Export (0) Print
Expand All
1 out of 2 rated this helpful - Rate this topic

Exchange 2013 Deployment Permissions Reference

 

Applies to: Exchange Server 2013

Topic Last Modified: 2013-08-05

This topic describes the permissions that are required to set up a Microsoft Exchange Server 2013 organization. The universal security groups (USGs) that are associated with management role groups, and other Windows security groups and security principals, are added to the access control lists (ACLs) of various Active Directory objects. ACLs control what operations can be performed on each object. By understanding what permissions are granted to each role group, security group, or security principal, you can determine what minimum permissions are required to install Exchange 2013.

In some cases, the ACL isn't applied on the usual property, ntSecurityDescriptor, but on another property, such as msExchMailboxSecurityDescriptor. The directory service can't enforce security that isn't specified in the Windows security descriptor. In most cases, these ACLs are replicated to store ACLs on appropriate objects by the store service. Unfortunately, there is no tool to view these ACLs as anything other than raw binary data.

The columns of each permissions table include the following information:

  • Account   The security principal granted or denied the permissions.
  • ACE type   Access control entry (ACE) type
    • Allow ACE   An allow ACE allows the user or group associated with the ACE to access an item.
    • Deny ACE   A deny ACE prevents the user or group associated with the ACE from accessing an item.
  • Inheritance   The type of inheritance used for child objects.
    • All indicates that the permissions apply to the object and all sub-objects.
    • Desc indicates the permissions apply to the object class listed in the On Property/Applies To row.
    • None indicates those permissions only apply the object.
  • Permissions   The permissions granted to the account.
  • On Property/Applies To   In some cases, permissions apply only to a given property, property set, or object class. These limited permissions are specified here.
  • Comments   When applicable, this column explains why the permissions are required or provides other information about the permissions.

The permissions are generally listed in the table by the names that are used on the Active Directory Service Interfaces (ADSI) Edit (AdsiEdit.msc) Security property page in the Advanced view on the View/Edit tab. The ADSI Edit Security property page lists a much more condensed view of the permissions. The LDP tool (Ldp.exe) displays the access mask directly as a numeric value. The setup code refers to the permissions by predefined constants.

The following table shows the relationships between these values.

 

ADSI Edit Summary page ADSI Edit Advanced view, View/Edit tab ACL entries applied to a given object Binary value (access mask in LDP)

Full Control

Full Control

WRITE_OWNER | WRITE_DAC | READ_CONTROL | DELETE | ACTRL_DS_CONTROL_ACCESS | ACTRL_DS_LIST_OBJECT | ACTRL_DS_DELETE_TREE | ACTRL_DS_WRITE_PROP | ACTRL_DS_READ_PROP | ACTRL_DS_SELF | ACTRL_DS_LIST | ACTRL_DS_DELETE_CHILD | ACTRL_DS_CREATE_CHILD

0x000F01FF

Read

List Contents + Read All Properties + Read Permissions

ACTRL_DS_LIST | ACTRL_DS_READ_PROP | READ_CONTROL

0x00020014

Write

Write All Properties + All Validated Writes

ACTRL_DS_WRITE_PROP | ACTRL_DS_SELF

0x00000028

 

List Contents

ACTRL_DS_LIST

0x00000004

 

Read All Properties

ACTRL_DS_READ_PROP

0x00000010

 

Write All Properties

ACTRL_DS_WRITE_PROP

0x00000020

 

Delete

DELETE

0x00010000

 

Delete Subtree

ACTRL_DS_DELETE_TREE

0x00000040

 

Read Permissions

READ_CONTROL

0x00020000

 

Modify Permissions

WRITE_DAC

0x00040000

 

Modify Owner

WRITE_OWNER

0x00080000

 

All Validated Writes

ACTRL_DS_SELF

0x00000008

 

All Extended Rights

ACTRL_DS_CONTROL_ACCESS

0x00000100

Create All Child Objects

Create All Child Objects

ACTRL_DS_CREATE_CHILD

0x00000001

Delete All Child Objects

Delete All Child Objects

ACTRL_DS_DELETE_CHILD

0x00000002

 

 

ACTRL_DS_LIST_OBJECT

0x00000080

Extended rights are custom rights specified by individual applications. They are specified in the ACL. However, they are meaningless to Active Directory. The specific application enforces any extended rights. Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."

For information about permissions that are set during a Microsoft Exchange Server 2010 installation, see Exchange 2010 Deployment Permissions Reference.

The permissions tables in this section show the permissions set when you execute the Setup /PrepareAD command.

noteNote:
The permissions described in this section are the default permissions that are configured when you deploy Exchange 2013 using the shared permissions model. If you've deployed Exchange 2013 using the Active Directory split permissions model, the default permission are different. For more information on the changes to the default permissions when using Active Directory split permissions and the shared and split permissions models in general, see Active Directory split permissions in Understanding Split Permissions. If you don't choose to use Active Directory split permissions when you install Exchange, Exchange will use shared permissions.

