Export (0) Print
Expand All

Permissions Available in Exchange

 

Topic Last Modified: 2005-05-18

The following sections list the different permissions that are available in Microsoft® Exchange. For more detailed information about most of these permissions (such as their hexadecimal, access-mask values), see the Exchange Server 2003 TechCenter, or the Microsoft Windows® 2000 or Active Directory® directory service documentation in the Microsoft Platform SDK.

Exchange uses special permissions internally to govern access to mailboxes, in conjunction with the preliminary checks that it performs. Exchange does not use these permissions for security descriptors. The following table lists these mailbox-specific permissions.

Mailbox-specific permissions

Exchange permissions Member permissions or Windows equivalents

fsdpermUserDeleteMailbox

DELETE

fsdpermUserMailboxOwner

 

fsdpermUserSendAs

 

fsdpermUserPrimaryUser

(Used in conjunction with the Master Account SID in Active Directory)

sdpermUserGenericRead

STANDARD_RIGHTS_READ

sdpermUserGenericExecute

STANDARD_RIGHTS_EXECUTE

sdpermUserGenericWrite

STANDARD_RIGHTS_WRITE

fsdpermUserDeleteMailbox

sdpermUserGenericAll

STANDARD_RIGHTS_ALL

FsdpermUserMailboxOwner

FsdpermUserSendAs

fsdpermUserPrimaryUser

The following tables list the permissions that are used in the Microsoft Windows NT® security descriptor. For more information about these permissions, see the "Security" topic in the "Key Tasks" section of the Microsoft Exchange Software Development Kit (SDK).

The permissions used in the Windows NT security descriptor of a folder are the same whether the folder resides in a mailbox or in a public folder hierarchy. The following tables list these permissions (the permissions listed in the "Standard Windows permissions used in folder security descriptors" table are available on objects throughout Windows 2000).

In the following table, an asterisk (*) denotes an Exchange-specific permission.

Folder permissions

Display name Permission Description

List contents

fsdrightListContents

Same as FILE_LIST_DIRECTORY. Trustee can list file contents.

Create item

fsdrightCreateItem

Same as FILE_ADD_FILE. Trustee can add a file to a folder.

Create container

fsdrightCreateContainer

Same as FILE_ADD_SUBDIRECTORY. Trustee can add a subfolder.

Read property

fsdrightReadProperty

Same as FILE_READ_EA.

Write property

fsdrightWriteProperty

Same as FILE_WRITE_EA.

Read attributes

fsdrightReadAttributes

Same as FILE_READ_ATTRIBUTES. Reserved for future use.

Write attributes

fsdrightWriteAttributes

Same as FILE_WRITE_ATTRIBUTES. Reserved for future use.

Write own property

fsdrightWriteOwnProperty*

The trustee can modify his or her own items.

Delete own item

fsdrightDeleteOwnItem

The trustee can delete his or her own items.

View item

fsdrightViewItem*

The trustee can view items.

Owner

fsdrightOwner*

The trustee is the owner of the folder. This right corresponds to the frightsOwner right in previous versions of Exchange and is provided for backward compatibility.

Contact

fsdrightContact*

Not used for security. Identifies the user as the contact for the folder. This right corresponds to the frightsContact right in previous versions of Exchange and is provided for backward compatibility.

-

fsdrightReserved1

Same as FILE_DELETE_CHILD. Currently unused.

noteNote:
The permissions fsdrightReadProperty and fsdrightReadAttributes are related and are always granted or denied together. Similarly, fsdrightWriteProperty and fsdrightWriteAttributes are always granted or denied together.

Standard Windows permissions used in folder security descriptors

Display name Permission Member permission or Windows equivalent

Delete

fsdrightDelete

DELETE

Read permissions

fsdrightReadControl

READ_CONTROL

Change permissions

fsdrightWriteSD

WRITE_DAC

Take ownership

fsdrightWriteOwner

WRITE_OWNER

Synchronize

fsdrightSynchronize

SYNCHRONIZE

-

sdrightsFolderOwner

fsdrightWriteProperty

fsdrightOwner

fsdrightWriteSD

fsdrightDelete

fsdrightWriteOwner

fsdrightWriteAttributes

The tables in this section list the message permissions.

Message permissions

Display name Permission Member permission or Windows equivalent

Read body

fsdrightReadBody

Only on messages, same as FILE_READ_DATA.

Write body

fsdrightWriteBody

Only on messages, same as FILE_WRITE_DATA.

Append message

fsdrightAppendMsg

Only on messages, same as FILE_WRITE_DATA. Enforced by IFS.

Read property

fsdrightReadProperty

Same as FILE_READ_EA.

Write property

fsdrightWriteProperty

Same as FILE_WRITE_EA.

Execute

fsdrightExecute

Same as FILE_EXECUTE/FILE_TRAVERSE. Enforced by IFS.

Read attributes

fsdrightReadAttributes

Same as FILE_READ_ATTRIBUTES. Currently unused.

Write attributes

fsdrightWriteAttributes

Same as FILE_WRITE_ATTRIBUTES. Currently unused.

Write own property

fsdrightWriteOwnProperty

Only on messages.

Delete own item

fsdrightDeleteOwnItem

Only on messages.

View item

fsdrightViewItem

 

noteNote:
The permissions fsdrightReadProperty, fsdrightReadAttributes, and fsdrightReadBody are related and are always granted or denied together. Similarly, fsdrightWriteProperty, fsdrightWriteAttributes, and fsdrightWriteBody are always granted or denied together.
noteNote:
The permissions listed in the following two tables do not appear in the user interface. However, they can be used in custom applications.

