Configuring Security

Understanding Extended Permissions

You control access to Exchange objects by setting permissions on an organization or administrative group with the Exchange Administration Delegation Wizard. This sets permissions for all objects within that organization or administrative group.

You can also set permissions on some Exchange objects individually. These objects include public folder trees, address lists, MDBs, protocols, and servers. For these objects, Exchange provides a set of Exchange-specific permissions that you can use in addition to the standard Windows 2000 permissions. The Exchange-specific permissions are called extended permissions. Exchange adds the extended permissions to the standard Windows 2000 permissions for public folder trees, address lists, MDBs, protocols, or servers.

You can view and change both standard Windows 2000 permissions and extended permissions on the Security tab for public folder trees, address lists, MDBs, protocols, or servers. The Windows 2000 permissions are listed first, followed by the extended permissions.

Exchange defines the following extended permissions:

Add PF to admin group: This permission is used to indicate which users are allowed to add a public folder to an administrative group. This permission is enforced by the Information Store service.

Administer Information Store: This permission is used by the Information Store service to determine if a user has permissions to perform various operations.

Create named properties in Information Store: This permission is used by the Information Store service to determine if a user has permissions to create named properties. A named property is a store attribute that can be accessed by name. Examples include display name, locale, deleted item flags, and activation schedule.

Create public folder: This permission is used to indicate which users are allowed to create a public folder under this folder. This permission is enforced by the Information Store service.

Create top level public folder: This permission is used to indicate which users are allowed to create a top level public folder on this public folder hierarchy. This permission is enforced by the Information Store service.

Full store access: This permission is used to indicate which users are allowed full access to the Information Store. This permission is enforced by the Information Store service.

Mail-enable public folder: This permission is used to indicate which users can make a public folder mail-enabled. This permission is enforced by the Information Store service.

Modify public folder ACL: This permission is used to determine if a user has permission to modify a public folder Access Control List (ACL).

Modify public folder admin ACL: This permission is used to determine if a user has permission to modify a public folder administrative ACL.

Modify public folder deleted item retention: This permission is used to indicate which users are allowed to modify the length of time (in days) that items deleted from the public folder are retained. This permission is enforced by the Information Store service.

Modify public folder expiration: This permission is used to indicate which users are allowed to modify the expiration date of content in the public folder. This permission is enforced by the Information Store service.

Modify public folder quotas: This permission is used to indicate which users are allowed to modify the size limit of the public folder. This permission is enforced by the Information Store service.

Modify public folder replica list: This permission is used to indicate which users are allowed to modify the replica list. An administrator must be given this permission both on the administrative group to which this public folder points and on the public database to which the replica should be added. This permission is enforced by the Information Store service.

Open mail send queue: This permission is used by the Information Store to determine if a user has permission to open the Mail Send queue that is used for queuing messages to and from the Information Store. Only the Exchange Servers account is typically granted this permission.

Read all metabase properties: This permission is used to indicate which users are allowed to read the Internet Information Services (IIS) metabase, the database that stores configuration values for IIS.

Remove PF to admin group: This permission is used to indicate which users are allowed to remove a public folder from an administrative group. This permission is enforced by the Information Store service.

View information store status: This permission is used by the Information Store service to determine if a user has permission to view Information Store data, such as logon information and resources.
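An added audit script, not part of the original documentation, showing how the extended permissions listed above are stored and checked: each one is a controlAccessRight object under CN=Extended-Rights in the Configuration container, and an access control entry grants it by referencing that object's rightsGuid. The script reports which principals hold one named extended permission on one Exchange object (for example, who has "Full store access" on a mailbox store); the object DN is a value you supply, and the use of .NET System.DirectoryServices from a domain-joined host is an assumption about the environment rather than something the page states.

```powershell
# Added example: list who holds an Exchange extended permission on one object.
# Assumes a domain-joined Windows host and a caller allowed to read the
# Configuration naming context. $ObjectDN is supplied by the caller.
param(
    [Parameter(Mandatory)] [string]$ObjectDN,          # e.g. the DN of a mailbox store
    [string]$PermissionName = "Full store access"      # display name as on the Security tab
)

# 1. Resolve the display name to its rightsGuid. Extended rights live as
#    controlAccessRight objects under CN=Extended-Rights in the Configuration NC.
$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
$searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$PermissionName))"
[void]$searcher.PropertiesToLoad.Add("rightsGuid")
$right = $searcher.FindOne()
if (-not $right) { throw "Extended right '$PermissionName' not found under $configNc" }
$rightGuid = [Guid]$right.Properties["rightsguid"][0]

# 2. Read the object's DACL and keep the ACEs that confer this right:
#    - ExtendedRight whose ObjectType is this rightsGuid (the specific right),
#    - ExtendedRight with an empty ObjectType (all extended rights),
#    - GenericAll, which implicitly includes every extended right.
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl   = ([ADSI]"LDAP://$ObjectDN").ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$hits = foreach ($r in $rules) {
    $hasExt = ([int]($r.ActiveDirectoryRights -band $extRight)) -ne 0
    $hasAll = ([int]($r.ActiveDirectoryRights -band $genAll)) -ne 0
    $via = $null
    if ($hasExt -and $r.ObjectType -eq $rightGuid)     { $via = $PermissionName }
    elseif ($hasExt -and $r.ObjectType -eq [Guid]::Empty) { $via = "All extended rights" }
    elseif ($hasAll)                                     { $via = "GenericAll" }
    if ($via) {
        [pscustomobject]@{
            Principal  = $r.IdentityReference.Value
            AccessType = $r.AccessControlType   # Allow or Deny; Deny ACEs win on evaluation
            GrantedVia = $via
            Inherited  = $r.IsInherited
        }
    }
}
$hits | Sort-Object AccessType, Principal | Format-Table -AutoSize
```

Run it against each store, protocol or server object you delegate, and compare the output with the principals you expect; an Allow entry granted via GenericAll or "All extended rights" is easy to miss on the Security tab because it does not show up as a tick next to the named permission.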