Permissions on Objects in the Exchange Configuration Tree


Permissions listed in this section are applied to objects contained in the Exchange configuration container or its children. The configuration container's Active Directory path is cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=domain.

Table B-2: Permissions Set on the Microsoft Exchange Container

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During forestprep | Authenticated Users | Allow | | List Contents, Read All Properties | |
| During forestprep | Designated administrator accounts | Allow | | Full Control | |
| During server installation | Exchange Domain Servers | Allow | Yes | Read Permissions, Read All Properties, List Contents | Allows Exchange servers to read configuration information from the configuration naming context |
| During Active Directory Connector (ADC) installation | Exchange services | Allow | Yes | Full Control | Allow ADC servers to create and delete objects |

Table B-3: Permissions Set on the ADC Connection Agreement Container

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation | Exchange Domain Servers | Allow | Yes | Full Control | |

 
Table B-4: Permissions Set on the Organization Container

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During forestprep | Authenticated Users | Allow | | Read All Properties, ACTRL_DS_LIST_OBJECT | Read All Properties, ACTRL_DS_LIST_OBJECT |
| During forestprep | Designated administrator account | Deny | Yes | Send As | Exchange administrators are not allowed to open users' mailboxes |
| During forestprep | Designated administrator account | Deny | Yes | Receive As | Exchange administrators are not allowed to open mailboxes |
| During server installation | Enterprise Admins | Deny | Yes | Send As | Windows administrators are not allowed to open mailboxes |
| During server installation | Enterprise Admins | Deny | Yes | Receive As | Windows administrators are not allowed to open mailboxes |
| During server installation | Domain Admins of root domain | Deny | Yes | Send As | Windows administrators are not allowed to open mailboxes |
| During server installation | Domain Admins of root domain | Deny | Yes | Receive As | Windows administrators are not allowed to open mailboxes |
| During server installation | Everyone | Allow | Yes | Create Top-Level Public Folder | |
| During server installation | Everyone | Allow | Yes | Create Public Folder | |
| During server installation | Everyone | Allow | Yes | Create Named Properties in the Information Store | |
| During server installation | Everyone | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB |
| During server installation | Everyone | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB |
| During server installation | Everyone | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: mTA |
| During server installation | ANONYMOUS LOGON | Allow | Yes | Create Top-Level Public Folder | |
| During server installation | ANONYMOUS LOGON | Allow | Yes | Create Public Folder | In Microsoft Windows Server 2003, Everyone no longer includes Anonymous Logon; this right must be explicitly granted |
| During server installation | ANONYMOUS LOGON | Allow | Yes | Create Named Properties in the Information Store | Applies to object class: msExchPrivateMDB |
| During server installation | ANONYMOUS LOGON | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB |
| During server installation | ANONYMOUS LOGON | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB |
| During server installation | ANONYMOUS LOGON | Allow | Yes | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: mTA |
| During server installation | Exchange Domain Servers | Allow | Yes | All Extended Rights | |
| During server installation | Exchange Domain Servers | Allow | Yes | Create All Child Objects | |
| During server installation | Exchange Domain Servers | Allow | Yes | Write Property | Property Set: Public Information |
| During server installation | Exchange Domain Servers | Allow | Yes | Write Property | Property Set: Personal Information. Required to maintain mail-enabled config objects (for example, the system attendant) |
| During server installation | Exchange Domain Servers | Allow | Yes | Full Control | |
| When enabling Site Replication Service (SRS; ACE is removed when SRS is disabled) | MACHINE$ | Allow | Yes | Create All Child Objects, Delete All Child Objects, ACTRL_DS_LIST_OBJECT | SRS must be able to create and delete admin groups |

Table B-5: Permissions Set on the Address Lists Container

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation | Authenticated Users | Allow | Yes | List Contents | |

 
Table B-6: Permissions Set on the Addressing Container

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation | Exchange Domain Servers | Allow | Yes | Full Control | |

 
Table B-7: Permissions Set on the Recipient Update Services Container

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation | Exchange Domain Servers | Allow | Yes | Full Control | |

 
Table B-8: Permissions Set on Individual Administrative Groups Within the Administrative Groups Container

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation (set on attribute msExchPFDefaultAdminACL) | Authenticated Users | Allow | Yes | Create Public Folder | |

 
Table B-9: Permissions Set on the Default Top-Level Public Folder Hierarchy

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation (set on attribute msExchPFDefaultAdminACL) | Authenticated Users | Allow | Yes | Create Public Folder | |

 
Table B-10: Permissions Set on the Connections Container Within Each Routing Group

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation | Exchange Domain Servers | Allow | Yes | Full Control | |

 
Table B-11: Permissions Set on the Servers Container Within Each Routing Group

| When set | Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|---|
| During server installation or Exchange Server 2003 forestprep | Exchange Domain Servers | Deny | Yes | Receive As | Servers never need to read mail in other servers' mail databases |
| During server installation | Authenticated Users | Allow | | List Contents | |

 



Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
EAN: 2147483647
Year: 2004
Pages: 189
