Permissions Granted During Exchange Setup
Each permissions table begins with the distinguished name of the object it applies to. Then, the table lists when the right is applied: for example, during the ForestPrep phase while installing a server.
In some cases, the access control list (ACL) is not applied on the usual property (ntSecurityDescriptor), but on some other property—for example, "msExchMailboxSecurityDescriptor". The directory service cannot enforce security that is not specified in the Microsoft® Windows® NT security descriptor; in most cases, these ACLs will be replicated to store ACLs on appropriate objects by the store service. There is, unfortunately, no tool for viewing these ACLs as anything other than raw binary data.
The columns of a permissions table are as follows:
- Account: The security principal that is granted or denied the permission.
- A: Checked if this is an allow access control entry (ACE).
- D: Checked if this is a deny ACE. Allow and Deny are mutually exclusive.
- I: Checked if this ACE inherits to child objects.
- Right: The access right that the ACE allows or denies.
- On Property/Applies To: In some cases, the permission applies only to a given property, property set, or object class. If so, that is specified here.
- Comments: The reason this permission is required, or other information about the permission.
The permissions that are removed by Microsoft Exchange Server 2003 Setup are indicated by a double strike-through font (for example, ~~double strike-through~~). These are permissions that were set in Exchange 2000 Server, but they have since been deprecated from the security model.
The permissions are generally listed in the table by the names used on the ADSIEdit Security property page, in the Advanced view, on the View/Edit tab. The ADSIEdit Security property page lists a much more condensed view of the rights. The LDP tool (Ldp.exe) displays the access mask directly, as a numerical value. The setup code refers to the rights by predefined constants.
The following table summarizes the relationships between these values.
Relationships between values
| ADSIEdit Summary page | ADSIEdit Advanced page, View/Edit tab | #define | Binary value ("Mask" in LDP) |
|---|---|---|---|
| Full Control | Full Control | WRITE_OWNER \| WRITE_DAC \| READ_CONTROL \| DELETE \| ACTRL_DS_CONTROL_ACCESS \| ACTRL_DS_LIST_OBJECT \| ACTRL_DS_DELETE_TREE \| ACTRL_DS_WRITE_PROP \| ACTRL_DS_READ_PROP \| ACTRL_DS_SELF \| ACTRL_DS_LIST \| ACTRL_DS_DELETE_CHILD \| ACTRL_DS_CREATE_CHILD | 0x000F01FF |
| Read | List Contents + Read All Properties + Read Permissions | ACTRL_DS_LIST \| ACTRL_DS_READ_PROP \| READ_CONTROL | 0x00020014 |
| Write | Write All Properties + All Validated Writes | ACTRL_DS_WRITE_PROP \| ACTRL_DS_SELF | 0x00000028 |
| | List Contents | ACTRL_DS_LIST | 0x00000004 |
| | Read All Properties | ACTRL_DS_READ_PROP | 0x00000010 |
| | Write All Properties | ACTRL_DS_WRITE_PROP | 0x00000020 |
| | Delete | DELETE | 0x00010000 |
| | Delete Subtree | ACTRL_DS_DELETE_TREE | 0x00000040 |
| | Read Permissions | READ_CONTROL | 0x00020000 |
| | Modify Permissions | WRITE_DAC | 0x00040000 |
| | Modify Owner | WRITE_OWNER | 0x00080000 |
| | All Validated Writes | ACTRL_DS_SELF | 0x00000008 |
| | All Extended Rights | ACTRL_DS_CONTROL_ACCESS | 0x00000100 |
| Create All Child Objects | Create All Child Objects | ACTRL_DS_CREATE_CHILD | 0x00000001 |
| Delete All Child Objects | Delete All Child Objects | ACTRL_DS_DELETE_CHILD | 0x00000002 |
| | | ACTRL_DS_LIST_OBJECT | 0x00000080 |
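The following Python snippet is an added example (not part of the original Exchange documentation) that works the mapping in the table above in both directions: it decodes a raw access mask as LDP displays it into the #define names and the ADSIEdit labels, reports any bits the table does not cover, and checks which Summary-page rights a mask fully satisfies. The bit values and labels are exactly those of the table; the helper names are the example's own.

```python
# Decode Active Directory access masks (the "Mask" value shown in LDP) into
# the #define names and ADSIEdit labels listed in the table on this page.
# Added example; bit values and labels are copied from the table.

ACCESS_RIGHTS = {  # #define name -> (bit value, ADSIEdit Advanced-page label)
    "ACTRL_DS_CREATE_CHILD":   (0x00000001, "Create All Child Objects"),
    "ACTRL_DS_DELETE_CHILD":   (0x00000002, "Delete All Child Objects"),
    "ACTRL_DS_LIST":           (0x00000004, "List Contents"),
    "ACTRL_DS_SELF":           (0x00000008, "All Validated Writes"),
    "ACTRL_DS_READ_PROP":      (0x00000010, "Read All Properties"),
    "ACTRL_DS_WRITE_PROP":     (0x00000020, "Write All Properties"),
    "ACTRL_DS_DELETE_TREE":    (0x00000040, "Delete Subtree"),
    "ACTRL_DS_LIST_OBJECT":    (0x00000080, None),  # no ADSIEdit label in the table
    "ACTRL_DS_CONTROL_ACCESS": (0x00000100, "All Extended Rights"),
    "DELETE":                  (0x00010000, "Delete"),
    "READ_CONTROL":            (0x00020000, "Read Permissions"),
    "WRITE_DAC":               (0x00040000, "Modify Permissions"),
    "WRITE_OWNER":             (0x00080000, "Modify Owner"),
}

# ADSIEdit Summary-page rights are combinations of the bits above.
SUMMARY = {"Full Control": 0x000F01FF, "Read": 0x00020014, "Write": 0x00000028}

def mask_from_names(*names):
    """OR together the bit values of the given #define names."""
    mask = 0
    for name in names:
        mask |= ACCESS_RIGHTS[name][0]
    return mask

def decode_mask(mask):
    """Return (#define names set in mask, leftover bits the table does not cover).
    Leftover bits (for example generic rights) mean the ACE grants more than
    the table can name and deserves a closer look."""
    names = [n for n, (bit, _) in ACCESS_RIGHTS.items() if mask & bit]
    covered = mask_from_names(*ACCESS_RIGHTS)
    return names, mask & ~covered

def advanced_labels(mask):
    """ADSIEdit Advanced-page (View/Edit tab) check boxes the mask would show."""
    return [lbl for _, (bit, lbl) in ACCESS_RIGHTS.items() if mask & bit and lbl]

def summary_labels(mask):
    """ADSIEdit Summary-page rights that the mask fully satisfies."""
    return [lbl for lbl, bits in SUMMARY.items() if mask & bits == bits]
```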
Extended rights are custom rights specified by individual applications. They are specified in the ACL, but they are meaningless to the directory service; the particular application enforces any extended rights. Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."