The following table shows the permissions that are set on the Microsoft Exchange container within the configuration partition.

Distinguished name of the object: CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Installation Account

Allow ACE

All

Full Control

 

This is the account that is used to run /PrepareAD.

Organization Management

Allow ACE

All

Full Control

 

 

Exchange Trusted Subsystem

Allow ACE

All

Full Control

 

 

Exchange Servers

Allow ACE

All

Read

 

 

Authenticated Users

Allow ACE

None

Read Property

List Contents

 

 

Exchange Trusted Subsystem

Allow ACE

All

Modify Permissions

msExchSmtpRceiveConnector

 

Public Folder Management

Allow ACE

All

Read

List Object

 

 

Delegated Setup

Allow ACE

All

Read

List Object

 

 

The following table shows the permissions set on the Microsoft Exchange Autodiscover container within the configuration partition.

Distinguished name of the object: CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to

Exchange Servers

Allow ACE

All

Read

 

The permissions tables in this section show the permissions set on the Microsoft Exchange Organization and sub-containers within the configuration partition.

Distinguished name of the object: CN=<organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>

Account(s) ACE type Inheritance Permissions On property/ Applies to Comments

Enterprise Admins

Root Domain Admins

Installation Account

Organization Management

Deny ACE

All

Send As

Receive As

 

Windows administrators aren't allowed to open mailboxes.

Enterprise Admins

Schema Admins

Root Domain Admins

Installation Account

Organization Management

Deny ACE

All

Exchange Web Services Impersonation

Exchange Web Services Token Serialization

 

Extended right

Enterprise Admins

Schema Admins

Root Domain Admins

Installation Account

Deny ACE

All

Store Transport Access

Store Constrained Delegation

Store Read Access

Store Read Write Access

 

 

Local System

Allow

All

All Extended Rights

 

 

Authenticated Users

Deny ACE

Desc

Read Property

msExchAvailabilityUserPassword / msExchAvailabilityAddressSpace

 

Authenticated Users

Allow

None

Read

 

 

Organization Management

Allow ACE

All

Read Permissions

List Contents

Read Property

List Object

 

 

Public Folder Management

Allow ACE

All

Read Permissions

List Contents

Read Property

List Object

 

 

NT Authority\Network Service

Allow ACE

All

Read

 

 

Managed Availability Servers

Allow ACE

All

Read Permissions

List Contents

Read Property

List Object

 

 

Exchange Servers

Allow ACE

All

All Extended Rights

 

 

Exchange Servers

Allow ACE

All

Write Property

groupType

 

Exchange Servers

Allow ACE

All

Write Property

msExchOwningServer

 

Exchange Servers

Allow ACE

All

Write Property

msExchMailboxSecurityDescriptor

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMServerWritableFlags

 

Exchange Servers

Allow ACE

All

Write Property

msExchDatabaseCreated

 

Exchange Servers

Allow ACE

All

Write Property

msExchUserCulture

 

Exchange Servers

Allow ACE

All

Write Property

msExchMobileMailboxFlags

 

Exchange Servers

Allow ACE

All

Write Property

siteFolderGUID

 

Exchange Servers

Allow ACE

All

Write Property

siteFolderServer

 

Exchange Servers

Allow ACE

All

Write Property

msExchEDBOffline

 

Exchange Servers

Allow ACE

All

Write Property

userCertificate

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMDtmfMap

 

Exchange Servers

Allow ACE

All

Write Property

msExchBlockedSendersHash

 

Exchange Servers

Allow ACE

All

Write Property

Personal Information

 

Exchange Servers

Allow ACE

All

Write Property

Public Information

 

Exchange Servers

Allow ACE

All

Write Property

Exchange Information

 

Exchange Servers

Allow ACE

All

Write Property

msExchPatchMDB

 

Exchange Servers

Allow ACE

All

Write Property

publicDelegates

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMSpokenName

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMPinChecksum

 

Exchange Servers

Allow ACE

All

Write Property

legacyExchangeDN

 

Exchange Servers

Allow ACE

All

Write Property

msExchSafeSendersHash

 

Exchange Servers

Allow ACE

All

Write Property

thumbnailPhoto

 

Organization Management

Allow ACE

All

Create top level public folder

 

 

Public Folder Management

Allow ACE

All

Create top level public folder

 

 

Organization Management

Allow ACE

All

View information store status

 

 

Public Folder Management

Allow ACE

All

View information store status

 

 

Organization Management

Allow ACE

All

Administer information store

 

 

Public Folder Management

Allow ACE

All

Administer information store

 

 

Organization Management

Allow ACE

All

Create named properties in the information store

 

 

Public Folder Management

Allow ACE

All

Create named properties in the information store

 

 

Organization Management

Allow ACE

All

Modify public folder ACL

 

