In these tables, I've listed the rights by the names used on the ADSIEdit Security property page, under the Advanced view, on the View/Edit tab. The ADSIEdit Security property page lists a much more condensed view of the rights. The LDP tool displays the access control list (ACL) as a numerical value that you can interpret by referring to Table B-1. The setup code refers to the rights by predefined constants, which I've included because they're often referred to in other documents. Extended rights are custom rights specified by Exchange and other applications; they have no meaning to Microsoft Windows, but are stored and persisted just like other ACEs. It's up to each application to enforce extended rights based on the ACE contents it finds. Examples of Exchange extended rights are Create Public Folder and Create Named Properties in the Information Store.
| ADSIEdit Summary Page | ADSIEdit Advanced Page | Individual Rights | Mask Value in LDP |
|---|---|---|---|
| Full Control | Full Control | WRITE_OWNER WRITE_DAC READ_CONTROL DELETE ACTRL_DS_CONTROL_ACCESS ACTRL_DS_LIST_OBJECT ACTRL_DS_DELETE_TREE ACTRL_DS_WRITE_PROP ACTRL_DS_READ_PROP ACTRL_DS_SELF ACTRL_DS_LIST ACTRL_DS_DELETE_CHILD ACTRL_DS_CREATE_CHILD | 0x000F01FF |
| Read | List Contents plus Read All Properties plus Read Permissions | ACTRL_DS_LIST ACTRL_DS_READ_PROP READ_CONTROL | 0x00020014 |
| Write | Write All Properties plus All Validated Writes | ACTRL_DS_WRITE_PROP ACTRL_DS_SELF | 0x00000028 |
| | List Contents | ACTRL_DS_LIST | 0x00000004 |
| | Read All Properties | ACTRL_DS_READ_PROP | 0x00000010 |
| | Write All Properties | ACTRL_DS_WRITE_PROP | 0x00000020 |
| | Delete | DELETE | 0x00010000 |
| | Delete Subtree | ACTRL_DS_DELETE_TREE | 0x00000040 |
| | Read Permissions | READ_CONTROL | 0x00020000 |
| | Modify Permissions | WRITE_DAC | 0x00040000 |
| | Modify Owner | WRITE_OWNER | 0x00080000 |
| | All Validated Writes | ACTRL_DS_SELF | 0x00000008 |
| | All Extended Rights | ACTRL_DS_CONTROL_ACCESS | 0x00000100 |
| Create All Child Objects | Create All Child Objects | ACTRL_DS_CREATE_CHILD | 0x00000001 |
| Delete All Child Objects | Delete All Child Objects | ACTRL_DS_DELETE_CHILD | 0x00000002 |
| | | ACTRL_DS_LIST_OBJECT | 0x00000080 |
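
Interpreting an LDP mask value against Table B-1 amounts to splitting it into the table's individual bits. The Python below is an added example, not code from the book or from Exchange setup; it uses only the names and values in Table B-1, and the function names `decode_mask` and `describe` and the sample masks are constructed for illustration.

```python
# Rights and mask values copied from Table B-1 on this page.
RIGHTS = {
    "ACTRL_DS_CREATE_CHILD":   0x00000001,
    "ACTRL_DS_DELETE_CHILD":   0x00000002,
    "ACTRL_DS_LIST":           0x00000004,
    "ACTRL_DS_SELF":           0x00000008,
    "ACTRL_DS_READ_PROP":      0x00000010,
    "ACTRL_DS_WRITE_PROP":     0x00000020,
    "ACTRL_DS_DELETE_TREE":    0x00000040,
    "ACTRL_DS_LIST_OBJECT":    0x00000080,
    "ACTRL_DS_CONTROL_ACCESS": 0x00000100,
    "DELETE":                  0x00010000,
    "READ_CONTROL":            0x00020000,
    "WRITE_DAC":               0x00040000,
    "WRITE_OWNER":             0x00080000,
}
# Summary-page rights from the same table: each combines several bits above.
SUMMARY = {"Full Control": 0x000F01FF, "Read": 0x00020014, "Write": 0x00000028}


def decode_mask(value):
    """Split an ACE access mask (int or hex string) into Table B-1 rights.
    Returns (individual_rights, summary_rights, unknown_bits); unknown_bits
    holds set bits the table does not name, so nothing is silently dropped."""
    mask = int(value, 16) if isinstance(value, str) else int(value)
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("access mask must fit in 32 bits")
    rights = [name for name, bit in RIGHTS.items() if mask & bit]
    # A summary right applies only when every one of its bits is present.
    summary = [name for name, bits in SUMMARY.items() if mask & bits == bits]
    known = sum(RIGHTS.values())  # the bits are disjoint, so sum equals OR
    return rights, summary, mask & ~known


def describe(value):
    """Render a decoded mask as one line for an ACL review."""
    rights, summary, unknown = decode_mask(value)
    parts = [" | ".join(rights) or "(no rights)"]
    if summary:
        parts.append("covers: " + ", ".join(summary))
    if unknown:
        parts.append("bits not in Table B-1: 0x%08X" % unknown)
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample masks, not taken from a real directory.
    for sample in ("0x000F01FF", "0x00020094", "0x00060030", "0x80000100"):
        print(sample, "->", describe(sample))
```
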
Table B-2. Permissions set on the Microsoft Exchange container
Table B-3. Permissions set on the ADC Connection Agreement container
Table B-4. Permissions set on the Organization container
Table B-5. Permissions set on the Address Lists container
Table B-6. Permissions set on the Addressing container
Table B-7. Permissions set on the Recipient Update Services container
Table B-8. Permissions set on individual administrative groups within the Administrative Groups container
Table B-9. Permissions set on the default top-level public folder hierarchy
Table B-10. Permissions set on the Connections container within each routing group
Table B-11. Permissions set on the Servers container within each routing group
Table B-12. Permissions set on the Server object
Table B-13. Permissions set on the server-specific Protocols container
Table B-14. Permissions set on the System Attendant object
Table B-15. Permissions set on the MTA object
Table B-16. Permissions set on the Deleted Items container (cn=Deleted Items,cn=Configuration,dc=domain)
Table B-17. Permissions set on the Active Directory Connector object (cn=Active Directory Connector,cn=Exchange Settings,cn=server,cn=Servers,cn=site,cn=sites,cn=Configuration, )
Table B-18. Permissions set on the Domain container (dc=domain)
Table B-19. Permissions set on the domain proxy container (cn=Microsoft Exchange System Objects,dc=domain)
Table B-20. Permissions set on the Pre-Windows 2000 Compatible Access Group (cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=domain)
Table B-21. Permissions set on the Exchange Enterprise Servers group
Table B-22. Permissions set on the Exchange Domain Servers group
Table B-23. Permissions applied to installation directory
Table B-24. Permissions applied to mailroot directory
Table B-25. Permissions applied to Exchweb directory
Table B-26. Permissions applied to Exchweb\Bin directory
Table B-27. Permissions applied to Exchweb\Bin\Auth directory
Table B-28. Permissions applied to other Exchweb subdirectories