Permissions on Objects in the Domain Naming Context


Permissions listed in this section are applied to objects in the domain naming context.

Table B-18: Permissions Set on the Domain Container (dc=domain)

| Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|
| During domainprep | | | | |
| Exchange Enterprise Servers | Allow | Yes | Write Property | Applied to Public-Information (property set); allows maintenance of mail-enabled user attributes |
| Exchange Enterprise Servers | Allow | Yes | Write Property | Applied to Personal-Information (property set) |
| Exchange Enterprise Servers | Allow | Yes | Write Property | Applied to groupType property set |
| Exchange Enterprise Servers | Allow | Yes | Write Property | Applied to displayName property |
| Exchange Enterprise Servers | Allow | Yes | Manage Replication Topology | Allows RUS to track replication changes |
| Exchange Enterprise Servers | Allow | Yes | List Contents | Duplicates permissions granted to Pre-Windows 2000 Compatible Access group |
| Exchange Enterprise Servers | Allow | Yes | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to user objects |
| Exchange Enterprise Servers | Allow | Yes | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to group objects |
| Exchange Enterprise Servers | Allow | Yes | Modify Permissions | Applies to group objects; allows maintenance of ACLs for groups whose membership is hidden |
| During domainprep against a Windows Server 2003 schema | | | | |
| Exchange Enterprise Servers | Allow | Yes | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to inetOrgPerson objects |

Table B-19: Permissions Set on the Domain Proxy Container (cn=Microsoft Exchange System Objects,dc=domain)

| Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|
| During domainprep | | | | |
| Exchange Enterprise Servers | Allow | Yes | Full Control | Allows adding, deleting, and modifying proxy objects |
| Exchange Domain Servers | Allow | Yes | Full Control | Allows adding, deleting, and modifying proxy objects |
| Authenticated Users | Allow | Yes | Read Permissions | Allows access to public folder objects |
| Authenticated Users | Allow | Yes | Read Property | Applies to garbageCollPeriod property |
| Authenticated Users | Allow | Yes | Read Property | Applies to adminDisplayName property |
| Authenticated Users | Allow | Yes | Read Property | Applies to modifyTimeStamp |
| During domainprep | | | | |
| Authenticated Users | Allow | Yes | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | |
| During RUS operation | | | | |
| All delegated Full Administrators at organization and administrative group levels | Allow | Yes | Full Control | |
| All delegated Full Administrators at organization and administrative group levels | Allow | Yes | Read Permissions; List Contents; All Validated Writes; Read All Properties; Write All Properties; Create All Child Objects; Delete All Child Objects | |
| All delegated org-level and admin-group-level View-Only Admins | Allow | Yes | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | |

Table B-20: Permissions Set on the Pre-Windows 2000 Compatible Access Group (cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=domain)

| Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|
| During domainprep | | | | |
| Exchange Enterprise Servers | Allow | Yes | Write Property | Applies only to member property; RUS needs this to add Exchange Domain Servers to each domain's pre-Windows 2000 group |

Table B-21: Permissions Set on the Exchange Enterprise Servers Group

| Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|
| During domainprep | | | | |
| All existing organization-level Full Exchange Admins | Allow | | Full Control | Administrators must be able to add or remove machine accounts when running Setup |
| Exchange Enterprise Servers | Allow | | Full Control | |
| During RUS operation | | | | |
| All delegated organization-level Exchange Full Admins | Allow | Yes | Full Control | |

Table B-22: Permissions Set on the Exchange Domain Servers Group

| Account | Allow/Deny | Inherit | Right | Notes |
|---|---|---|---|---|
| During domainprep | | | | |
| All existing organization-level Full Exchange Admins | Allow | | Full Control | Administrators running Setup must be able to change group membership |
| Exchange Enterprise Servers | Allow | | Full Control | |
| During RUS operation | | | | |
| All delegated organization-level Exchange Full Admins | Allow | Yes | Full Control | |



Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189