שתף באמצעות


Exchange 2007 Server Setup Permissions Reference

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic describes the permissions that are required to set up a Microsoft Exchange Server 2007 organization.

In some cases, the access control list (ACL) is not applied on the usual property, ntSecurityDescriptor, but on anther property, such as msExchMailboxSecurityDescriptor. The directory service cannot enforce security that is not specified in the Microsoft Windows security descriptor. In most cases, these ACLs are replicated to store ACLs on appropriate objects by the store service. Unfortunately, there is no tool to view these ACLs as anything other than raw binary data.

The columns of each permissions table include the following information:

  • Account   The security principal granted or denied the permissions.

  • ACE type   Access control entry (ACE) type

    • Allow ACE

    • Deny ACE

  • Inheritance   The type of inheritance used for child objects.

    • All indicates that the permissions apply to the object and all sub-objects.

    • Desc indicates the permissions apply to the object class listed in the On Property/Applies Torow.

    • None indicates those permissions only apply the object.

  • Permissions   The permissions granted to the account.

  • On Property/Applies To   In some cases, permissions apply only to a given property, property set, or object class. These limited permissions are specified here.

    • Names in italic indicate the attribute or attributes to which a Read Property or Write Property applies.

    • Names in plain text indicate the object class or classes to which an ACE is inherited.

    • Names in bold indicate the class name to which Create Child or Delete Child permissions apply.

  • Comments   When applicable, this column explains why the permissions are required or provides other information about the permissions.

The permissions are generally listed in the table by the names that are used on the Active Directory Service Interfaces (ADSI) Edit (AdsiEdit.msc) Security property page in the Advanced view on the View/Edit tab. The ADSI Edit Security property page lists a much more condensed view of the permissions. The LDP tool (Ldp.exe) displays the access mask directly as a numeric value. The setup code refers to the permissions by predefined constants.

The following table shows the relationships between these values.

ADSI Edit Summary page ADSI Edit Advanced view, View/Edit tab ACL entries applied to a given object Binary value (access mask in LDP)

Full Control

Full Control

WRITE_OWNER | WRITE_DAC | READ_CONTROL | DELETE | ACTRL_DS_CONTROL_ACCESS | ACTRL_DS_LIST_OBJECT | ACTRL_DS_DELETE_TREE | ACTRL_DS_WRITE_PROP | ACTRL_DS_READ_PROP | ACTRL_DS_SELF | ACTRL_DS_LIST | ACTRL_DS_DELETE_CHILD | ACTRL_DS_CREATE_CHILD

0x000F01FF

Read

List Contents + List Object + Read All Properties + Read Permissions

ACTRL_DS_LIST | ACTRL_DS_READ_PROP | READ_CONTROL

0x00020014

Write

Write All Properties + All Validated Writes

ACTRL_DS_WRITE_PROP | ACTRL_DS_SELF

0x00000028

 

List Contents

ACTRL_DS_LIST

0x00000004

 

Read All Properties

ACTRL_DS_READ_PROP

0x00000010

 

Write All Properties

ACTRL_DS_WRITE_PROP

0x00000020

 

Delete

DELETE

0x00010000

 

Delete Subtree

ACTRL_DS_DELETE_TREE

0x00000040

 

Read Permissions

READ_CONTROL

0x00020000

 

Modify Permissions

WRITE_DAC

0x00040000

 

Modify Owner

WRITE_OWNER

0x00080000

 

All Validated Writes

ACTRL_DS_SELF

0x00000008

 

All Extended Rights

ACTRL_DS_CONTROL_ACCESS

0x00000100

Create All Child Objects

Create All Child Objects

ACTRL_DS_CREATE_CHILD

0x00000001

Delete All Child Objects

Delete All Child Objects

ACTRL_DS_DELETE_CHILD

0x00000002

 

 

ACTRL_DS_LIST_OBJECT

0x00000080

Extended rights are custom rights specified by individual applications. They are specified in the ACL. However, they are meaningless to the Active Directory directory service. The particular application enforces any extended rights. Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."

Note

For information about permissions that are set during a Microsoft Exchange Server 2003 installation, see Working with Active Directory Permissions in Exchange Server 2003.