 

Public Folder Management

Allow ACE

All

Modify public folder ACL

 

 

Organization Management

Allow ACE

All

Modify public folder quotas

 

 

Public Folder Management

Allow ACE

All

Modify public folder quotas

 

 

Organization Management

Allow ACE

All

Modify public folder admin ACL

 

 

Public Folder Management

Allow ACE

All

Modify public folder admin ACL

 

 

Organization Management

Allow ACE

All

Modify public folder expiry

 

 

Public Folder Management

Allow ACE

All

Modify public folder expiry

 

 

Organization Management

Allow ACE

All

Modify public folder replica list

 

 

Public Folder Management

Allow ACE

All

Modify public folder replica list

 

 

Organization Management

Allow ACE

All

Modify public folder deleted item retention

 

 

Public Folder Management

Allow ACE

All

Modify public folder deleted item retention

 

 

Organization Management

Allow ACE

All

Create public folder

 

 

Public Folder Management

Allow ACE

All

Create public folder

 

 

Public Folder Management

Allow ACE

All

Mail Enable Public Folder

 

 

Everyone

NT Authority\Anonymous Logon

Allow ACE

All

Create named properties in the information store

 

 

Everyone

NT Authority\Anonymous Logon

Allow ACE

All

Create public folder

 

 

Everyone

NT Authority\Anonymous Logon

Allow ACE

Desc

Read Permissions

List Contents

Read Property

List Object

/ msExchPrivateMDB

 

Everyone

NT Authority\Anonymous Logon

Allow ACE

Desc

Read Permissions

List Contents

Read Property

List Object

/ msExchPublicMDB

 

Exchange Servers

Allow ACE

Desc

Read Permissions

List Contents

Read Property

List Object

/ siteAddressing

 

Distinguished name of the object: CN=All Address Lists,CN=Address Lists Container,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

All

List Contents

 

Organization Management

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

Public Folder Management

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

Distinguished name of the object: CN=Offline Address Lists,CN=Address Lists Container, CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

All

Download Offline Address Book

 

Distinguished name of the object: CN=Addressing,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated users

Allow ACE

All

Read

 

Distinguished name of the object: CN=Recipient Policies,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

Public Folder Management

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

The permissions tables in this section show the permissions set by the Setup /PrepareAD command on various containers within the configuration partition.

Distinguished name of the object: CN=Sites,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchVersion / site

Organization Management

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchVersion / site-link

Organization Management

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchPartnerId / site

Organization Management

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchMinorPartnerId / site

Organization Management

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchResponsibleforSites / site

Organization Management

Exchange Trusted Subsystem

Allow ACE

Write Property

msExchTransportSiteFlags / site

Organization Management

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchCost / site-link

Organization Management

Exchange Trusted Subsystem

Local System

Exchange Servers

Allow ACE

Desc

Read Permissions

List Contents

Read Property

List Object

/ msExchEdgeSyncEHFConnector

Organization Management

Exchange Trusted Subsystem

Local System

Exchange Servers

Allow ACE

Desc

Read Permissions

List Contents

Read Property

List Object

/ msExchEdgeSyncMservConnector

Organization Management

Exchange Trusted Subsystem

Allow ACE

Children

Create Child

Delete Child

Delete Tree

msExchEdgeSyncServiceConfig / site

Organization Management

Exchange Trusted Subsystem

Local System

Exchange Servers

Allow ACE

Desc

Read Permissions

List Contents

Read Property

List Object

/ msExchEdgeSyncServiceConfig

Organization Management

Exchange Trusted Subsystem

Allow ACE

Children

Create Child

Delete Child

Delete Tree

msExchEdgeSyncMservConnector / msExchEdgeSyncServiceConfig

Organization Management

Exchange Trusted Subsystem

Allow ACE

Children

Create Child

Delete Child

Delete Tree

msExchEdgeSyncEHFConnector / msExchEdgeSyncServiceConfig

Distinguished name of the object: CN=Deleted Objects,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

All

List Contents

 

 

Organization Administration

Allow ACE

All

Read

List Object

 

 

Installation Account

Allow ACE

All

Read Permission

Write Permission

List Contents

Read Property

List Object

 

This is the account that is used to run /PrepareAD.

Exchange Trusted Subsystem

Allow ACE

All

Read

List Object

 

 

Network Service

Allow ACE

All

List Contents

 

 

The Setup /PrepareAD command also configures the following permissions on the administrative groups within the organization.

Distinguished name of the object: CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Organization Management

Allow ACE

Desc

Access Recipient Update Service

msExchExchangeServer

Allows Exchange Recipient Administrators to stamp recipients with proxy address information.

Local System

Allow ACE

Desc

Access Recipient Update Service

msExchExchangeServer

Allows the servers to stamp recipients with proxy address information.

