Exchange 2010 Deployment Permissions Reference
This topic describes the permissions that are required to set up a Microsoft Exchange Server 2010 organization. The universal security groups (USGs) that are associated with management role groups, and other Windows security groups and security principals, are added to the access control lists (ACLs) of various Active Directory objects. ACLs control what operations can be performed on each object. By understanding what permissions are granted to each role group, security group, or security principal, you can determine what minimum permissions are required to install Exchange 2010.
In some cases, the ACL isn't applied on the usual property, ntSecurityDescriptor, but on another property, such as msExchMailboxSecurityDescriptor. The directory service can't enforce security that isn't specified in the Windows security descriptor. In most cases, these ACLs are replicated to store ACLs on appropriate objects by the store service. Unfortunately, there is no tool to view these ACLs as anything other than raw binary data.
The columns of each permissions table include the following information:
- Account: The security principal granted or denied the permissions.
- ACE type: Access control entry (ACE) type.
  - Allow ACE: An allow ACE allows the user or group associated with the ACE to access an item.
  - Deny ACE: A deny ACE prevents the user or group associated with the ACE from accessing an item.
- Inheritance: The type of inheritance used for child objects.
  - All indicates that the permissions apply to the object and all sub-objects.
  - Desc indicates that the permissions apply to the object class listed in the On Property/Applies To row.
  - None indicates that the permissions apply only to the object.
- Permissions: The permissions granted to the account.
- On Property/Applies To: In some cases, permissions apply only to a given property, property set, or object class. These limited permissions are specified here.
- Comments: When applicable, this column explains why the permissions are required or provides other information about the permissions.
The permissions are generally listed in the table by the names that are used on the Active Directory Service Interfaces (ADSI) Edit (AdsiEdit.msc) Security property page in the Advanced view on the View/Edit tab. The ADSI Edit Security property page lists a much more condensed view of the permissions. The LDP tool (Ldp.exe) displays the access mask directly as a numeric value. The setup code refers to the permissions by predefined constants.
The following table shows the relationships between these values.
ADSI Edit Summary page | ADSI Edit Advanced view, View/Edit tab | ACL entries applied to a given object | Binary value (access mask in LDP) |
---|---|---|---|
Full Control | Full Control | | |
Read | List Contents + Read All Properties + Read Permissions | | |
Write | Write All Properties + All Validated Writes | | |
 | List Contents | | |
 | Read All Properties | | |
 | Write All Properties | | |
 | Delete | | |
 | Delete Subtree | | |
 | Read Permissions | | |
 | Modify Permissions | | |
 | Modify Owner | | |
 | All Validated Writes | | |
 | All Extended Rights | | |
Create All Child Objects | Create All Child Objects | | |
Delete All Child Objects | Delete All Child Objects | | |
Extended rights are custom rights specified by individual applications. They are specified in the ACL. However, they are meaningless to Active Directory. The specific application enforces any extended rights. Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."
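The relationship between the numeric access mask that LDP displays and the ADSI Edit permission names, as an added example (not part of the original topic and not Exchange Setup code). The bit values are the standard Active Directory access-right constants, the Read and Write groupings follow the table above, and the sample ACEs and the `expected` allow-list are constructed for illustration.

```python
# Added example: decode the access mask Ldp.exe displays into the permission
# names used in this reference, then flag ACEs that can rewrite an object's ACL.
# Bit values are the standard Active Directory access-right constants.

RIGHTS = (
    (0x00001, "Create All Child Objects"),
    (0x00002, "Delete All Child Objects"),
    (0x00004, "List Contents"),
    (0x00008, "All Validated Writes"),
    (0x00010, "Read All Properties"),
    (0x00020, "Write All Properties"),
    (0x00040, "Delete Subtree"),
    (0x00080, "List Object"),
    (0x00100, "All Extended Rights"),
    (0x10000, "Delete"),
    (0x20000, "Read Permissions"),
    (0x40000, "Modify Permissions"),
    (0x80000, "Modify Owner"),
)
FULL_CONTROL = 0xF01FF  # every bit listed in RIGHTS

# Summary-page groupings, composed as in the table above:
# Read  = List Contents + Read All Properties + Read Permissions
# Write = Write All Properties + All Validated Writes
SUMMARY = (("Read", 0x20014), ("Write", 0x00028))

# Rights that let the holder rewrite the object's security descriptor.
SECURITY_CHANGING = 0x40000 | 0x80000


def decode_mask(mask):
    """Return the Advanced-view name of every bit set in an access mask."""
    names = [name for bit, name in RIGHTS if mask & bit]
    unmapped = mask & ~FULL_CONTROL
    if unmapped:
        # Generic or application-specific bits are reported, never dropped.
        names.append("Unmapped bits 0x%X" % unmapped)
    return names


def summarize(mask):
    """Collapse a mask to the condensed names shown on the Summary page."""
    if mask & FULL_CONTROL == FULL_CONTROL:
        return ["Full Control"] + decode_mask(mask & ~FULL_CONTROL)
    labels, remaining = [], mask
    for label, bits in SUMMARY:
        if mask & bits == bits:
            labels.append(label)
            remaining &= ~bits
    return labels + decode_mask(remaining)


def flag_security_changing(aces, expected):
    """List allow ACEs that grant Modify Permissions or Modify Owner to an
    account outside the expected set. Deny ACEs are skipped."""
    findings = []
    for account, ace_type, mask in aces:
        granted = mask & SECURITY_CHANGING
        if ace_type == "Allow" and granted and account not in expected:
            findings.append((account, decode_mask(granted)))
    return findings


# Constructed sample: (account, ACE type, access mask as LDP would show it).
SAMPLE_ACES = [
    ("Organization Management", "Allow", 0xF01FF),
    ("Exchange Windows Permissions", "Allow", 0x40040),  # Delete Tree + WriteDACL
    ("Authenticated Users", "Allow", 0x00010),
    ("Delegated Setup", "Deny", 0x80003),
]

if __name__ == "__main__":
    for account, ace_type, mask in SAMPLE_ACES:
        print("%-30s %-5s 0x%05X  %s" % (account, ace_type, mask, summarize(mask)))
    # Hypothetical allow-list: accounts expected to hold ACL-changing rights.
    for account, rights in flag_security_changing(SAMPLE_ACES, {"Organization Management"}):
        print("review:", account, rights)
```

Bits outside the thirteen listed rights, such as generic rights, are returned as an "Unmapped bits" entry so that nothing in a mask is silently ignored.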
Note
For information about permissions that are set during a Microsoft Exchange Server 2003 installation, see Working with Active Directory Permissions in Exchange Server 2003. For information about permissions that are set during a Microsoft Exchange Server 2007 installation, see Exchange 2007 Setup Permissions Reference.
Prepare Legacy Exchange Permissions
The permissions tables in this section show the permissions set when you execute the setup /PrepareLegacyExchangePermissions command.
Distinguished name of the object: DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Exchange Enterprise Servers | Allow ACE | All | Write Property | Exchange Information |
Authenticated Users | Allow ACE | All | Read Property | Exchange Information |
Distinguished name of the object: CN=AdminSDHolder,CN=System,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Exchange Enterprise Servers | Allow ACE | All | Read Property, Write Property | Exchange Information |
Distinguished name of the object: CN=<organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Exchange Domain Servers | Allow ACE | All | Write Property | Exchange Information |
Prepare Active Directory Permissions
The permissions tables in this section show the permissions set when you execute the Setup /PrepareAD command.
Microsoft Exchange Container Permissions
The following table shows the permissions that are set on the Microsoft Exchange container within the configuration partition.
Distinguished name of the object: CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Installation Account | Allow ACE | All | Full Control | | This is the account that is used to run |
Organization Management | Allow ACE | All | Full Control | | |
Exchange Trusted Subsystem | Allow ACE | All | Full Control | | |
Exchange Servers | Allow ACE | All | Read | | |
Authenticated Users | Allow ACE | None | Read Property, List Contents | | |
Public Folder Management | Allow ACE | All | Read Permissions, List Contents, Read Property, List Object | | |
Delegated Setup | Allow ACE | All | Read Permissions, List Contents, Read Property, List Object | | |
Microsoft Exchange Autodiscover Container Permissions
The following table shows the permissions set on the Microsoft Exchange Autodiscover container within the configuration partition.
Distinguished name of the object: CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Exchange Servers | Allow ACE | All | Read | |
Microsoft Exchange Organization Container Permissions
The permissions tables in this section show the permissions set on the Microsoft Exchange Organization and sub-containers within the configuration partition.
Distinguished name of the object: CN=<organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>
Account(s) | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Enterprise Admins, Root Domain Admins, Installation Account, Organization Management | Deny ACE | All | Send As, Receive As | | Windows administrators aren't allowed to open mailboxes. |
Enterprise Admins, Schema Admins, Root Domain Admins, Installation Account, Organization Management | Deny ACE | All | Exchange Web Services Impersonation, Exchange Web Services Token Serialization | | Extended right |
Enterprise Admins, Schema Admins, Root Domain Admins, Installation Account, Organization Management, Exchange Servers | Deny ACE | All | Store Transport Access, Store Constrained Delegation, Store Read Access, Store Read Write Access | | |
Authenticated Users | Deny ACE | Desc | Read Property | | |
Exchange Servers | Allow ACE | All | Control Access | | |
Organization Management | Allow ACE | All | Read Permissions, List Contents, Read Property, List Object | | |
Public Folder Management | Allow ACE | All | Read Permissions, List Contents, Read Property, List Object | | |
NT Authority\Network Service | Allow ACE | All | Read | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Create top level public folder | | |
Public Folder Management | Allow ACE | All | Create top level public folder | | |
Organization Management | Allow ACE | All | View information store status | | |
Public Folder Management | Allow ACE | All | View information store status | | |
Organization Management | Allow ACE | All | Administer information store | | |
Public Folder Management | Allow ACE | All | Administer information store | | |
Organization Management | Allow ACE | All | Create named properties in the information store | | |
Public Folder Management | Allow ACE | All | Create named properties in the information store | | |
Organization Management | Allow ACE | All | Modify public folder ACL | | |
Public Folder Management | Allow ACE | All | Modify public folder ACL | | |
Organization Management | Allow ACE | All | Modify public folder quotas | | |
Public Folder Management | Allow ACE | All | Modify public folder quotas | | |
Organization Management | Allow ACE | All | Modify public folder admin ACL | | |
Public Folder Management | Allow ACE | All | Modify public folder admin ACL | | |
Organization Management | Allow ACE | All | Modify public folder expiry | | |
Public Folder Management | Allow ACE | All | Modify public folder expiry | | |
Organization Management | Allow ACE | All | Modify public folder replica list | | |
Public Folder Management | Allow ACE | All | Modify public folder replica list | | |
Organization Management | Allow ACE | All | Modify public folder deleted item retention | | |
Public Folder Management | Allow ACE | All | Modify public folder deleted item retention | | |
Organization Management | Allow ACE | All | Create public folder | | |
Public Folder Management | Allow ACE | All | Create public folder | | |
Everyone, NT Authority\Anonymous Logon | Allow ACE | All | Create named properties in the information store | | |
Everyone, NT Authority\Anonymous Logon | Allow ACE | All | Create public folder | | |
Everyone, NT Authority\Anonymous Logon | Allow ACE | Desc | Read Permissions, List Contents, Read Property, List Object | | |
Everyone, NT Authority\Anonymous Logon | Allow ACE | Desc | Read Permissions, List Contents, Read Property, List Object | | |
Exchange Servers | Allow ACE | Desc | Read Permissions, List Contents, Read Property, List Object | | |
Distinguished name of the object: CN=All Address Lists,CN=Address Lists Container,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | All | List Contents | |
Organization Management | Allow ACE | All | Write Property | |
Public Folder Management | Allow ACE | All | Write Property | |
Distinguished name of the object: CN=Offline Address Lists,CN=Address Lists Container, CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | All | Download Offline Address Book | |
Distinguished name of the object: CN=Addressing,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | All | Read | |
Distinguished name of the object: CN=Recipient Policies,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Organization Management | Allow ACE | All | Write Property | |
Public Folder Management | Allow ACE | All | Write Property | |
Configuration Partition Container Permissions
The permissions tables in this section show the permissions set by the Setup /PrepareAD command on various containers within the configuration partition.
Distinguished name of the object: CN=Sites,CN=Configuration,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Organization Management, Exchange Trusted Subsystem | Allow ACE | All | Write Property | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | All | Write Property | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | All | Write Property | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | | Write Property | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | All | Write Property | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | Desc | Read Permissions, List Contents, Read Property, List Object | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | Desc | Read Permissions, List Contents, Read Property, List Object | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | Children | Create Child, Delete Child, Delete Tree | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | Desc | Read Permissions, List Contents, Read Property, List Object | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | Children | Create Child, Delete Child, Delete Tree | |
Organization Management, Exchange Trusted Subsystem | Allow ACE | Children | Create Child, Delete Child, Delete Tree | |
Distinguished name of the object: CN=Deleted Objects,CN=Configuration,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Exchange Servers | Allow ACE | All | List Contents | | |
Organization Administration | Allow ACE | All | Read Permission, Write Permission, List Contents, Read Property, List Object | | |
Installation Account | Allow ACE | All | Read Permission, Write Permission, List Contents, Read Property, List Object | | This is the account that is used to run |
Exchange Trusted Subsystem | Allow ACE | All | Read Permission, List Contents, Read Property, List Object | | |
Exchange Administrative Group Permissions
The Setup /PrepareAD command also configures the following permissions on the administrative groups within the organization.
Distinguished name of the object: CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Organization Management | Allow ACE | Desc | Access Recipient Update Service | | Allows Exchange Recipient Administrators to stamp recipients with proxy address information. |
NT AUTHORITY\SYSTEM | Allow ACE | Desc | Access Recipient Update Service | | Allows the servers to stamp recipients with proxy address information. |
Public Folder Management | Allow ACE | Desc | Access Recipient Update Service | | Allows Exchange Public Folder Administrators to stamp recipients with proxy address information. |
Distinguished name of the object: CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | None | List Contents | |
Distinguished name of the object: CN=Encryption,CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | None | Read Property | |
Distinguished name of the object: CN=Arrays,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | None | List Contents | |
Distinguished name of the object: CN=Database Availability Groups,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | None | List Contents | |
Distinguished name of the object: CN=Databases,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | None | List Contents | |
Distinguished name of the object: CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Exchange Servers | Deny ACE | All | Receive As | | Exchange Servers aren't allowed to open mailboxes. |
Authenticated Users | Allow ACE | None | List Contents | | |
Microsoft Exchange Security Groups Container Permissions
The permissions tables in this section show the permissions set on the Microsoft Exchange Security Groups container within the root domain partition.
Distinguished name of the object: OU=Microsoft Exchange Security Groups,DC=<root domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Organization Management | Allow ACE | All | Full Control | |
Exchange Trusted Subsystem | Allow ACE | All | Create Child, Delete Child | |
Exchange Trusted Subsystem | Allow ACE | Desc | Write Property | |
Distinguished name of the object: CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=<root domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Organization Management | Allow ACE | All | Full Control | |
Distinguished name of the object: CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=<root domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Organization Management | Allow ACE | All | Full Control | |
Distinguished name of the object: CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=<root domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Organization Management | Allow ACE | All | Full Control | |
Root Domain Administrators | Allow ACE | All | Read Members, Write Members | |
Child Domain Administrators | Allow ACE | All | Read Members, Write Members | |
Prepare Domain
The following tables show the permissions set when you execute the Setup /PrepareDomain command.
Distinguished name of the object: DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Authenticated Users | Allow ACE | All | Read Property | | |
NT AUTHORITY\NETWORK | Allow ACE | All | Read Property | | Grants Transport service read permissions. |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Replication Synchronization | | Extended right |
Exchange Servers | Allow ACE | All | Create Child, Delete Child, List Children | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Read | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Full Control | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Read | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Full Control | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Delete Tree, WriteDACL | | |
Exchange Windows Permissions | Allow ACE | All | Delete Tree, WriteDACL | | |
Exchange Windows Permissions | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Create Child, Delete Child | | |
Exchange Windows Permissions | Allow ACE | All | Create Child, Delete Child | | |
Exchange Windows Permissions | Allow ACE | All | Create Child, Delete Child | | |
Exchange Windows Permissions | Allow ACE | All | Create Child, Delete Child | | |
Exchange Windows Permissions | Allow ACE | All | Create Child, Delete Child | | |
Exchange Windows Permissions | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Write Property | | |
Exchange Windows Permissions | Allow ACE | All | Reset Password | | Extended right |
Exchange Windows Permissions | Allow ACE | All | Change Password | | Extended right |
Distinguished name of the object: CN=AdminSDHolder,CN=System,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Read Property | | |
Exchange Servers | Allow ACE | All | Replication Synchronization | | Extended right |
Exchange Servers | Allow ACE | All | Create Child, Delete Child, List Children | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Exchange Servers | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Read | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Full Control | | |
Organization Management | Allow ACE | All | Write Property | | |
Organization Management | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Read | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Full Control | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Exchange Trusted Subsystem | Allow ACE | All | Write Property | | |
Distinguished name of the object: CN=Microsoft Exchange System Objects,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
NT AUTHORITY\NETWORK | Allow ACE | All | Read Property | |
Authenticated Users | Allow ACE | All | Read Permissions | |
Authenticated Users | Allow ACE | All | Read Property | |
Authenticated Users | Allow ACE | All | Read Property | |
Authenticated Users | Allow ACE | All | Read Property | |
Exchange Servers | Deny ACE | All | Delete Tree | |
Exchange Servers | Allow ACE | All | Read, Delete Tree | |
Exchange Servers | Allow ACE | All | Create Child, Delete Child | |
Exchange Servers | Allow ACE | All | | |
Exchange Servers | Allow ACE | Desc | Write Property | |
Exchange Servers | Allow ACE | Desc | Write Property | |
Organization Management | Allow ACE | All | Read | |
Organization Management | Allow ACE | Desc | Write Property | |
Organization Management | Allow ACE | All | Create Child, Delete Child | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Organization Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | All | Read | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Public Folder Management | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | All | Read | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Exchange Trusted Subsystem | Allow ACE | Desc | Read Property, Write Property | |
Server Role Installation
During installation of the Client Access, Hub Transport, Unified Messaging, and Mailbox server roles, Setup adds the Organization Management USG to the administrator security group on the local computer so that members of the management role group named Organization Management can manage the server.
The following permissions table shows the permissions set when you install the Client Access, Hub Transport, Unified Messaging, or Mailbox server roles.
Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
MACHINE$ | Allow ACE | All | Read | | |
MACHINE$ | Allow ACE | None | Write Property | | |
Exchange Servers | Allow ACE | All | Store Transport Access, Store Constrained Delegation, Store Read Only Access, Store Read and Write Access | | Extended rights |
NT AUTHORITY\NETWORK | Allow ACE | All | Exchange Web Services Token Serialization | | Extended right. Only granted on Client Access server role objects. |
NT AUTHORITY\NETWORK | Allow ACE | All | Read | | Only granted on Hub Transport server role objects. |
Delegated Setup | Allow ACE | All | Full Control | | |
Delegated Setup | Allow ACE | All | Read | | |
Delegated Setup | Deny ACE | All | Create Child, Delete Child | | |
Authenticated Users | Allow ACE | All | Read Property | | |
Delegated Setup | Deny ACE | All | Receive As, Send As | | Extended right |
Database Availability Groups
The permissions tables in this section show the permissions set with regard to database availability groups and their members.
Distinguished name of the object: CN=<DAGName>,CN=Database Availability Groups,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | None | Read Properties | |
Distinguished name of the object: CN=<DAGName>,CN=Computers,DC=<domain>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Mailbox Server Computer Account$ | Allow ACE | None | Delete, Read Permissions, List Contents, Read Property, Delete Tree, List Object | |
Mailbox Server Computer Account$ | Allow ACE | None | Write Property | |
Mailbox Server Computer Account$ | Allow ACE | None | Write Property | |
Mailbox Server Computer Account$ | Allow ACE | None | Write Property | |
Mailbox Server Computer Account$ | Allow ACE | None | Write Property | |
Mailbox Server Computer Account$ | Allow ACE | None | Write Property | |
Mailbox Server Computer Account$ | Allow ACE | None | Write Property | |
Mailbox Server Computer Account$ | Allow ACE | None | Write Property | |
Edge Transport
If you install an Edge Transport server and establish an Edge Subscription with the Exchange organization, the permissions in the following permissions table are set when the Edge Transport server is instantiated into the organization.
Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Exchange Servers | Allow ACE | All | Write Property | | |
Authenticated Users | Allow ACE | None | Read Properties | | ACE is defined in schema for |
Client Access Server Installation
During installation of the first Client Access server, the following container is created. The following permissions table shows the permissions that are applied.
Distinguished name of the object: CN=Availability Configuration,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Exchange Servers | Allow ACE | Desc | Read Property | | Extended right |
Hub Transport Server Installation
During installation of each Hub Transport server, the following permissions are set.
Distinguished name of the object: CN=Default <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
ExchangeLegacyInterop | Deny ACE | All | Accept Forest Headers | | |
ExchangeLegacyInterop | Deny ACE | All | Accept Organization Headers | | |
Exchange Servers | Allow ACE | All | Accept Any Sender | | |
ExchangeLegacyInterop | Allow ACE | All | Accept Any Sender | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Any Sender | | This is the well-known security identifier (SID) for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Any Sender | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept Any Sender | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Accept EXCH50 | | |
ExchangeLegacyInterop | Allow ACE | All | Accept EXCH50 | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept EXCH50 | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept EXCH50 | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept EXCH50 | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Submit Messages to any Recipient | | |
ExchangeLegacyInterop | Allow ACE | All | Submit Messages to any Recipient | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Submit Messages to any Recipient | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Submit Messages to any Recipient | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Submit Messages to any Recipient | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Accept XShadow | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept XShadow | | This is the well-known SID for Edge Transport servers. |
Exchange Servers | Allow ACE | All | Accept Routing Headers | | |
ExchangeLegacyInterop | Allow ACE | All | Accept Routing Headers | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Routing Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Routing Headers | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept Routing Headers | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Accept Forest Headers | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Forest Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Forest Headers | | This is the well-known SID for Edge Transport servers. |
Exchange Servers | Allow ACE | All | Accept Authentication Flag | | |
ExchangeLegacyInterop | Allow ACE | All | Accept Authentication Flag | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Authentication Flag | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Authentication Flag | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept Authentication Flag | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Bypass Anti-Spam | | |
ExchangeLegacyInterop | Allow ACE | All | Bypass Anti-Spam | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Bypass Anti-Spam | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Bypass Anti-Spam | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Bypass Anti-Spam | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Bypass Message Size Limit | | |
ExchangeLegacyInterop | Allow ACE | All | Bypass Message Size Limit | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Bypass Message Size Limit | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Bypass Message Size Limit | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Bypass Message Size Limit | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Accept Organization Headers | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Organization Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Organization Headers | | This is the well-known SID for Edge Transport servers. |
Exchange Servers | Allow ACE | All | Submit Messages to Server | | |
ExchangeLegacyInterop | Allow ACE | All | Submit Messages to Server | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Submit Messages to Server | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Submit Messages to Server | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Submit Messages to Server | | This is the well-known SID for externally secured servers. |
Exchange Servers | Allow ACE | All | Accept Authoritative Domain Sender | | |
ExchangeLegacyInterop | Allow ACE | All | Accept Authoritative Domain Sender | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Authoritative Domain Sender | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Authoritative Domain Sender | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept Authoritative Domain Sender | | This is the well-known SID for externally secured servers. |
Authenticated Users | Allow ACE | All | Submit Messages to any Recipient | | |
Authenticated Users | Allow ACE | All | Accept Routing Headers | | |
Authenticated Users | Allow ACE | All | Bypass Anti-Spam | | |
Authenticated Users | Allow ACE | All | Submit Messages to Server | | |
Distinguished name of the object: CN=Client <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to |
---|---|---|---|---|
Authenticated Users | Allow ACE | All | Submit Messages to any Recipient | |
Authenticated Users | Allow ACE | All | Accept Routing Headers | |
Authenticated Users | Allow ACE | All | Bypass Anti-Spam | |
Authenticated Users | Allow ACE | All | Submit Messages to Server | |
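The Client <Server> Receive connector table above can serve as a baseline for an ACL drift check. The following PowerShell is an added example, not part of the original reference: it reports grants that the table lists but the ACL lacks, and ACEs that the table does not list. The function name Compare-ConnectorAcl and the sample principal CONTOSO\svc-scanner are hypothetical, and the ms-Exch-* names, which do not appear on this page, are the extended-right names that Get-ADPermission reports for the display names in the table.

```powershell
# Baseline from the "Client <Server>" table: the display names on this page
# mapped to the extended-right names that Get-ADPermission reports.
$Baseline = @{
    'NT AUTHORITY\Authenticated Users' = @(
        'ms-Exch-SMTP-Submit',                # Submit Messages to Server
        'ms-Exch-SMTP-Accept-Any-Recipient',  # Submit Messages to any Recipient
        'ms-Exch-Bypass-Anti-Spam',           # Bypass Anti-Spam
        'ms-Exch-Accept-Headers-Routing'      # Accept Routing Headers
    )
}

function Compare-ConnectorAcl {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)] [object[]]  $Ace,
        [Parameter(Mandatory=$true)] [hashtable] $Baseline
    )
    $granted = @{}
    foreach ($a in $Ace) {
        foreach ($right in @($a.ExtendedRights)) {
            if (-not $right) { continue }
            $status = $null
            if ($a.Deny) {
                $status = 'UnexpectedDeny'        # this table lists no Deny ACEs
            } elseif ($Baseline[[string]$a.User] -contains [string]$right) {
                $granted["$($a.User)|$right"] = $true
            } else {
                $status = 'UnexpectedAllow'       # principal or right not in the table
            }
            if ($status) {
                New-Object PSObject -Property @{ Status = $status; User = [string]$a.User; Right = [string]$right }
            }
        }
    }
    foreach ($user in $Baseline.Keys) {           # baseline grants absent from the ACL
        foreach ($right in $Baseline[$user]) {
            if (-not $granted.ContainsKey("$user|$right")) {
                New-Object PSObject -Property @{ Status = 'Missing'; User = $user; Right = $right }
            }
        }
    }
}

# Constructed sample ACEs carrying the User, Deny and ExtendedRights properties of Get-ADPermission output.
$sample = @(
    @('NT AUTHORITY\Authenticated Users', 'ms-Exch-SMTP-Submit'),
    @('NT AUTHORITY\Authenticated Users', 'ms-Exch-SMTP-Accept-Any-Recipient'),
    @('NT AUTHORITY\Authenticated Users', 'ms-Exch-Accept-Headers-Routing'),
    @('CONTOSO\svc-scanner',              'ms-Exch-SMTP-Accept-Any-Sender')   # constructed principal
) | ForEach-Object { New-Object PSObject -Property @{ User = $_[0]; Deny = $false; ExtendedRights = @($_[1]) } }

Compare-ConnectorAcl -Ace $sample -Baseline $Baseline | Format-Table Status, User, Right -AutoSize
```

Against a live connector, pass the output of Get-ReceiveConnector piped to Get-ADPermission as -Ace, filtered to ACEs that are not inherited and have ExtendedRights set. Filtering out inherited ACEs assumes that the table documents only the ACEs set on the connector object itself.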
SMTP Send Connector Creation
The following table shows the permissions set when you create Send connectors.
Distinguished name of the object: CN=<Connector Name>,CN=Connections,CN=<routing group>,CN=Routing Groups, CN=<admin group>,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Organization Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Organization Headers | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Forest Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Forest Headers | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send XShadow | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send XShadow | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-10 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for partner servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for externally secured servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-24 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for Legacy Exchange servers. |
NT AUTHORITY\ANONYMOUS LOGON | Allow ACE | All | Send Routing Headers | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Exch50 | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Exch50 | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Send Exch50 | | This is the well-known SID for externally secured servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-24 | Allow ACE | All | Send Exch50 | | This is the well-known SID for Legacy Exchange servers. |