Prepare Legacy Exchange Permissions

The permissions tables in this section show what permissions are set when you execute the setup /PrepareLegacyExchangePermissions command.

Distinguished name of the object: DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Enterprise Servers

Allow ACE

All

Write Property

Exchange Information

 

Authenticated Users

Allow ACE

All

Read Property

Exchange Information

 

Distinguished name of the object: CN=AdminSDHolder,CN=System,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Enterprise Servers

Allow ACE

All

Read Property

Write Property

Exchange Information

 

Distinguished name of the object: CN=<organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Domain Servers

Allow ACE

All

Write Property

Exchange Information

 

Prepare Active Directory Permissions

The permissions tables in this section show the permissions that are set when you execute the Setup /PrepareAD command.

Microsoft Exchange Container Permissions

The following table shows the permissions that are set on the Microsoft Exchange container within the configuration partition.

Distinguished name of the object: CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Installation Account

Allow ACE

All

Full Control

 

This is the account that is used to run /PrepareAD

Exchange Servers

Allow ACE

All

Read

 

 

Authenticated Users

Allow ACE

None

Read Property

List Contents

 

 

Exchange Organization Administrators

Allow ACE

All

Full Control

 

 

Microsoft Exchange Organization Container Permissions

The permissions tables in this section show the permissions that are set on the Microsoft Exchange Organization and sub-containers within the configuration partition.

Distinguished name of the object: CN=<organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Enterprise Administrator

Root Domain Administrator

Installation Account

Deny ACE

All

Send As

Receive As

 

Windows administrators are not allowed to open mailboxes.

Enterprise Administrator

Root Domain Administrator

Installation Account

Deny ACE

All

Store Transport Access

Store Constrained Delegation

Store Read Access

Store Read Write Access

Exchange Web Services Impersonation

Exchange Web Services Token Serialization

 

Extended right

Exchange Servers

Deny ACE

All

Store Transport Access

Store Constrained Delegation

Store Read Only Access

Store Read and Write Access

 

Extended right

Authenticated Users

Deny ACE

Desc

Read Property

msExchAvailabilityUserPassword / msExchAvailabilityAddressSpace

 

Authenticated Users

Allow ACE

None

Read Property

List Object

 

 

Everyone and Anonymous

Allow ACE

All

Create Public Folder

 

Extended right

Everyone and Anonymous

Allow ACE

All

Create named properties in the information store

 

Extended right

Everyone and Anonymous

Allow ACE

All

Read

msExchPrivateMDB

 

Everyone and Anonymous

Allow ACE

All

Read

msExchPublicMDB

 

Exchange Servers

Allow ACE

All

All Extended rights

 

 

Exchange Servers

Allow ACE

All

Write Property

groupT

 

Exchange Servers

Allow ACE

All

Write Property

msExchMailboxSecurityDescriptor

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMServerWritableFlags

 

Exchange Servers

Allow ACE

All

Write Property

msExchDatabaseCreated

 

Exchange Servers

Allow ACE

All

Write Property

Public Information

 

Exchange Servers

Allow ACE

All

Write Property

msExchUserCulture

 

Exchange Servers

Allow ACE

All

Write Property

siteFolderGUID

 

Exchange Servers

Allow ACE

All

Write Property

msExchMobileMailboxFlags

 

Exchange Servers

Allow ACE

All

Write Property

siteFolderServer

 

Exchange Servers

Allow ACE

All

Write Property

msExchEDBOffline

 

Exchange Servers

Allow ACE

All

Write Property

userCertificate

 

Exchange Servers

Allow ACE

All

Write Property

Exchange Personal Information

 

Exchange Servers

Allow ACE

All

Write Property

Exchange Information

 

Exchange Servers

Allow ACE

All

Write Property

msExchPatchMDB

 

Exchange Servers

Allow ACE

All

Write Property

publicDelegates

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMSpokenName

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMPinChecksum

 

Exchange Servers

Allow ACE

Desc

Read

siteAddressing

 

Schema Administrators

Deny ACE

All

Exchange Web Services Impersonation

Exchange Web Services Token Serialization

 

Extended right

Exchange Organization Administrators

Deny ACE

All

Send As

Receive As

 

Exchange administrators are not allowed to open mailboxes.