Public Folder Management

Allow ACE

Desc

Access Recipient Update Service

msExchExchangeServer

Allows Exchange Public Folder Administrators to stamp recipients with proxy address information.

Distinguished name of the object: CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

None

List Contents

 

Distinguished name of the object: CN=Encryption,CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

None

Read Property

 

Distinguished name of the object: CN=Arrays,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

None

List Contents

 

Distinguished name of the object: CN=Database Availability Groups,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

None

List Contents

 

Distinguished name of the object: CN=Databases,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

None

List Contents

 

Distinguished name of the object: CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Deny ACE

All

Receive As

 

Exchange Servers aren't allowed to open mailboxes.

Authenticated Users

Allow ACE

None

List Contents

 

 

The permissions tables in this section show the permissions set on the Microsoft Exchange Security Groups container within the root domain partition.

Distinguished name of the object: OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Allow ACE

All

Full Control

 

Exchange Trusted Subsystem

Allow ACE

All

Create Child

/ Group

Exchange Trusted Subsystem

Allow ACE

Desc

Delete

/ group

Exchange Trusted Subsystem

Allow ACE

Desc

Write Property

Member / group

Distinguished name of the object: CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Allow ACE

All

Full Control

 

Distinguished name of the object: CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Allow ACE

All

Full Control

 

Distinguished name of the object: CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Allow ACE

All

Full Control

 

Distinguished name of the object: CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Allow ACE

All

Full Control

 

Root Domain Administrators

Allow ACE

All

Read Members

Write Members

 

Child Domain Administrators

Allow ACE

All

Read Members

Write Members

 

The following tables show the permissions set when you execute the Setup /PrepareDomain command.

noteNote:
The permissions described in this section are the default permissions that are configured when you deploy Exchange 2013 using the shared permissions model. If you've deployed Exchange 2013 using the Active Directory split permissions model, the default permission are different. For more information on the changes to the default permissions when using Active Directory split permissions and the shared and split permissions models in general, see Active Directory split permissions in Understanding Split Permissions. If you don't choose to use Active Directory split permissions when you install Exchange, Exchange will use shared permissions.

Distinguished name of the object: DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Read Property

Exchange Information

 

NT AUTHORITY\NETWORK

Allow ACE

All

Read Property

Exchange Personal Information

Grants Transport service read permissions.

Exchange Servers

Allow ACE

All

Write Property

groupType

 

Exchange Servers

Allow ACE

All

Write Property

msExchMailboxSecurityDescriptor

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMServerWritableFlags

 

Exchange Servers

Allow ACE

All

Read Property

Exchange Personal Information

 

Exchange Servers

Allow ACE

All

Read Property

Exchange Information

 

Exchange Servers

Allow ACE

All

Write Property

msExchUserCultulre

 

Exchange Servers

Allow ACE

All

Read Property

memberOf

 

Exchange Servers

Allow ACE

All

Read Property

garbageCollPeriod

 

Exchange Servers

Allow ACE

All

Read Property

userAccountControl

 

Exchange Servers

Allow ACE

All

Read Property

canonicalName

 

Exchange Servers

Allow ACE

All

Replication Synchronization

 

Extended right

Exchange Servers

Allow ACE

All

Create Child

Delete Chile

List Children

msExchActiveSyncDevices / User

 

Exchange Servers

Allow ACE

All

Create Child

Delete Child

List Children

msExchActiveSyncDevices / inetOrgPerson

 

Exchange Servers

Allow ACE

All

Write Property

msExchSafeSendersHash

 

Exchange Servers

Allow ACE

All

Write Property

msExchPublicDelegates

 

Exchange Servers

Allow ACE

All

Write Property

msExchMobileMailboxFlags

 

Exchange Servers

Allow ACE

All

Write Property

msExchSafeRecipientsHash

 

Exchange Servers

Allow ACE

All

Write Property

userCertificate

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMDtmfMap

 

Exchange Servers

Allow ACE

All

Write Property

msExchBlockedSendersHash

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMSpokenName

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMPinChecksum

 

Exchange Servers

Allow ACE

All

Write Property

thumbnailPhoto

 

Organization Management

Allow ACE

All

Read

List Object

 

 

Organization Management

Allow ACE

All

Write Property

Exchange Information

 

Organization Management

Allow ACE

All

Write Property

garbageCollPeriod

 

Organization Management

Allow ACE

All

Write Property

legacyExchangeDN

 

Organization Management

Allow ACE

All

Write Property

msExchPublicDelegates

 

Organization Management

Allow ACE

All

Write Property

textEncodedORAddress

 

Organization Management

Allow ACE

All

Write Property

proxyAddresses

 

Organization Management

Allow ACE

All

Write Property

mail

 

Organization Management

Allow ACE

All

Write Property

displayNamePrintable

 

Organization Management

Allow ACE

All

Write Property

showInAddressBook

 

