Permissions on Objects in the Exchange Configuration Tree
cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During ForestPrep phase | | | | | | |
| Authenticated Users | X | | | List Contents, Read All Properties | Not applicable | Allows DomainPrep to read Full Org Admins |
| Designated admin account | X | | X | Full Control | Not applicable | Allows Full Org Admin to administer organization |
| During server install | | | | | | |
| Exchange Domain Servers | X | | X | Read Permissions, Read All Properties, List Contents | Not applicable | Allows Exchange servers to read configuration information |
| During ADC setup | | | | | | |
| Exchange Services | X | | X | Full Control | Not applicable | Allows ADC servers to create/delete objects to keep Exchange configuration up-to-date. |

cn=Active Directory Connections,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install | | | | | | |
| Exchange Domain Servers | X | | X | Full Control | Not applicable | None |

cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During ForestPrep phase | | | | | | |
| Authenticated Users | X | | | Read All Properties, ACTRL_DS_LIST_OBJECT | Not applicable | Allows DomainPrep to read Full Org Admins. |
| Designated admin account | | X | X | Send As | Not applicable | Exchange admins are not allowed to open mailboxes. |
| Designated admin account | | X | X | Receive As | Not applicable | Exchange admins are not allowed to open mailboxes. |
| During server install | | | | | | |
| Enterprise Admins | | X | X | Send As | Not applicable | Windows NT admins are not allowed to open mailboxes. |
| Enterprise Admins | | X | X | Receive As | Not applicable | Windows NT admins are not allowed to open mailboxes. |
| Domain Admins of root domain | | X | X | Send As | Not applicable | Windows NT admins are not allowed to open mailboxes. |
| Domain Admins of root domain | | X | X | Receive As | Not applicable | Windows NT admins are not allowed to open mailboxes. |
| Everyone | X | | X | Create top-level public folder | Not applicable | This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. |
| Everyone | X | | X | Create public folder | Not applicable | None |
| Everyone | X | | X | Create named properties in the information store | Not applicable | None |
| Everyone | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB | None |
| Everyone | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB | None |
| Everyone* | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: mTA | This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. |
| Anonymous Logon | X | | X | Create top-level public folder | Not applicable | This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. |
| Anonymous Logon | X | | X | Create public folder | Not applicable | In Microsoft Windows Server 2003™, "Everyone" no longer includes "Anonymous Logon," so these rights are granted explicitly. |
| Anonymous Logon | X | | X | Create named properties in the information store | Not applicable | None |
| Anonymous Logon | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB | None |
| Anonymous Logon | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB | None |
| Anonymous Logon | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: mTA | This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. |
| Exchange Domain Servers | X | | X | All Extended Rights | Not applicable | None |
| Exchange Domain Servers | X | | X | Create All Child Objects | Not applicable | None |
| Exchange Domain Servers | X | | X | Write Property | Property Set: Public Information | Maintain mail-enabled configuration objects (for example, MAD). |
| Exchange Domain Servers | X | | X | Write Property | Property Set: Personal Information | Maintain mail-enabled configuration objects (for example, MAD). |
| Exchange Domain Servers | X | | X | Full Control | Applies to object class: siteAddressing | None |
| When enabling a Site Replication Service (ACE is removed when SRS is disabled.) | | | | | | |
| MACHINE$ | X | | X | Create All Child Objects, Delete All Child Objects, ACTRL_DS_LIST_OBJECT | Not applicable | SRS must be able to create/delete admin groups. |

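As an added check that is not part of the original documentation: the following PowerShell script reads the ACL of the organization container and reports whether the inherited Deny ACEs for Send As and Receive As that the table lists for Enterprise Admins and Domain Admins are present. The organization DN is a placeholder, and the two GUIDs are the Active Directory schema's rightsGuid values for the Send-As and Receive-As extended rights.

```powershell
# Added audit script; not part of the Exchange documentation. Runs on a
# domain-joined Windows host with read access to the Configuration naming
# context. Replace the placeholder DN with your organization container's DN.
$OrgDN = 'CN=<org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>'

# rightsGuid values of the Send-As and Receive-As controlAccessRight objects
# under cn=Extended-Rights,cn=Configuration (schema constants).
$ExtendedRights = @{
    'Send As'    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
    'Receive As' = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
}

# Principals the table says must carry an inherited Deny for both rights.
# The table names the root domain's Domain Admins; the wildcard below matches
# that group from any domain, so check the domain prefix in the output.
$DeniedPrincipals = @('Enterprise Admins', 'Domain Admins')

$entry = [ADSI]"LDAP://$OrgDN"
# Explicit and inherited ACEs, trustees resolved to DOMAIN\Name form.
$rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$report = foreach ($principal in $DeniedPrincipals) {
    foreach ($right in $ExtendedRights.GetEnumerator()) {
        $match = $rules | Where-Object {
            $_.IdentityReference.Value -like "*\$principal" -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $_.ObjectType -eq $right.Value -and
            ($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
        }
        [pscustomobject]@{
            Principal      = $principal
            Right          = $right.Key
            DenyAcePresent = [bool]$match
        }
    }
}

$report | Format-Table -AutoSize
```

A row reported as False deviates from the Setup baseline in the table and should be investigated before assuming that administrators are still blocked from opening mailboxes at the organization level.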
cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install | | | | | | |
| Authenticated Users | X | | X | List Contents | Not applicable | None |

cn=Addressing,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install | | | | | | |
| Authenticated Users | X | | X | List Contents, Read All Properties, Read Permissions | Not applicable | None |

cn=Recipient Update Services,cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install | | | | | | |
| Exchange Domain Servers | X | | X | Full Control | Not applicable | None |

cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install (set on attribute msExchPFDefaultAdminACL) | | | | | | |
| Authenticated Users | X | | X | Create public folder | Not applicable | None |

cn=Public Folders,cn=All Folder Hierarchies,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install (set on attribute msExchPFDefaultAdminACL) | | | | | | |
| Authenticated Users | X | | X | Create public folder | Not applicable | None |

cn=Connections,cn=<routing group>,cn=Routing Groups,cn=<admin group>,cn=Administrative Groups,cn=<org>...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install | | | | | | |
| Exchange Domain Servers | X | | X | Full Control | Not applicable | None |

cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install, or during Exchange ForestPrep | | | | | | |
| Exchange Domain Servers | | X | X | Receive As | Not applicable | No server needs to read mail except on its own MDBs. |
| During server install (ACEs defined in schema defaultSecurityDescriptor) | | | | | | |
| Authenticated Users | X | | | List Contents | Not applicable | None |

cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install (if the server is not a cluster virtual machine) | | | | | | |
| MACHINE$ | X | | X | Full Control | Not applicable | Server must be able to maintain its configuration. |
| During server install (if the server is a cluster virtual machine) | | | | | | |
| NODE1$, NODE2$, etc. | X | | X | Full Control | Not applicable | Every node in a cluster that owns a virtual machine (VM) must be able to maintain the VM configuration. |
| Exchange Domain Servers | X | | X | Full Control | Not applicable | This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. The VM must be able to maintain its own configuration, but Setup can't tell which specific server to grant control to. |
| During server install (ACEs defined in schema defaultSecurityDescriptor) | | | | | | |
| Authenticated Users | X | | | Read Properties | Not applicable | None |
| When the EDSLOCK script is run; ACE is removed by Exchange ForestPrep | | | | | | |
| Exchange Domain Servers | | X | X | Receive As | Not applicable | This permission was removed by Exchange Server 2003 Setup. This permission was set in Exchange 2000 Server, but has since been deprecated from the security model. No server needs to read mail except on its own MDBs. |

cn=Protocols,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install | | | | | | |
| Everyone | X | | X | List Contents | Not applicable | None |
| Everyone | X | | X | Read metabase properties | Not applicable | None |

cn=Microsoft System Attendant,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install (set on attribute msExchMailboxSecurityDescriptor) | | | | | | |
| LocalSystem | X | | X | Read Permissions, fsdspermUserSendAs, fsdspermUserMailboxOwner | Not applicable | None |
| Exchange Domain Servers | X | | X | Read Permissions, fsdspermUserSendAs, fsdspermUserMailboxOwner | Not applicable | None |
| 5.5 Service Account (if given) | X | | X | Read Permissions, fsdspermUserSendAs, fsdspermUserMailboxOwner | Not applicable | None |

cn=Microsoft MTA,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...

| Account | A | D | I | Right | On Property/Applies To | Comments |
|---|---|---|---|---|---|---|
| During server install or when enabling an SRS | | | | | | |
| 5.5 Service Account (if given) | X | | X | Send As | Not applicable | Required to send/receive mail from servers running Exchange Server 5.5. |
| 5.5 Service Account (if given) | X | | X | Receive As | Not applicable | Required to send/receive mail from servers running Exchange Server 5.5. |