Exchange Organization Administrators

Deny ACE

All

Exchange Web Services Impersonation

Exchange Web Services Token Serialization

 

Extended right

Exchange View-Only Administrators

Allow ACE

All

View information store status

 

Extended right

Exchange Public Folder Administrators

Allow ACE

All

Read

 

 

Exchange Public Folder Administrators

Allow ACE

All

Create top level public folder

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

View information store status

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Administer information store

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Create named properties in the information store

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Modify public folder ACL

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Modify public folder quotas

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Modify public folder admin ACL

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Modify public folder expiry

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Modify public folder replica list

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Modify public folder deleted item retention period

 

Extended Right

Exchange Public Folder Administrators

Allow ACE

All

Create public folder

 

Extended Right

Distinguished name of the object: CN=Address Lists Container,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

List Contents

 

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

 

Exchange Public Folder Administrators

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

Distinguished name of the object: CN=Offline Address Lists,CN=Address Lists Container, CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Download Offline Address Book

 

 

Distinguished name of the object: CN=Recipient Update Services,CN=Address Lists Container, CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

All

Full Control

 

 

Distinguished name of the object: CN=Addressing,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated users

Allow ACE

All

Read

 

 

Distinguished name of the object: CN=Recipient Policies,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Recipient Administrators

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

 

Exchange Public Folder Administrators

Allow ACE

All

Write Property

msExchLastAppliedRecipientFilter

msExchRecipientFilterFlags

Distinguished name of the object: CN=Message Classifications,CN=Transport Settings, CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

List Contents

 

 

Distinguished name of the object: CN=ExACPrivileged,CN=<language>,CN=Message Classifications,CN=Transport Settings, CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Read

 

 

Distinguished name of the object: CN=ExCompanyConfidential,CN=<language>,CN=Message Classifications,CN=Transport Settings, CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Read

 

 

Distinguished name of the object: CN=ExCompanyInternal,CN=<language>,CN=Message Classifications,CN=Transport Settings, CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Read

 

 

Configuration Partition Container Permissions

The permissions tables in this section show the permissions that are set by the Setup /PrepareAD command on various containers within the configuration partition.

Distinguished name of the object: CN=Sites,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Organization Administrators

Allow ACE

All

Write Property

msExchTransportSiteFlags / site

 

Exchange Organization Administrators

Allow ACE

All

Write Property

msExchCost / siteLink

 

Distinguished name of the object: CN=Deleted Objects,CN=Configuration,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

All

List Contents

 

 

Exchange Organization Administrators

Allow ACE

All

Read

Write Permission

 

 

Exchange Administrative Group Permissions

The Setup /PrepareAD command also configures the following permissions on the administrative groups within the organization.

Distinguished name of the object: CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Recipient Administrators

Allow ACE

Desc

Access Recipient Update Service

msExchExchangeServer

Allows Exchange Recipient Administrators to stamp recipients with proxy address information.

SYSTEM

Allow ACE

Desc

Access Recipient Update Service

msExchExchangeServer

Allows the servers to stamp recipients with proxy address information.

Exchange Public Folder Administrators

Allow ACE

Desc

Access Recipient Update Service

msExchExchangeServer

Allows Exchange Public Folder Administrators to stamp recipients with proxy address information.

Distinguished name of the object: CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Deny ACE

All

Receive As

 

Exchange Servers are not allowed to open mailboxes.

Authenticated Users

Allow ACE

None

List Contents

 

 

Distinguished name of the object: CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

None

List Contents

 

 

Distinguished name of the object: CN=Encryption,CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

None

Read Property

 

 

Microsoft Exchange Security Groups Container Permissions

The permissions tables in this section show the permissions that are set on the Microsoft Exchange Security Groups container within the root domain partition.

Distinguished name of the object: OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Trusted Subsystem

Allow ACE

All

Full Control

 

The Exchange 2007 SP2 Setup program creates this group and adds it to the local Administrators group. Exchange Trusted Subsystem is a highly privileged, universal security group that has read and write access to every Exchange-related object in the organization. For more information, see How to Install the Latest Service Pack or Update Rollup for Exchange 2007.