Organization Management

Allow ACE

All

Write Property

Exchange Personal Information

 

Organization Management

Allow ACE

All

Full Control

/ msExchDynamicDistributionList

 

Organization Management

Allow ACE

All

Write Property

adminDisplayName

 

Organization Management

Allow ACE

All

Write Property

displayName

 

Exchange Trusted Subsystem

Allow ACE

All

Read

List Object

 

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

displayName

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Public Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchPublicDelegates

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

adminDisplayName

 

Exchange Trusted Subsystem

Allow ACE

All

Full Control

/ msExchDynamicDistributionList

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Exchange Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Exchange Personal Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

garbageCollPeriod

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

textEncodedORAddress

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

showInAddressBook

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

legacyExchangeDN

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Personal Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

proxyAddresses

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

displayNamePrintable

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

mail

 

Exchange Windows Permissions

Allow ACE

All

Write Property

pwdLastSet

 

Exchange Windows Permissions

Allow ACE

All

WriteDACL

/ user

 

Exchange Windows Permissions

Allow ACE

All

WriteDACL

/ inetOrgPerson

 

Exchange Windows Permissions

Allow ACE

All

Delete Tree

/ user

 

Exchange Windows Permissions

Allow ACE

All

Delete Tree

/ inetOrgPerson

 

Exchange Windows Permissions

Allow ACE

All

Write Property

sAMAccountName

 

Exchange Windows Permissions

Allow ACE

All

Create Child

Delete

/ contact

 

Exchange Windows Permissions

Allow ACE

All

Create Child

Delete

/ inetOrgPerson

 

Exchange Windows Permissions

Allow ACE

All

Create Child

Delete

/ user

 

Exchange Windows Permissions

Allow ACE

All

Create Child

Delete

/ organizationUnit

 

Exchange Windows Permissions

Allow ACE

All

Create Child

Delete

/ group

 

Exchange Windows Permissions

Allow ACE

All

Create Child

Delete Child

/ computer

 

Exchange Windows Permissions

Allow ACE

All

Write Property

Member

 

Exchange Windows Permissions

Allow ACE

All

Write Property

wwwHomePage

 

Exchange Windows Permissions

Allow ACE

All

Write Property

countryCode

 

Exchange Windows Permissions

Allow ACE

All

Write Property

userAccountControl

 

Exchange Windows Permissions

Allow ACE

All

Write Property

managedBy

 

Exchange Windows Permissions

Allow ACE

All

Reset Password on Next Logon

 

Extended right

Exchange Windows Permissions

Allow ACE

All

Change Password

 / user

Extended right

Delegated Setup

Allow ACE

All

Read Property

User Account Restrictions

 

Distinguished name of the object: CN=AdminSDHolder,CN=System,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Read Property

Exchange Information

 

NT AUTHORITY\NETWORK

Allow ACE

All

Read Property

Exchange Personal Information

Grants Transport service read permissions.

Exchange Servers

Allow ACE

All

Write Property

groupType

 

Exchange Servers

Allow ACE

All

Write Property

msExchMailboxSecurityDescriptor

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMServerWritableFlags

 

Exchange Servers

Allow ACE

All

Read Property

Exchange Personal Information

 

Exchange Servers

Allow ACE

All

Read Property

Exchange Information

 

Exchange Servers

Allow ACE

All

Write Property

msExchUserCultulre

 

Exchange Servers

Allow ACE

All

Read Property

memberOf

 

Exchange Servers

Allow ACE

All

Read Property

garbageCollPeriod

 

Exchange Servers

Allow ACE

All

Read Property

userAccountControl

 

Exchange Servers

Allow ACE

All

Read Property

canonicalName

 

Exchange Servers

Allow ACE

All

Replication Synchronization

 

Extended right

Exchange Servers

Allow ACE

All

Create Child

Delete Chile

List Children

msExchActiveSyncDevices / User

 

Exchange Servers

Allow ACE

All

Create Child

Delete Child

List Children

msExchActiveSyncDevices / inetOrgPerson

 

Exchange Servers

Allow ACE

All

Write Property

msExchSafeSendersHash

 

Exchange Servers

Allow ACE

All

Write Property

msExchPublicDelegates

 

Exchange Servers

Allow ACE

All

Write Property

msExchMobileMailboxFlags

 

Exchange Servers

Allow ACE

All

Write Property

msExchSafeRecipientsHash

 

Exchange Servers

Allow ACE

All

Write Property

userCertificate

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMDtmfMap

 

Exchange Servers

Allow ACE

All

Write Property

msExchBlockedSendersHash

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMSpokenName

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMPinChecksum

 

Exchange Servers

Allow ACE

All

Write Property

thumbnailPhoto

 

Organization Management

Allow ACE

All

Read

List Object

 

 

Organization Management

Allow ACE

All

Write Property

Exchange Information

 

Organization Management

Allow ACE

All

Write Property

garbageCollPeriod

 

