Export (0) Print
Expand All

Permissions on Objects in the Exchange Configuration Tree

 

Topic Last Modified: 2006-03-29

cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

 

Account A D I Right On Property/Applies To Comments

During ForestPrep phase

Authenticated Users

X

List Contents Read All Properties

Not applicable

Allows DomainPrep to read Full Org Admins

Designated admin account

X

X

Full Control

Not applicable

Allows Full Org Admin to administer organization

During server install

Exchange Domain Servers

X

X

Read Permissions Read All Properties List Contents

Not applicable

Allows Exchange servers to read configuration information

During ADC setup

Exchange Services

X

X

Full Control

Not applicable

Allows ADC servers to create/delete objects to keep Exchange configuration up-to-date.

cn=Active Directory Connections,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

 

Account A D I Right On Property/Applies To Comments

During server install

Exchange Domain Servers

X

X

Full Control

Not applicable

None

cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

 

Account A D I Right On Property/Applies To Comments

During ForestPrep phase

Authenticated Users

X

Read All Properties ACTRL_DS_LIST_OBJECT

Not applicable

Allows DomainPrep to read Full Org Admins.

Designated admin account

X

X

Send As

Not applicable

Exchange admins are not allowed to open mailboxes.

Designated admin account

X

X

Receive As

Not applicable

Exchange admins are not allowed to open mailboxes.

During server install

Enterprise Admins

X

X

Send As

Not applicable

Windows NT admins are not allowed to open mailboxes.

Enterprise Admins

X

X

Receive As

Not applicable

Windows NT admins are not allowed to open mailboxes.

Domain Admins of root domain

X

X

Send As

Not applicable

Windows NT admins are not allowed to open mailboxes.

Domain Admins of root domain

X

X

Receive As

Not applicable

Windows NT admins are not allowed to open mailboxes.

Everyone

X

X

Create top-level public folder

Not applicable

This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.

Everyone

X

X

Create public folder

Not applicable

None

Everyone

X

X

Create named properties in the information store

Not applicable

None

Everyone

X

X

Read Permissions

Read All Properties

List Contents ACTRL_DS_LIST_OBJECT

Applies to object class: msExchPrivateMDB

None

Everyone

X

X

Read Permissions

Read All Properties

List Contents ACTRL_DS_LIST_OBJECT

Applies to object class: msExchPublicMDB

None

Everyone*

X

X

Read Permissions

Read All Properties

List Contents ACTRL_DS_LIST_OBJECT

Applies to object class: mTA

This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.

Anonymous Logon

X

X

Create top-level public folder

Not applicable

This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.

Anonymous Logon

X

X

Create public folder

Not applicable

In Microsoft Windows Server 2003™, "Everyone" no longer includes "Anonymous Logon," so these rights are granted explicitly.

Anonymous Logon

X

X

Create named properties in the information store

Not applicable

None

Anonymous Logon

X

X

Read Permissions

Read All Properties

List Contents ACTRL_DS_LIST_OBJECT

Applies to object class: msExchPrivateMDB

None

Anonymous Logon

X

X

Read Permissions

Read All Properties

List Contents ACTRL_DS_LIST_OBJECT

Applies to object class: msExchPublicMDB

None

Anonymous Logon

X

X

Read Permissions

Read All Properties

List Contents ACTRL_DS_LIST_OBJECT

Applies to object class: mTA

This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.

Exchange Domain Servers

X

X

All Extended Rights

Not applicable

None

Exchange Domain Servers

X

X

Create All Child Objects

Not applicable

None

Exchange Domain Servers

X

X

Write Property

Property Set: Public Information

Maintain mail-enabled configuration objects (for example, MAD).

Exchange Domain Servers

X

X

Write Property

Property Set: Personal Information

Maintain mail-enabled configuration objects (for example, MAD).

Exchange Domain Servers

X

X

Full Control

Applies to object class: siteAddressing

None

When enabling a Site Replication Service (ACE is removed when SRS is disabled.)