Exchange Organization Administrators

Allow ACE

All

Full Control

 

 

Distinguished name of the object: CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Organization Administrators

Allow ACE

All

Full Control

 

 

Distinguished name of the object: CN=Exchange Recipient Administrators,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Organization Administrators

Allow ACE

All

Full Control

 

 

Distinguished name of the object: CN=Exchange View-Only Administrators,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Organization Administrators

Allow ACE

All

Full Control

 

 

Distinguished name of the object: CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Organization Administrators

Allow ACE

All

Full Control

 

 

Distinguished name of the object: CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=<root domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Organization Administrators

Allow ACE

All

Full Control

 

 

Root Domain Administrators

Allow ACE

All

Read Members

Write Members

 

 

Child Domain Administrators

Allow ACE

All

Read Members

Write Members

 

 

Prepare Domain

The following tables show the permissions that are set when you run the Setup /PrepareDomain command.

Distinguished name of the object: DC=<domain> and CN=AdminSDHolder,CN=System,CN=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Read Property

Exchange Information

 

Exchange Servers

Allow ACE

All

Read Property

Exchange Personal Information

 

Exchange Servers

Allow ACE

All

Read Property

Exchange Information

 

Exchange Servers

Allow ACE

All

Write Property

groupType

 

Exchange Servers

Allow ACE

All

Write Property

publicDelegates

 

Exchange Servers

Allow ACE

All

Write Property

userCertificate

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMPinChecksum

 

Exchange Servers

Allow ACE

All

Write Property

msExchMobileMailboxFlags

 

Exchange Servers

Allow ACE

All

Write Property

msExchMailboxSecurityDescriptor

 

Exchange Servers

Allow ACE

All

Write Property

msExchUserCulture

 

Exchange Servers

Allow ACE

All

Write Property

msExchUMServerWriteableFlags

 

Exchange Servers

Allow ACE

All

Read Property

garbageCollPeriod

 

Exchange Servers

Allow ACE

All

Read Property

userAccountControl

 

Exchange Servers

Allow ACE

All

Read Property

canonicalName

 

Exchange Servers

Allow ACE

All

Read Property

memberOf

 

Exchange Servers

Allow ACE

Desc

Modify Permissions

group

This permission was removed in Microsoft Exchange Server 2007 SP1 Setup /PrepareDomain. If you have already installed Microsoft Exchange Server 2007, you will have this right even after Exchange 2007 SP1 deployment. 

Exchange Servers

Allow ACE

All

Change Password

 

Extended right

Exchange Recipient Administrators

Allow ACE

All

Read

 

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

Exchange Information

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

Exchange Personal Information

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

legacyExchangeDN

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

displayName

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

adminDisplayName

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

displayNamePrintable

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

publicDelegates

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

garbageCollPeriod

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

textEncodedORAddress

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

showInAddressBook

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

proxyAddresses

 

Exchange Recipient Administrators

Allow ACE

All

Write Property

mail

 

Exchange Recipient Administrators

Allow ACE

All

Create Child

Delete Child

msExchDynamicDistributionList

 

Exchange Recipient Administrators

Allow ACE

Desc

Full Control

msExchDynamicDistributionList

 

Distinguished name of the object: CN=Microsoft Exchange System Objects,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

All

Read

Delete Tree

 

 

Exchange Servers

Deny ACE

All

Delete Tree

 

Exchange 2003 RUS will remove Read ACEs from the Microsoft Exchange System Objects (MESO) container

Exchange Servers

Allow ACE

All

Create Child

Delete Child

publicFolder

 

Exchange Servers

Allow ACE

Desc

Write Property

publicFolder

 

Exchange Servers

Allow ACE

All

Create Child

msExchSystemMailbox

 

Exchange Servers

Allow ACE

Desc

Write Property

msExchSystemMailbox

 

Exchange Organization Administrators

Allow ACE

All

Delete Child

msExchSystemMailbox

 

Authenticated Users

Allow ACE

All

Read Permissions

 

 

Authenticated Users

Allow ACE

All

Read

 

 

Authenticated Users

Allow ACE

All

Read Property

garbageCollPeriod

adminDisplayName

modifyTimeStamp

 

