Permissions on Objects in the Exchange Configuration Tree | Secure Messaging with Microsoft Exchange Server 2000

Permissions listed in this section are applied to objects contained in the Exchange configuration container or its children. The configuration container’s AD path is cn=Microsoft Exchange, cn=Services, cn=Configuration, dc=domain.

Table B-1: Permissions granted to objects in the Microsoft Exchange container
Account	Allow	Deny	Inherit	Right	On Property
During ForestPrep phase
Authenticated Users				ACTRL_DS_LIST \| ACTRL_DS_READ_PROP
Designated admin account				DS_AM_FULL_CONTROL
During server install
Exchange Domain Servers				STANDARD_RIGHTS_READ \| ACTRL_DS_READ_PROP \| ACTRL_DS_LIST
During ADC setup
Exchange Services				DS_AM_FULL_CONTROL

Table B-2: Permissions granted on the ADC Connection Agreement container
Account	Allow	Deny	Inherit	Right	On Property
During server install
Exchange Domain Servers				DS_AM_FULL_CONTROL

Table B-3: Permissions granted on the Organization container
Account	Right	On Property/ Applies To
During ForestPrep phase
Authenticated Users	ACTRL_DS_LIST_OBJECT \| ACTRL_DS_READ_PROP
Designated admin account	Send-As
Designated admin account	Receive-As
During server install
“Enterprise Admins”	Send-As
“Enterprise Admins”	Receive-As
“Domain Admins” of root domain	Send-As
“Domain Admins” of root domain	Receive-As
Everyone	ms-Exch-Create-Top-Level- Public-Folder
Everyone	ms-Exch-Create-Public- Folder
Everyone	ms-Exch-Store-Create- Named-Properties
Everyone	STANDARD_RIGHTS_READ \| ACTRL_DS_READ_PROP \| ACTRL_DS_LIST \| ACTRL_LIST_OBJECT	Applies to object class: msExchPrivateMDB
Everyone	STANDARD_RIGHTS_READ \| ACTRL_DS_READ_PROP \| ACTRL_DS_LIST \| ACTRL_LIST_OBJECT	Applies to object class: msExchPublicMDB
Everyone	STANDARD_RIGHTS_READ \| ACTRL_DS_READ_PROP \| ACTRL_DS_LIST \| ACTRL_LIST_OBJECT	Applies to object class: mTA
Exchange Domain Servers	DS_AM_CONTROL_ACCESS (i.e., all extended rights)
Exchange Domain Servers	ACTRL_DS_CREATE_CHILD
Exchange Domain Servers	ACTRL_DS_WRITE_PROP	Public- Information (property set)
Exchange Domain Servers	ACTRL_DS_WRITE_PROP	Personal- Information (property set)
Exchange Domain Servers	DS_AM_FULL_CONTROL	Applies to object class: siteAddressing
When enabling an SRS (ACE is removed when SRS is disabled)
MACHINE$	ACTRL_DS_LIST_OBJECT \| ACTRL_DS_CREATE_CHILD\| ACTRL_DS_DELETE_CHILD

Table B-4: Permissions granted on the Address Lists container
Account	Allow	Deny	Inherit	Right	On Property
During server install
Authenticated Users				ACTRL_DS_LIST

Table B-5: Permissions granted on the Addressing container
Account	Allow	Deny	Inherit	Right	On Property
During server install
Authenticated Users				STANDARD_RIGHTS_READ \| ACTRL_DS_READ_PROP \| ACTRL_DS_LIST

Table B-6: Permissions set on the Recipient Update Services container
Account	Allow	Deny	Inherit	Right	On Property
During server install
Exchange Domain Servers				DS_AM_FULL_CONTROL

Table B-7: Permissions set on individual administrative groups within the Administrative Groups container
Account	Allow	Deny	Inherit	Right	On Property
During server install (set on attribute msExchPFDefaultAdminACL)
Authenticated Users				Ms-Exch-Create-Public- Folder

Table B-8: Permissions set on the default top-level public folder hierarchy
Account	Allow	Deny	Inherit	Right	On Property
During server install (set on attribute msExchPFDefaultAdminACL)
Authenticated Users				Ms-Exch-Create-Public-Folder

Table B-9: Permissions set on the CA container
Account	Allow	Deny	Inherit	Right	On Property
During KMS install
MACHINE$				DS_AM_FULL_CONTROL
Authenticated Users				STANDARD_RIGHTS_READ \| ACTRL_DS_READ_PROP

Table B-10: Permissions set on the Connections container within each routing group
Account	Allow	Deny	Inherit	Right	On Property
During server install
Exchange Domain Servers				DS_AM_FULL_CONTROL