MACHINE$

X

X

Create All Child Objects Delete All Child Objects ACTRL_DS_LIST_OBJECT

Not applicable

SRS must be able to create/delete admin groups.

cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

 

Account A D I Right On Property/Applies To Comments

During server install

Authenticated Users

X

X

List Contents

Not applicable

None

cn=Addressing,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

 

Account A D I Right On Property/Applies To Comments

During server install

Authenticated Users

X

X

List Contents Read All Properties Read Permissions

Not applicable

None

cn=Recipient Update Services,cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration...

 

Account A D I Right On Property/Applies To Comments

During server install

Exchange Domain Servers

X

X

Full Control

Not applicable

None

cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

 

Account A D I Right On Property/Applies To Comments

During server install (set on attribute msExchPFDefaultAdminACL)

Authenticated Users

X

X

Create public folder

Not applicable

None

cn=Public Folders,cn=All Folder Hierarchies,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...

 

Account A D I Right On Property/Applies To Comments

During server install (set on attribute msExchPFDefaultAdminACL)

Authenticated Users

X

X

Create public folder

Not applicable

None

cn=Connections,cn=<routing group>,cn=Routing Groups,cn=<admin group>,cn=Administrative Groups,cn=<org>...

 

Account A D I Right On Property/Applies To Comments

During server install

Exchange Domain Servers

X

X

Full Control

Not applicable

None

cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...

 

Account A D I Right On Property/Applies To Comments

During server install, or during Exchange ForestPrep

Exchange Domain Servers

X

X

Receive As

Not applicable

No server needs to read mail except on its own MDBs.

During server install (ACEs defined in schema defaultSecurityDescriptor)

Authenticated Users

X

List Contents

Not applicable

None

cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...

 

Account A D I Right On Property/Applies To Comments

During server install (if the server is not a cluster virtual machine)

MACHINE$

X

X

Full Control

Not applicable

Server must be able to maintain its configuration.

During server install (if the server is a cluster virtual machine)

NODE1$ NODE2$ etc...

X

X

Full Control

Not applicable

Every node in a cluster that owns a virtual machine (VM) must be able to maintain the VM configuration.

Exchange Domain Servers

X

X

Full Control

Not applicable

This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.

VM must be able to maintain its own configuration, but Setup can't tell which specific server to grant control to.

During server install (ACEs defined in schema defaultSecurityDescriptor)

Authenticated Users

X

Read Properties

Not applicable

None

When EDSLOCK script is run; ACE is removed by Exchange ForestPrep

Exchange Domain Servers

X

X

Receive As

Not applicable

This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model.

No server needs to read mail except on its own MDBs.

cn=Protocols,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...

 

Account A D I Right On Property/Applies To Comments

During server install

Everyone

X

X

List Contents

Not applicable

None

Everyone

X

X

Read metabase properties

Not applicable

None

cn=Microsoft System Attendant,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...

 

Account A D I Right On Property/Applies To Comments

During server install (set on attribute msExchMailboxSecurityDescriptor)

LocalSystem

X

X

Read Permissions fsdspermUserSendAs fsdspermUserMailboxOwner

Not applicable

None

Exchange Domain Servers

X

X

Read Permissions fsdspermUserSendAs fsdspermUserMailboxOwner

Not applicable

None

5.5 Service Account (if given)

X

X

Read Permissions fsdspermUserSendAs fsdspermUserMailboxOwner

Not applicable

None

cn=Microsoft MTA,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...

 

Account A D I Right On Property/Applies To Comments

During server install or when enabling an SRS

5.5 Service Account (if given)

X

X

Send As

Not applicable

Required to send/receive mail from servers running Exchange Server 5.5.

5.5 Service Account (if given)

X

X

Receive As

Not applicable

Required to send/receive mail from servers running Exchange Server 5.5.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft