Understanding the Types of Permissions That Control Access to Mailboxes and Public Folders

The access control lists (ACLs) on public folders, mailboxes, and the messages that they contain use Microsoft Windows® 2000 permissions to control access (with several additional permissions that are specific to Exchange). This is a change from Microsoft Exchange 5.5, in which the ACLs used MAPI permissions. Exchange 2003 substitutes MAPI permissions for Windows 2000 permissions in the following circumstances:

  • When communicating with MAPI-based client applications, such as Microsoft Outlook®. In this case, Exchange converts the permissions to MAPI permissions when displaying them to the user. If the user modifies the permissions, Exchange converts them back to Windows 2000 permissions to save them.

  • When replicating data to Exchange 5.5 servers in a mixed deployment, where servers that run Exchange 5.5 coexist with servers that run Exchange 2003. Because Exchange 5.5 servers use only MAPI permissions, Exchange 2003 replicates permissions to them in the MAPI format. When the permissions replicate back to Exchange 2003 servers, Exchange 2003 converts them to the Windows 2000 format before saving them.

    Note

    Both of these circumstances apply to mailboxes and to public folders in the Public Folders tree (and all the folders and messages contained in it). Folders and messages in general-purpose public folder trees cannot be accessed by MAPI-based clients and are not replicated to Exchange 5.5 servers. Therefore, Exchange always uses Windows 2000 permissions with these folders and messages. For more information about the differences between the Public Folders tree and general-purpose public folder trees, see "Configuring Public Folder Stores."

Exchange handles all conversions between Windows 2000 permissions and MAPI permissions automatically. However, as an administrator, be aware that when you use Exchange System Manager to set permissions, you may have to work with either Windows 2000 permissions or MAPI permissions, depending on the type of object you are securing.