Secure Messaging with Microsoft® Exchange Server 2003 (Pro-Other)
In these tables, I've listed the rights by the names used on the ADSIEdit Security property page, under the Advanced view, on the View/Edit tab. The ADSIEdit Security property page lists a much more condensed view of the rights. The LDP tool displays the access control list (ACL) as a numerical value that you can interpret by referring to Table B-1. The setup code refers to the rights by predefined constants, which I've included because they're often referred to in other documents. Extended rights are custom rights specified by Exchange and other applications; they have no meaning to Microsoft Windows, but are stored and persisted just like other ACEs. It's up to each application to enforce extended rights based on the ACE contents it finds. Examples of Exchange extended rights are Create Public Folder, or Create Named Properties in the Information Store.
| ADSIEdit Summary Page | ADSIEdit Advanced Page | Individual Rights | Mask Value in LDP |
|---|---|---|---|
| Full Control | Full Control | WRITE_OWNER WRITE_DAC READ_CONTROL DELETE ACTRL_DS_CONTROL_ACCESS ACTRL_DS_LIST_OBJECT ACTRL_DS_DELETE_TREE ACTRL_DS_WRITE_PROP ACTRL_DS_READ_PROP ACTRL_DS_SELF ACTRL_DS_LIST ACTRL_DS_DELETE_CHILD ACTRL_DS_CREATE_CHILD | 0x000F01FF |
| Read | List Contents plus Read All Properties plus Read Permissions | ACTRL_DS_LIST ACTRL_DS_READ_PROP READ_CONTROL | 0x00020014 |
| Write | Write All Properties plus All Validated Writes | ACTRL_DS_WRITE_PROP ACTRL_DS_SELF | 0x00000028 |
| | List Contents | ACTRL_DS_LIST | 0x00000004 |
| | Read All Properties | ACTRL_DS_READ_PROP | 0x00000010 |
| | Write All Properties | ACTRL_DS_WRITE_PROP | 0x00000020 |
| | Delete | DELETE | 0x00010000 |
| | Delete Subtree | ACTRL_DS_DELETE_TREE | 0x00000040 |
| | Read Permissions | READ_CONTROL | 0x00020000 |
| | Modify Permissions | WRITE_DAC | 0x00040000 |
| | Modify Owner | WRITE_OWNER | 0x00080000 |
| | All Validated Writes | ACTRL_DS_SELF | 0x00000008 |
| | All Extended Rights | ACTRL_DS_CONTROL_ACCESS | 0x00000100 |
| Create All Child Objects | Create All Child Objects | ACTRL_DS_CREATE_CHILD | 0x00000001 |
| Delete All Child Objects | Delete All Child Objects | ACTRL_DS_DELETE_CHILD | 0x00000002 |
| | | ACTRL_DS_LIST_OBJECT | 0x00000080 |
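
The following is an added example, not code from the book or from any Microsoft tool: it decodes a mask value as LDP displays it into the Table B-1 constants, and compares an observed mask with the one you expected to find. The function names (`decode_mask`, `diff_masks`, `names`) and the sample values in the comments are constructed for illustration.

```python
# Bit values and constant names taken from Table B-1.
RIGHTS = {
    0x00000001: "ACTRL_DS_CREATE_CHILD",
    0x00000002: "ACTRL_DS_DELETE_CHILD",
    0x00000004: "ACTRL_DS_LIST",
    0x00000008: "ACTRL_DS_SELF",
    0x00000010: "ACTRL_DS_READ_PROP",
    0x00000020: "ACTRL_DS_WRITE_PROP",
    0x00000040: "ACTRL_DS_DELETE_TREE",
    0x00000080: "ACTRL_DS_LIST_OBJECT",
    0x00000100: "ACTRL_DS_CONTROL_ACCESS",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
# Composite masks and their ADSIEdit summary-page names (Table B-1).
SUMMARY = {0x000F01FF: "Full Control", 0x00020014: "Read", 0x00000028: "Write"}
KNOWN_BITS = 0x000F01FF  # union of every bit listed in Table B-1


def names(mask):
    """Table B-1 constants for each bit set in mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]


def decode_mask(value):
    """Return (summary names, individual rights, bits not in Table B-1)."""
    mask = int(value, 16) if isinstance(value, str) else value
    summaries = [name for m, name in SUMMARY.items() if mask & m == m]
    if "Full Control" in summaries:
        summaries = ["Full Control"]  # Full Control already implies Read and Write
    unmapped = mask & ~KNOWN_BITS & 0xFFFFFFFF
    return summaries, names(mask), unmapped


def diff_masks(expected, actual):
    """Rights present only in actual (added) and only in expected (removed)."""
    return names(actual & ~expected), names(expected & ~actual)


if __name__ == "__main__":
    # Constructed sample: an ACE expected to be Read that also carries two extra bits.
    print(decode_mask("0x00060034"))
    print(diff_masks(0x00020014, 0x00060034))
```

Bits returned as unmapped fall outside Table B-1 and need to be interpreted from other documentation.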
Permissions on Objects in the Exchange Configuration Tree
- Table B-2. Permissions set on the Microsoft Exchange container
- Table B-3. Permissions set on the ADC Connection Agreement container
- Table B-4. Permissions set on the Organization container
- Table B-5. Permissions set on the Address Lists container
- Table B-6. Permissions set on the Addressing container
- Table B-7. Permissions set on the Recipient Update Services container
- Table B-8. Permissions set on individual administrative groups within the Administrative Groups container
- Table B-9. Permissions set on the default top-level public folder hierarchy
- Table B-10. Permissions set on the Connections container within each routing group
- Table B-11. Permissions set on the Servers container within each routing group

Permissions on the Server Object and Its Children
- Table B-12. Permissions set on the Server object
- Table B-13. Permissions set on the server-specific Protocols container
- Table B-14. Permissions set on the System Attendant object
- Table B-15. Permissions set on the MTA object

Permissions on Other Objects in the Configuration Tree
- Table B-16. Permissions set on the Deleted Items container (cn=Deleted Items,cn=Configuration,dc= domain )
- Table B-17. Permissions set on the Active Directory Connector object (cn=Active Directory Connector,cn=Exchange Settings,cn= server ,cn=Servers,cn= site ,cn=sites,cn=Configuration, )

Permissions on Objects in the Domain Naming Context
- Table B-18. Permissions set on the Domain container (dc= domain )
- Table B-19. Permissions set on the domain proxy container (cn=Microsoft Exchange System Objects,dc= domain )
- Table B-20. Permissions set on the Pre-Windows 2000 Compatible Access Group (cn=Pre-Windows 2000 Compatible Access, cn=Builtin, dc= domain )
- Table B-21. Permissions set on the Exchange Enterprise Servers group
- Table B-22. Permissions set on the Exchange Domain Servers group

Permissions Set on File System Objects
- Table B-23. Permissions applied to installation directory
- Table B-24. Permissions applied to mailroot directory
- Table B-25. Permissions applied to Exchweb directory
- Table B-26. Permissions applied to Exchweb\Bin directory
- Table B-27. Permissions applied to Exchweb\Bin\Auth directory
- Table B-28. Permissions applied to other Exchweb subdirectories