Standard Windows permissions used in message security descriptors

Display name Permission Member permission or Windows equivalent

Delete

fsdrightDelete

DELETE

Read permissions

fsdrightReadControl

READ_CONTROL

Change permissions

fsdrightWriteSD

WRITE_DAC

Take ownership

fsdrightWriteOwner

WRITE_OWNER

Synchronize

fsdrightSynchronize

SYNCHRONIZE

noteNote:
In the following table, access rights that belong to the sdrightsIgnored permission are ignored in the determination of an Exchange Canonical ACL. Because the Exchange store ignores these rights, their presence or absence doesn't make an ACL canonical.

Groups of message permissions

Permission Member permission or Windows equivalent

sdrightsNone

 

sdrightsBestAccess

MAXIMUM_ALLOWED

sdrightsReadOnly

GENERIC_READ

sdrightsReadWrite

GENERIC_READ

GENERIC_WRITE

sdrightsGenericRead

fsdrightReadControl

fsdrightReadBody

fsdrightReadAttributes

fsdrightReadProperty

fsdrightViewItem

fsdrightSynchronize

sdrightsGenericWrite

fsdrightReadControl

fsdrightWriteBody

fsdrightWriteAttributes

fsdrightWriteProperty

fsdrightAppendMsg

fsdrightCreateItem

fsdrightDelete

fsdrightCreateContainer

fsdrightOwner

fsdrightSynchronize

fsdrightWriteSD

fsdrightWriteOwner

sdrightsGenericExecute

fsdrightReadControl

fsdrightReadAttributes

fsdrightExecute

fsdrightViewItem

fsdrightSynchronize

sdrightsGenericAll

fsdrightDelete

fsdrightReadProperty

fsdrightWriteProperty

fsdrightCreateItem

fsdrightCreateContainer

fsdrightReadControl

fsdrightWriteSD

fsdrightWriteOwner

fsdrightReadControl

fsdrightViewItem

fsdrightOwner

fsdrightWriteOwnProperty

fsdrightDeleteOwnItem

fsdrightSynchronize

fsdrightExecute

fsdrightReserved1

fsdrightReadAttributes

fsdrightWriteAttributes

fsdrightReadBody

fsdrightWriteBody

fsdrightSynchronize

fsdrightContact

sdrightsIgnored

fsdrightExecute

fsdrightAppendMsg

fsdrightContact

fsdrightReserved1

Backward-compatible message permissions

Permission Member permissions

msgrightsGenericRead

sdrightsGenericRead

sdrightsItems

msgrightsGenericWrite

sdrightsGenericWrite

sdrightsItems

msgrightsGenericExecute

sdrightsGenericExecute

sdrightsItems

msgrightsGenericAll

sdrightsGenericAll

sdrightsItems

fldrightsGenericRead

sdrightsGenericRead

sdrightsFolders

fldrightsGenericWrite

sdrightsGenericWrite

sdrightsFolders

fldrightsGenericExecute

sdrightsGenericExecute

sdrightsFolders

fldrightsGenericAll

sdrightsGenericAll

sdrightsFolders

Exchange provides an additional control value, EXCHANGE_RM_SET_EXPLICIT_SD, which can be set in the control field of a security descriptor. An administrator can then set the security descriptor of the object explicitly. For more information about setting EXCHANGE_RM_SET_EXPLICIT_SD, see the Windows XP API documentation.

In addition to standard Windows 2000 permissions, Exchange defines a set of extended permissions that pertain specifically to Exchange functions. The following table lists these permissions.

noteNote:
The permissions Create public folder, Create top-level public folder, and Create named properties in the information store can apply to both administrative and non-administrative users.

Extended permissions defined and used by Exchange

Display name Common name (cn)

Add PF to admin group

ms-Exch-Add-PF-To-Admin-Group

Exchange administrator

ms-Exch-Admin-Role-Administrator

Exchange full administrator

ms-Exch-Admin-Role-Full-Administrator

Exchange public folder read-only administrator

ms-Exch-Admin-Role-Read-Only-Administrator

Exchange public folder service

ms-Exch-Admin-Role-Service

Create public folder

ms-Exch-Create-Public-Folder

Create top level public folder

ms-Exch-Create-Top-Level-Public-Folder

Mail-enable public folder

ms-Exch-Mail-Enabled-Public-Folder

Modify public folder ACL

ms-Exch-Modify-PF-ACL

Modify public folder admin ACL

ms-Exch-Modify-PF-Admin-ACL

Modify public folder deleted item retention

ms-Exch-Modify-Public-Folder-Deleted-Item-Retention

Modify public folder expiry

ms-Exch-Modify-Public-Folder-Expiry

Modify public folder quotas

ms-Exch-Modify-Public-Folder-Quotas

Modify public folder replica list

ms-Exch-Modify-Public-Folder-Replica-List

Open mail send queue

ms-Exch-Open-Send-Queue

Read metabase properties

ms-Exch-Read-Metabase-Properties

Remove PF from admin group

ms-Exch-Remove-PF-From-Admin-Group

Administer information store

ms-Exch-Store-Admin

Create named properties in the information store

ms-Exch-Store-Create-Named-Properties

View information store status

ms-Exch-Store-Visible

Send-As

Send-As

Receive-As

Receive-As

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft