Permissions listed in this section are applied to objects contained in the Exchange configuration container or its children. The configuration container's Active Directory path is cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>.

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During forestprep | ||||
Authenticated Users | Allow | | List Contents, Read All Properties | |
Designated administrator accounts | Allow | | Full Control | |
During server installation | ||||
Exchange Domain Servers | Allow | Yes | Read Permissions, Read All Properties, List Contents | Allows Exchange servers to read configuration information from the configuration naming context |
During Active Directory Connector (ADC) installation | ||||
Exchange services | Allow | Yes | Full Control | Allow ADC servers to create and delete objects |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation | ||||
Exchange Domain Servers | Allow | Yes | Full Control | |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During forestprep | ||||
Authenticated Users | Allow | | Read All Properties, ACTRL_DS_LIST_OBJECT | |
Designated administrator account | Deny | Yes | Send As | Exchange administrators are not allowed to open users' mailboxes |
Designated administrator account | Deny | Yes | Receive As | Exchange administrators are not allowed to open mailboxes |
During server installation | ||||
Enterprise Admins | Deny | Yes | Send As | Windows administrators are not allowed to open mailboxes |
Enterprise Admins | Deny | Yes | Receive As | Windows administrators are not allowed to open mailboxes |
Domain Admins of root domain | Deny | Yes | Send As | Windows administrators are not allowed to open mailboxes |
Domain Admins of root domain | Deny | Yes | Receive As | Windows administrators are not allowed to open mailboxes |
Everyone | Allow | Yes | Create Top-Level Public Folder | |
Everyone | Allow | Yes | Create Public Folder | |
Everyone | Allow | Yes | Create Named Properties in the Information Store | |
Everyone | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB |
Everyone | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB |
Everyone | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: mTA |
ANONYMOUS LOGON | Allow | Yes | Create Top-Level Public Folder | |
ANONYMOUS LOGON | Allow | Yes | Create Public Folder | In Microsoft Windows Server 2003, Everyone no longer includes Anonymous Logon; this right must be explicitly granted |
ANONYMOUS LOGON | Allow | Yes | Create Named Properties in the Information Store | Applies to object class: msExchPrivateMDB |
ANONYMOUS LOGON | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB |
ANONYMOUS LOGON | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB |
ANONYMOUS LOGON | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: mTA |
Exchange Domain Servers | Allow | Yes | All Extended Rights | |
Exchange Domain Servers | Allow | Yes | Create All Child Objects | |
Exchange Domain Servers | Allow | Yes | Write Property | Property Set: Public Information |
Exchange Domain Servers | Allow | Yes | Write Property | Property Set: Personal Information. Required to maintain mail-enabled config objects (for example, the system attendant) |
Exchange Domain Servers | Allow | Yes | Full Control | |
When enabling Site Replication Service (SRS; ACE is removed when SRS is disabled) | ||||
MACHINE$ | Allow | Yes | Create All Child Objects, Delete All Child Objects, ACTRL_DS_LIST_OBJECT | SRS must be able to create and delete admin groups |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation | ||||
Authenticated Users | Allow | Yes | List Contents | |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation | ||||
Exchange Domain Servers | Allow | Yes | Full Control | |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation | ||||
Exchange Domain Servers | Allow | Yes | Full Control | |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation (set on attribute msExchPFDefaultAdminACL) | ||||
Authenticated Users | Allow | Yes | Create Public Folder | |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation (set on attribute msExchPFDefaultAdminACL) | ||||
Authenticated Users | Allow | Yes | Create Public Folder | |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation | ||||
Exchange Domain Servers | Allow | Yes | Full Control | |

Account | Allow/Deny | Inherit | Right | Notes |
---|---|---|---|---|
During server installation or Exchange Server 2003 forestprep | ||||
Exchange Domain Servers | Deny | Yes | Receive As | Servers never need to read mail in other servers' mail databases |
During server installation | ||||
Authenticated Users | Allow | | List Contents | |