Organization Management

Allow ACE

All

Write Property

legacyExchangeDN

 

Organization Management

Allow ACE

All

Write Property

msExchPublicDelegates

 

Organization Management

Allow ACE

All

Write Property

textEncodedORAddress

 

Organization Management

Allow ACE

All

Write Property

proxyAddresses

 

Organization Management

Allow ACE

All

Write Property

mail

 

Organization Management

Allow ACE

All

Write Property

displayNamePrintable

 

Organization Management

Allow ACE

All

Write Property

showInAddressBook

 

Organization Management

Allow ACE

All

Write Property

Exchange Personal Information

 

Organization Management

Allow ACE

All

Full Control

/ msExchDynamicDistributionList

 

Organization Management

Allow ACE

All

Write Property

adminDisplayName

 

Organization Management

Allow ACE

All

Write Property

displayName

 

Exchange Trusted Subsystem

Allow ACE

All

Read

List Object

 

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

displayName

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Public Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

msExchPublicDelegates

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

adminDisplayName

 

Exchange Trusted Subsystem

Allow ACE

All

Full Control

/ msExchDynamicDistributionList

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Exchange Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Exchange Personal Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

garbageCollPeriod

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

textEncodedORAddress

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

showInAddressBook

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

legacyExchangeDN

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

Personal Information

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

proxyAddresses

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

displayNamePrintable

 

Exchange Trusted Subsystem

Allow ACE

All

Write Property

mail

 

Exchange Windows Permissions

Allow ACE

All

Write Property

pwdLastSet

 

Exchange Windows Permissions

Allow ACE

All

Write Property

sAMAccountName

 

Exchange Windows Permissions

Allow ACE

All

Write Property

Member

 

Exchange Windows Permissions

Allow ACE

All

Write Property

wwwHomePage

 

Exchange Windows Permissions

Allow ACE

All

Write Property

countryCode

 

Exchange Windows Permissions

Allow ACE

All

Write Property

userAccountControl

 

Exchange Windows Permissions

Allow ACE

All

Write Property

managedBy

 

Delegated Setup

Allow ACE

All

Read Property

User Account Restrictions

 

Distinguished name of the object: CN=Deleted Objects,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to

Exchange Servers

Allow ACE

All

List Contents

 

Distinguished name of the object: CN=Microsoft Exchange System Objects,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to

NT AUTHORITY\NETWORK

Allow ACE

All

Read Property

List Contents

Read Permissions

 

Authenticated Users

Allow ACE

All

Read Permissions

 

Authenticated Users

Allow ACE

All

Read Property

garbageCollPeriod

Authenticated Users

Allow ACE

All

Read Property

adminDisplayName

Authenticated Users

Allow ACE

All

Read Property

modifyTimeStamp

Exchange Servers

Deny ACE

All

Delete Tree

 

Exchange Servers

Allow ACE

All

Read Permissions

List Contents

Read PropertyDelete Tree

 

Exchange Servers

Allow ACE

All

Create Child

/ msExchSystemMailbox

Exchange Servers

Allow ACE

All

Create Child

Delete Child

/ publicFolder

Exchange Servers

Allow ACE

All

Create Child

/ user

Exchange Servers

Allow ACE

All

Delete Child

/ msExchSystemMailbox

Exchange Servers

Allow ACE

All

Delete Child

/ user

Exchange Servers

Allow ACE

Desc

Write Property

/ publicFolder

Exchange Servers

Allow ACE

Desc

Write Property

/ msExchSystemMailbox

Exchange Servers

Allow ACE

Desc

Write Property

/ user

Exchange Servers

Allow ACE

Desc

Change Password

Reset Password on Next Logon

/ user

Organization Management

Allow ACE

All

Read Permissions

List Contents

Read Property

 

Organization Management

Allow ACE

Desc

Write Property

/ msExchSystemMailbox

Organization Management

Allow ACE

All

Create Child

Delete Child

/ msExchSystemMailbox

Organization Management

Allow ACE

Desc

Write Property

/ user

Organization Management

Allow ACE

All

Create Child

Delete Child

/ user

Organization Management

Allow ACE

Desc

Read Property

Write Property

mail / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

displayNamePrintable / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

displayName / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

textEncodedORAddress / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

proxyAddresses / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

cn / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

showInAddressBook / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

Exchange Information / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

legacyExchangeDN / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

Exchange Personal Information / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

msDSPhoneticDisplayName / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

msExchPFContacts / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

garbageCollPeriod / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

name / publicFolder

Organization Management

Allow ACE

Desc

Read Property

Write Property

msExchPublicDelegates / publicFolder

Public Folder Management

Allow ACE

All

Read Permissions

List Contents

Read Property

 

