Access Control

To manage Exchange-related attributes on objects within the domain naming contexts of the forest, modify permissions must be granted to the Exchange Administrators group. This is accomplished by modifying the security descriptor on the object that contains the attributes.

A security descriptor contains two access control lists (ACLs). An ACL is a list of user or security group objects that have access or are denied access to a resource or object. ACLs allow granular permissions to be applied to the entire object, a set of the object's properties, or to an individual property of an object. Two types of access control lists are within an object's security descriptor:

  • **Discretionary access control lists (DACLs)** DACLs identify the users and groups that are assigned or denied access permissions on an object. If a DACL does not explicitly identify a user, or any groups that a user is a member of, the user will be denied access to that object. By default, a DACL is controlled by the owner of an object or the person who created the object, and it contains access control entries that determine user access to the object.

  • **System access control lists (SACLs)** SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object. By default, a SACL is controlled by the owner of an object or the person who created the object. A SACL contains access control entries that determine whether to record a successful or failed attempt by a user to access an object using a given permission, for example, Full Control and Read.

An access control entry (ACE) is an entry in an object's DACL that grants permissions to a user or group. An ACE is also an entry in an object's SACL that specifies the security events that are to be audited for a user or group.
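The following PowerShell is an added example, not part of the original page or of Exchange itself. It shows the procedure described above end to end: read an Active Directory object's security descriptor through the ActiveDirectory module's `AD:` drive, list the ACEs in its DACL and SACL, then add a DACL entry that grants the Exchange Administrators group write access to a single attribute and a SACL entry that audits failed writes to that attribute. A property-level ACE references the attribute by its `schemaIDGUID`, so the script looks that GUID up in the schema naming context. The object DN, the `mail` attribute and the `contoso.com` domain are placeholders; replace them with values from your own forest.

```powershell
# Added example (not from the original page): inspect and extend the DACL and SACL
# of one AD object. The DN, attribute name and domain below are placeholders.
Import-Module ActiveDirectory

$objectDN  = 'CN=Mailbox Users,OU=Groups,DC=contoso,DC=com'   # placeholder DN
$groupName = 'Exchange Administrators'                        # group named on the page
$attribute = 'mail'                                           # placeholder attribute to delegate

# Property-level ACEs identify the attribute by its schemaIDGUID, so resolve it first.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attribute)" -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID

# Resolve the group to a SID; ACEs are stored against SIDs, not names.
$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Read the current security descriptor. -Audit also returns the SACL, which
# requires the SeSecurityPrivilege (Manage auditing and security log) right.
$acl = Get-Acl -Path "AD:\$objectDN" -Audit

# DACL: who is allowed or denied which rights, and on which property (ObjectType GUID).
# An empty ObjectType GUID means the ACE applies to the whole object.
$acl.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# SACL: who is audited, and whether on success, failure, or both.
$acl.Audit |
    Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# DACL entry: allow the group to write only this one attribute on this object (no inheritance).
$allow = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($allow)

# SACL entry: record failed attempts by the group to write that attribute.
# Entries are only recorded when directory service object access auditing is enabled.
$audit = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Failure,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAuditRule($audit)

# Write the modified descriptor back to the object.
Set-Acl -Path "AD:\$objectDN" -AclObject $acl
```

Scoping the ACE to one attribute GUID with `ActiveDirectorySecurityInheritance.None` is the least-privilege form of the grant: the group gets write access to that attribute on that object only, rather than to the whole object or its subtree. Run the two listing blocks again after `Set-Acl` to confirm that exactly one new Allow ACE and one new Failure audit ACE appeared.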