.5.
5.5 Service Account (if given)	X	X	Receive As	Not applicable	Required to send/receive mail from servers running Exchange Server 5.5.