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

mail / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

displayNamePrintable / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

displayName / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

textEncodedORAddress / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

proxyAddresses / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

cn / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

showInAddressBook / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

Exchange Information / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

legacyExchangeDN / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

Exchange Personal Information / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

msDSPhoneticDisplayName / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

msExchPFContacts / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

garbageCollPeriod / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

name / publicFolder

Public Folder Management

Allow ACE

Desc

Read Property

Write Property

msExchPublicDelegates / publicFolder

Exchange Trusted Subsystem

Allow ACE

All

Read Permissions

List Contents

Read Property

 

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

mail / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

displayNamePrintable / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

displayName / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

textEncodedORAddress / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

proxyAddresses / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

cn / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

showInAddressBook / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

Exchange Information / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

legacyExchangeDN / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

Exchange Personal Information / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

msDSPhoneticDisplayName / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

msExchPFContacts / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

garbageCollPeriod / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

name / publicFolder

Exchange Trusted Subsystem

Allow ACE

Desc

Read Property

Write Property

msExchPublicDelegates / publicFolder

Distinguished name of the object: CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to

Organization Management

Allow ACE

All

Full Control

 

During installation of the Client Access and Mailbox server roles, Setup adds the Organization Management USG to the administrator security group on the local computer so that members of the management role group named Organization Management can manage the server.

The following permissions table shows the permissions set when you install the Client Access or Mailbox server roles.

Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

MACHINE$

Allow ACE

All

Read Permissions

List Contents

Read Property

List Object

 

 

MACHINE$

Allow ACE

None

Write Property

msExchServerSite

msExchEdgeSyncCredential

 

Exchange Servers

Allow ACE

All

Store Transport Access

Store Constrained Delegation

Store Read Only Access

Store Read and Write Access

 

Extended rights

NT AUTHORITY\NETWORK

Allow ACE

All

Exchange Web Services Token Serialization

 

Extended right

Only granted on Mailbox server role objects.

NT AUTHORITY\NETWORK

Allow ACE

All

Read Permissions

List Contents

Read Property

List Object

 

 

Local System

Allow ACE

All

Read Permissions

List Contents

Read Property

List Object

 

 

Delegated Setup

Allow ACE

All

Full Control

 

 

Delegated Setup

Deny ACE

All

Create Child

Delete Child

/ msExchPublicMDB

 

Authenticated Users

Allow ACE

All

Read Property

 

 

Delegated Setup

Deny ACE

All

Receive As

Send As

 

Extended right

The permissions tables in this section show the permissions set with regards to the database availability groups and its members.

Distinguished name of the object: CN=<DAGName>,CN=Database Availability Groups,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to

Authenticated Users

Allow ACE

None

Read Property

 

If you install an Edge Transport server and establish an Edge Subscription with the Exchange organization, the permissions in the following permissions table are set when the Edge Transport server is instantiated into the organization.

Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

All

Write Property

 

 

Authenticated Users

Allow ACE

None

Read Properties

 

ACE is defined in schema for msExchExchangeServer class objects defaultSecurityDescriptor.

During installation of the first Mailbox server, the following containers are created, if they do not already exist. The following permissions table shows the permissions that are applied.

Distinguished name of the object: CN=Availability Configuration,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

Desc

Read Property

msExchAvailabilityUserPassword / msExchAvailabilityAddressSpaceObjects

Extended right

Distinguished name of the object: CN=Default <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

ExchangeLegacyInterop

Deny ACE

All

Accept Forest Headers

 

 

ExchangeLegacyInterop

Deny ACE

All

Accept Organization Headers

 

 

Exchange Servers

Allow ACE

All

Accept Any Sender

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Any Sender

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Any Sender

 

This is the well-known security identifier (SID) for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Any Sender

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Any Sender

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept EXCH50

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept EXCH50

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept EXCH50

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept EXCH50

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept EXCH50

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Submit Messages to any Recipient

 

 

ExchangeLegacyInterop

Allow ACE

All

Submit Messages to any Recipient

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Submit Messages to any Recipient

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Submit Messages to any Recipient

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Submit Messages to any Recipient

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept XShadow

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept XShadow

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept Routing Headers

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Routing Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Routing Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Routing Headers

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Routing Headers

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept XSessionParams

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept XSessionParams

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept XSessionParams

 

This is the well-known SID for Mailbox servers.

Exchange Servers

Allow ACE

All

Accept Forest Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Forest Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Forest Headers

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept xAttr

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept xAttr

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept xAttr

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept XProxyFrom

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Forest XProxyFrom

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Forest XProxyFrom

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept XSysProbe

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Forest XSysProbe

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Forest XSysProbe

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send XMessageContext Extended Properties

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send XMessageContext Extended Properties

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send XMessageContext Extended Properties

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send XMessageContext Fast Index

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send XMessageContext Fast Index

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send XMessageContext Fast Index

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send XMessageContext AD Recipient Cache

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send XMessageContext AD Recipient Cache

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send XMessageContext AD Recipient Cache

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept Authentication Flag

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Authentication Flag

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Authentication Flag

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Authentication Flag

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Authentication Flag

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Bypass Anti-Spam

 

 

ExchangeLegacyInterop

Allow ACE

All

Bypass Anti-Spam

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Bypass Anti-Spam

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Bypass Anti-Spam

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Bypass Anti-Spam

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Bypass Message Size Limit

 

 

ExchangeLegacyInterop

Allow ACE

All

Bypass Message Size Limit

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Bypass Message Size Limit

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Bypass Message Size Limit

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Bypass Message Size Limit

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Organization Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Organization Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Organization Headers

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Submit Messages to Server

 

 

ExchangeLegacyInterop

Allow ACE

All

Submit Messages to Server

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Submit Messages to Server

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Submit Messages to Server

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Submit Messages to Server

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Authoritative Domain Sender

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Authoritative Domain Sender

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well-known SID for externally secured servers.

Authenticated Users

Allow ACE

All

Submit Messages to any Recipient

 

 

Authenticated Users

Allow ACE

All

Accept Routing Headers

 

 

Authenticated Users

Allow ACE

All

Bypass Anti-Spam

 

 

Authenticated Users

Allow ACE

All

Submit Messages to Server

 

 

Distinguished name of the object: CN=Client <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Submit Messages to any Recipient

 

 

Authenticated Users

Allow ACE

All

Accept Routing Headers

 

 

Authenticated Users

Allow ACE

All

Bypass Anti-Spam

 

 

Authenticated Users

Allow ACE

All

Submit Messages to Server

 

 

Exchange Servers

Allow ACE

All

Accept XSessionParams

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept XSessionParams

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept XSessionParams

 

This is the well-known SID for Mailbox servers.

Exchange Servers

Allow ACE

All

Accept Any Sender

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Any Sender

 

This is the well-known security identifier (SID) for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Any Sender

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Any Sender

 

This is the well-known SID for externally secured servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Exch50

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Exch50

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Exch50

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Exch50

 

 

Exchange Servers

Allow ACE

All

Submit Messages to any Recipient

 

 

ExchangeLegacyInterop

Allow ACE

All

Submit Messages to any Recipient

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Submit Messages to any Recipient

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Submit Messages to any Recipient

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Submit Messages to any Recipient

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept XShadow

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept XShadow

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept Routing Headers

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Routing Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Routing Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Routing Headers

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Routing Headers

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Forest Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Forest Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Forest Headers

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept xAttr

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept xAttr

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept xAttr

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept XProxyFrom

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Forest XProxyFrom

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Forest XProxyFrom

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept Authentication Flag

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Authentication Flag

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Authentication Flag

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Authentication Flag

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept XSysProbe

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Forest XSysProbe

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Forest XSysProbe

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Authentication Flag

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Bypass Anti-Spam

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Bypass Anti-Spam

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Bypass Anti-Spam

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Bypass Anti-Spam

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Send XMessageContext Extended Properties

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send XMessageContext Extended Properties

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send XMessageContext Extended Properties

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send XMessageContext Fast Index

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send XMessageContext Fast Index

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send XMessageContext Fast Index

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Bypass Message Size Limit

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Bypass Message Size Limit

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Bypass Message Size Limit

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Bypass Message Size Limit

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Organization Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Organization Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Organization Headers

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send XMessageContext AD Recipient Cache

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send XMessageContext AD Recipient Cache

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send XMessageContext AD Recipient Cache

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Submit Messages to Server

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Submit Messages to Server

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Submit Messages to Server

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Submit Messages to Server

 

This is the well-known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Authoritative Domain Sender

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well-known SID for externally secured servers.

 

 

The following table shows the permissions set when you create Send connectors.

Distinguished name of the object: CN=<Connector Name>,CN=Connections,CN=<routing group>,CN=Routing Groups, CN=<admin group>,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

NT AUTHORITY\ANONYMOUS LOGON

Allow ACE

All

Send Routing Headers

 

 

Exchange Servers

Allow ACE

All

Send Organization Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Organization Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Organization Headers

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send Forest Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Forest Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Forest Headers

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send XShadow

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send XShadow

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send XShadow

 

This is the well-known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send Routing Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-10

Allow ACE

All

Send Routing Headers

 

This is the well-known SID for partner servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Routing Headers

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Routing Headers

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Send Routing Headers

 

This is the well-known SID for externally secured servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-24

Allow ACE

All

Send Routing Headers

 

This is the well-known SID for Legacy Exchange Servers.

Exchange Servers

Allow ACE

All

Send Exch50

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Exch50

 

This is the well-known SID for Mailbox servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Exch50

 

This is the well-known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Send Exch50

 

This is the well-known SID for externally secured servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-24

Allow ACE

All

Send Exch50

 

This is the well-known SID for Legacy Exchange Servers.

 
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.