Exchange Public Folder Administrators

Allow ACE

All

Read Property

Write Property

Exchange-Information / publicFolder

Exchange-Personal-Information / publicFolder

legacyExchangeDN / publicFolder

displayName / publicFolder

displayNamePrintable / publicFolder

publicDelegates / publicFolder

garbageCollPeriod / publicFolder

textEncodedORAddress / publicFolder

showInAddressBook / publicFolder

proxyAddresses / publicFolder

mail / publicFolder

pFContacts / publicFolder

msDS-PhoneticDisplayName / publicFolder

cn / publicFolder

name / publicFolder

Allows Exchange Public Folder Administrator role to manage mail-related properties of mail-enabled public folder proxy objects.

Exchange Public Folder Administrators

Allow ACE

All

Read Property

Server Installation

During installation of the Hub Transport, Unified Messaging, Mailbox, and Client Access server roles, Setup adds the Exchange Organization Administrators security group to the administrator security group on the local computer so that members of the Administrator role group named Exchange Organization Administrators can manage the server.

The following permissions table shows the permissions that are set when you install the Hub Transport, Unified Messaging, Mailbox, or Client Access server roles on a nonclustered computer.

Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

MACHINE$

Allow ACE

All

Read

 

  

MACHINE$

Allow ACE

None

Write Property

msExchServerSite

msExchEdgeSyncCredential

 

Exchange Servers

Allow ACE

All

Store Transport Access

Store Constrained Delegation

Store Read Only Access

Store Read and Write Access

 

Extended right

Authenticated Users

Allow ACE

None

Read Properties

 

ACE is defined in schema for msExchExchangeServer class objects defaultSecurityDescriptor

Clustered Mailbox Server Installation

If you install a clustered mailbox server, the permissions that are listed in the following permissions table are set instead.

Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

CLUSTEREDNODE$

Allow ACE

All

Read

 

The first nodes installed have this permission.

CLUSTEREDNODE$

Allow ACE

All

Full Control

 

All nodes installed later in the Exchange cluster have this permission.

CLUSTEREDNODE$

Allow ACE

None

Write Property

msExchServerSite

msExchEdgeSyncCredential

 

Exchange Servers

Allow ACE

All

Store Transport Access

Store Constrained Delegation

Store Read Only Access

Store Read and Write Access

 

Extended right

Authenticated Users

Allow ACE

None

Read Properties

 

ACE is defined in schema for msExchExchangeServer class objects defaultSecurityDescriptor

Clustered Mailbox Server Computer Account

If you install a clustered mailbox server, the permissions in the following permissions table are set on the clustered mailbox server computer account within the domain partition.

Distinguished name of the object: CN=<server>,CN=Computers,DC=<domain> or CN=<server>,OU=<organizational unit>,DC=<domain>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Cluster Service Account

Allow ACE

None

Read

Control Access

 

 

Cluster Service Account

Allow ACE

None

Write Property

Logon Information

 

Cluster Service Account

Allow ACE

None

Write Property

Description

 

Cluster Service Account

Allow ACE

None

Write Property

sAMAccountName

 

Cluster Service Account

Allow ACE

None

Write Property

Account Restrictions

 

Cluster Service Account

Allow ACE

None

Validated write to DNS host name

 

 

Cluster Service Account

Allow ACE

None

Validated write to service principal name

 

 

Edge Transport

If you install an Edge Transport server and establish an Edge Subscription with the Exchange organization, the permissions in the following permissions table are set when the Edge Transport server is instantiated into the organization.

Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

All

Write Property

 

 

Authenticated Users

Allow ACE

None

Read Properties

 

ACE is defined in schema for msExchExchangeServer class objects defaultSecurityDescriptor

Client Access Server Installation

During installation of the first Client Access server, the following container is created. The following permissions table shows the permissions that are applied.

Distinguished name of the object: CN=Availability Configuration,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

Desc

Read Property

msExchAvailabilityUserPassword / msExchAvailabilityAddressSpaceObjects

Extended right

Hub Transport Server Installation

During installation of each Hub transport server, the following permissions are set.

Distinguished name of the object: CN=Default <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

ExchangeLegacyInterop

Deny ACE

All

Accept Forest Headers

 

 

ExchangeLegacyInterop

Deny ACE

All

Accept Organization Headers

 

 

Exchange Servers

Allow ACE

All

Accept Any Sender

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Any Sender

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Any Sender

 

This is the well known security identifier (SID) for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Any Sender

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Any Sender

 

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept EXCH50

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept EXCH50

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept EXCH50

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept EXCH50

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept EXCH50

 

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Submit Messages to any Recipient

 

 

ExchangeLegacyInterop

Allow ACE

All

Submit Messages to any Recipient

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Submit Messages to any Recipient

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Submit Messages to any Recipient

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Submit Messages to any Recipient

  

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Routing Headers

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Routing Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Routing Headers

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Routing Headers

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Routing Headers

 

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Forest Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Forest Headers

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Forest Headers

  

This is the well known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Accept Authentication Flag

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Authentication Flag

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Authentication Flag

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Authentication Flag

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Authentication Flag

 

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Bypass Anti-Spam

 

 

ExchangeLegacyInterop

Allow ACE

All

Bypass Anti-Spam

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Bypass Anti-Spam

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Bypass Anti-Spam

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Bypass Anti-Spam

 

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Bypass Message Size Limit

 

 

ExchangeLegacyInterop

Allow ACE

All

Bypass Message Size Limit

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Bypass Message Size Limit

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Bypass Message Size Limit

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Bypass Message Size Limit

 

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Organization Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Organization Headers

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Organization Headers

This is the well known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Submit Messages to Server

 

 

ExchangeLegacyInterop

Allow ACE

All

Submit Messages to Server

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Submit Messages to Server

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Submit Messages to Server

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Submit Messages to Server

 

This is the well known SID for externally secured servers.

Exchange Servers

Allow ACE

All

Accept Authoritative Domain Sender

 

 

ExchangeLegacyInterop

Allow ACE

All

Accept Authoritative Domain Sender

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Accept Authoritative Domain Sender

 

This is the well known SID for externally secured servers.

Authenticated Users

Allow ACE

All

Submit Messages to any Recipient

 

 

Authenticated Users

Allow ACE

All

Accept Routing Headers

 

 

Authenticated Users

Allow ACE

All

Bypass Anti-Spam

 

 

Authenticated Users

Allow ACE

All

Submit Messages to Server

 

 

Distinguished name of the object: CN=Client <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Authenticated Users

Allow ACE

All

Submit Messages to any Recipient

 

 

Authenticated Users

Allow ACE

All

Accept Routing Headers

 

 

Authenticated Users

Allow ACE

All

Bypass Anti-Spam

 

 

Authenticated Users

Allow ACE

All

Submit Messages to Server

 

 

SMTP Send Connector Creation

The following table shows the permissions that are set when you create Send connectors.

Distinguished name of the object: CN=<Connector Name>,CN=Connections,CN=<routing group>,CN=Routing Groups, CN=<admin group>,CN=<organization>

Account ACE type Inheritance Permissions On property/ Applies to Comments

Exchange Servers

Allow ACE

All

Send Organization Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Organization Headers

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Organization Headers

 

This is the well known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send Forest Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Forest Headers

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Forest Headers

 

This is the well known SID for Edge Transport servers.

Exchange Servers

Allow ACE

All

Send Routing Headers

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-10

Allow ACE

All

Send Routing Headers

 

This is the well known SID for partner servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Routing Headers

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Routing Headers

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Send Routing Headers

 

This is the well known SID for externally secured servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-24

Allow ACE

All

Send Routing Headers

 

This is the well known SID for Legacy Exchange servers.

ANONYMOUS LOGON

Allow ACE

All

Send Routing Headers

 

 

Exchange Servers

Allow ACE

All

Send Exch50

 

 

S-1-9-1419165041-1139599005-3936102811-1022490595-21

Allow ACE

All

Send Exch50

 

This is the well known SID for Hub Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-22

Allow ACE

All

Send Exch50

 

This is the well known SID for Edge Transport servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-23

Allow ACE

All

Send Exch50

 

This is the well known SID for externally secured servers.

S-1-9-1419165041-1139599005-3936102811-1022490595-24

Allow ACE

All

Send Exch50

 

This is the well known SID for Legacy Exchange servers.