Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2009-12-08
This topic describes the permissions that are required to set up a Microsoft Exchange Server 2007 organization.
In some cases, the access control list (ACL) is not applied on the usual property, ntSecurityDescriptor, but on another property, such as msExchMailboxSecurityDescriptor. The directory service cannot enforce security that is not specified in the Microsoft Windows security descriptor. In most cases, these ACLs are replicated to store ACLs on the appropriate objects by the store service. Unfortunately, there is no tool to view these ACLs as anything other than raw binary data.
The columns of each permissions table include the following information:
- Account: The security principal granted or denied the permissions.
- ACE type: The access control entry (ACE) type.
  - Allow ACE
  - Deny ACE
- Inheritance: The type of inheritance used for child objects.
  - All indicates that the permissions apply to the object and all sub-objects.
  - Desc indicates that the permissions apply to the object class listed in the On Property/Applies To column.
  - None indicates that the permissions apply only to the object.
- Permissions: The permissions granted to the account.
- On Property/Applies To: In some cases, permissions apply only to a given property, property set, or object class. These limited permissions are specified here.
  - Names in italic indicate the attribute or attributes to which a Read Property or Write Property applies.
  - Names in plain text indicate the object class or classes to which an ACE is inherited.
  - Names in bold indicate the class name to which Create Child or Delete Child permissions apply.
- Comments: When applicable, this column explains why the permissions are required or provides other information about the permissions.
The permissions are generally listed in the table by the names that are used on the Active Directory Service Interfaces (ADSI) Edit (AdsiEdit.msc) Security property page in the Advanced view on the View/Edit tab. The ADSI Edit Security property page lists a much more condensed view of the permissions. The LDP tool (Ldp.exe) displays the access mask directly as a numeric value. The setup code refers to the permissions by predefined constants.
The following table shows the relationships between these values.
| ADSI Edit Summary page | ADSI Edit Advanced view, View/Edit tab | ACL entries applied to a given object | Binary value (access mask in LDP) |
|---|---|---|---|
| Full Control | Full Control | WRITE_OWNER \| WRITE_DAC \| READ_CONTROL \| DELETE \| ACTRL_DS_CONTROL_ACCESS \| ACTRL_DS_LIST_OBJECT \| ACTRL_DS_DELETE_TREE \| ACTRL_DS_WRITE_PROP \| ACTRL_DS_READ_PROP \| ACTRL_DS_SELF \| ACTRL_DS_LIST \| ACTRL_DS_DELETE_CHILD \| ACTRL_DS_CREATE_CHILD | 0x000F01FF |
| Read | List Contents + List Object + Read All Properties + Read Permissions | ACTRL_DS_LIST \| ACTRL_DS_READ_PROP \| READ_CONTROL | 0x00020014 |
| Write | Write All Properties + All Validated Writes | ACTRL_DS_WRITE_PROP \| ACTRL_DS_SELF | 0x00000028 |
| | List Contents | ACTRL_DS_LIST | 0x00000004 |
| | Read All Properties | ACTRL_DS_READ_PROP | 0x00000010 |
| | Write All Properties | ACTRL_DS_WRITE_PROP | 0x00000020 |
| | Delete | DELETE | 0x00010000 |
| | Delete Subtree | ACTRL_DS_DELETE_TREE | 0x00000040 |
| | Read Permissions | READ_CONTROL | 0x00020000 |
| | Modify Permissions | WRITE_DAC | 0x00040000 |
| | Modify Owner | WRITE_OWNER | 0x00080000 |
| | All Validated Writes | ACTRL_DS_SELF | 0x00000008 |
| | All Extended Rights | ACTRL_DS_CONTROL_ACCESS | 0x00000100 |
| Create All Child Objects | Create All Child Objects | ACTRL_DS_CREATE_CHILD | 0x00000001 |
| Delete All Child Objects | Delete All Child Objects | ACTRL_DS_DELETE_CHILD | 0x00000002 |
| | | ACTRL_DS_LIST_OBJECT | 0x00000080 |
Extended rights are custom rights specified by individual applications. They are specified in the ACL. However, they are meaningless to the Active Directory directory service. The particular application enforces any extended rights. Examples of Exchange extended rights are "Create public folder" or "Create named properties in the information store."
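As an added example (not part of the original topic), the following Python decodes a raw access mask as LDP displays it into the ACL entry constants and ADSI Edit names from the table above, collapses it into the Summary-page names (Full Control, Read, Write), and audits a constructed ACL for Modify Permissions or Modify Owner grants held by accounts outside the expected set. The sample ACL, the account names and the "Help Desk" entry are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Access-mask bits exactly as the table above lists them:
# bit value -> (ACL entry constant, name in the ADSI Edit Advanced view).
ACCESS_RIGHTS: Dict[int, Tuple[str, str]] = {
    0x00000001: ("ACTRL_DS_CREATE_CHILD", "Create All Child Objects"),
    0x00000002: ("ACTRL_DS_DELETE_CHILD", "Delete All Child Objects"),
    0x00000004: ("ACTRL_DS_LIST", "List Contents"),
    0x00000008: ("ACTRL_DS_SELF", "All Validated Writes"),
    0x00000010: ("ACTRL_DS_READ_PROP", "Read All Properties"),
    0x00000020: ("ACTRL_DS_WRITE_PROP", "Write All Properties"),
    0x00000040: ("ACTRL_DS_DELETE_TREE", "Delete Subtree"),
    0x00000080: ("ACTRL_DS_LIST_OBJECT", "List Object"),
    0x00000100: ("ACTRL_DS_CONTROL_ACCESS", "All Extended Rights"),
    0x00010000: ("DELETE", "Delete"),
    0x00020000: ("READ_CONTROL", "Read Permissions"),
    0x00040000: ("WRITE_DAC", "Modify Permissions"),
    0x00080000: ("WRITE_OWNER", "Modify Owner"),
}

# Composite rights as the ADSI Edit Summary page collapses them (masks from the table).
FULL_CONTROL = 0x000F01FF
READ = 0x00020014   # ACTRL_DS_LIST | ACTRL_DS_READ_PROP | READ_CONTROL
WRITE = 0x00000028  # ACTRL_DS_WRITE_PROP | ACTRL_DS_SELF

# Rights that let a principal rewrite or take over the ACL itself.
CONTROL_RIGHTS = 0x00040000 | 0x00080000  # WRITE_DAC | WRITE_OWNER


@dataclass(frozen=True)
class Ace:
    account: str
    ace_type: str  # "Allow" or "Deny", as in the tables on this page
    mask: int      # raw access mask, as LDP displays it


def decode_access_mask(mask: int) -> Tuple[List[str], int]:
    """Return the ACL entry constants set in mask and any bits the table does not define."""
    constants = []
    leftover = mask
    for bit, (constant, _) in sorted(ACCESS_RIGHTS.items()):
        if mask & bit:
            constants.append(constant)
            leftover &= ~bit
    return constants, leftover


def summarize(mask: int) -> List[str]:
    """Name the rights the way the ADSI Edit Summary page does (Full Control, Read, Write, ...)."""
    if mask & FULL_CONTROL == FULL_CONTROL:
        return ["Full Control"]
    names = []
    remaining = mask
    for composite, name in ((READ, "Read"), (WRITE, "Write")):
        if remaining & composite == composite:
            names.append(name)
            remaining &= ~composite
    # Anything left is shown by its Advanced-view name (e.g. "Modify Permissions").
    for bit, (_, adsi_name) in sorted(ACCESS_RIGHTS.items()):
        if remaining & bit:
            names.append(adsi_name)
    return names


def find_control_grants(aces: List[Ace], expected_holders: set) -> List[Ace]:
    """Return Allow ACEs granting Modify Permissions or Modify Owner to unexpected accounts."""
    return [
        ace for ace in aces
        if ace.ace_type == "Allow"
        and ace.mask & CONTROL_RIGHTS
        and ace.account not in expected_holders
    ]


# Constructed sample: the CN=Microsoft Exchange container as the /PrepareAD table on this
# page describes it, plus one drifted entry (the "Help Desk" account is hypothetical).
SAMPLE_ACL = [
    Ace("Installation Account", "Allow", FULL_CONTROL),
    Ace("Exchange Servers", "Allow", READ),
    Ace("Authenticated Users", "Allow", 0x00000014),      # Read Property + List Contents
    Ace("Exchange Organization Administrators", "Allow", FULL_CONTROL),
    Ace("CONTOSO\\Help Desk", "Allow", 0x00040000),        # WRITE_DAC: not in the table
]
EXPECTED_CONTROL_HOLDERS = {"Installation Account", "Exchange Organization Administrators"}


if __name__ == "__main__":
    for ace in SAMPLE_ACL:
        constants, unknown = decode_access_mask(ace.mask)
        print(f"{ace.account:40} {ace.ace_type:5} 0x{ace.mask:08X} "
              f"{' | '.join(constants)} -> {', '.join(summarize(ace.mask))}")
    for ace in find_control_grants(SAMPLE_ACL, EXPECTED_CONTROL_HOLDERS):
        print(f"REVIEW: {ace.account} holds {', '.join(summarize(ace.mask))}")
```

Bits outside the table (for example the generic rights in the top byte) are returned separately by decode_access_mask rather than silently dropped, so an unexpected mask is visible in the output.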
Note: For information about permissions that are set during a Microsoft Exchange Server 2003 installation, see Working with Active Directory Permissions in Exchange Server 2003.
Prepare Legacy Exchange Permissions
The permissions tables in this section show what permissions are set when you execute the setup /PrepareLegacyExchangePermissions command.
Distinguished name of the object: DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Enterprise Servers | Allow ACE | All | Write Property | Exchange Information | |
| Authenticated Users | Allow ACE | All | Read Property | Exchange Information | |
Distinguished name of the object: CN=AdminSDHolder,CN=System,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Enterprise Servers | Allow ACE | All | Read Property, Write Property | Exchange Information | |
Distinguished name of the object: CN=<organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Domain Servers | Allow ACE | All | Write Property | Exchange Information | |
Prepare Active Directory Permissions
The permissions tables in this section show the permissions that are set when you execute the Setup /PrepareAD command.
Microsoft Exchange Container Permissions
The following table shows the permissions that are set on the Microsoft Exchange container within the configuration partition.
Distinguished name of the object: CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Installation Account | Allow ACE | All | Full Control | | This is the account that is used to run /PrepareAD. |
| Exchange Servers | Allow ACE | All | Read | | |
| Authenticated Users | Allow ACE | None | Read Property, List Contents | | |
| Exchange Organization Administrators | Allow ACE | All | Full Control | | |
Microsoft Exchange Organization Container Permissions
The permissions tables in this section show the permissions that are set on the Microsoft Exchange Organization and sub-containers within the configuration partition.
Distinguished name of the object: CN=<organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Enterprise Administrator, Root Domain Administrator, Installation Account | Deny ACE | All | Send As, Receive As | | Windows administrators are not allowed to open mailboxes. |
| Enterprise Administrator, Root Domain Administrator, Installation Account | Deny ACE | All | Store Transport Access, Store Constrained Delegation, Store Read Access, Store Read Write Access, Exchange Web Services Impersonation, Exchange Web Services Token Serialization | | Extended right |
| Exchange Servers | Deny ACE | All | Store Transport Access, Store Constrained Delegation, Store Read Only Access, Store Read and Write Access | | Extended right |
| Authenticated Users | Deny ACE | Desc | Read Property | msExchAvailabilityUserPassword / msExchAvailabilityAddressSpace | |
| Authenticated Users | Allow ACE | None | Read Property, List Object | | |
| Everyone and Anonymous | Allow ACE | All | Create Public Folder | | Extended right |
| Everyone and Anonymous | Allow ACE | All | Create named properties in the information store | | Extended right |
| Everyone and Anonymous | Allow ACE | All | Read | msExchPrivateMDB | |
| Everyone and Anonymous | Allow ACE | All | Read | msExchPublicMDB | |
| Exchange Servers | Allow ACE | All | All Extended rights | | |
| Exchange Servers | Allow ACE | All | Write Property | groupT | |
| Exchange Servers | Allow ACE | All | Write Property | msExchMailboxSecurityDescriptor | |
| Exchange Servers | Allow ACE | All | Write Property | msExchUMServerWritableFlags | |
| Exchange Servers | Allow ACE | All | Write Property | msExchDatabaseCreated | |
| Exchange Servers | Allow ACE | All | Write Property | Public Information | |
| Exchange Servers | Allow ACE | All | Write Property | msExchUserCulture | |
| Exchange Servers | Allow ACE | All | Write Property | siteFolderGUID | |
| Exchange Servers | Allow ACE | All | Write Property | msExchMobileMailboxFlags | |
| Exchange Servers | Allow ACE | All | Write Property | siteFolderServer | |
| Exchange Servers | Allow ACE | All | Write Property | msExchEDBOffline | |
| Exchange Servers | Allow ACE | All | Write Property | userCertificate | |
| Exchange Servers | Allow ACE | All | Write Property | Exchange Personal Information | |
| Exchange Servers | Allow ACE | All | Write Property | Exchange Information | |
| Exchange Servers | Allow ACE | All | Write Property | msExchPatchMDB | |
| Exchange Servers | Allow ACE | All | Write Property | publicDelegates | |
| Exchange Servers | Allow ACE | All | Write Property | msExchUMSpokenName | |
| Exchange Servers | Allow ACE | All | Write Property | msExchUMPinChecksum | |
| Exchange Servers | Allow ACE | Desc | Read | siteAddressing | |
| Schema Administrators | Deny ACE | All | Exchange Web Services Impersonation, Exchange Web Services Token Serialization | | Extended right |
| Exchange Organization Administrators | Deny ACE | All | Send As, Receive As | | Exchange administrators are not allowed to open mailboxes. |
| Exchange Organization Administrators | Deny ACE | All | Exchange Web Services Impersonation, Exchange Web Services Token Serialization | | Extended right |
| Exchange View-Only Administrators | Allow ACE | All | View information store status | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Read | | |
| Exchange Public Folder Administrators | Allow ACE | All | Create top level public folder | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | View information store status | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Administer information store | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Create named properties in the information store | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Modify public folder ACL | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Modify public folder quotas | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Modify public folder admin ACL | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Modify public folder expiry | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Modify public folder replica list | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Modify public folder deleted item retention period | | Extended right |
| Exchange Public Folder Administrators | Allow ACE | All | Create public folder | | Extended right |
Distinguished name of the object: CN=Address Lists Container,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | List Contents | | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags | |
| Exchange Public Folder Administrators | Allow ACE | All | Write Property | msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags | |
Distinguished name of the object: CN=Offline Address Lists,CN=Address Lists Container, CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | Download Offline Address Book | | |
Distinguished name of the object: CN=Recipient Update Services,CN=Address Lists Container, CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Servers | Allow ACE | All | Full Control | | |
Distinguished name of the object: CN=Addressing,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | Read | | |
Distinguished name of the object: CN=Recipient Policies,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Recipient Administrators | Allow ACE | All | Write Property | msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags | |
| Exchange Public Folder Administrators | Allow ACE | All | Write Property | msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags | |
Distinguished name of the object: CN=Message Classifications,CN=Transport Settings, CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | List Contents | | |
Distinguished name of the object: CN=ExACPrivileged,CN=<language>,CN=Message Classifications,CN=Transport Settings, CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | Read | | |
Distinguished name of the object: CN=ExCompanyConfidential,CN=<language>,CN=Message Classifications,CN=Transport Settings, CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | Read | | |
Distinguished name of the object: CN=ExCompanyInternal,CN=<language>,CN=Message Classifications,CN=Transport Settings, CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | Read | | |
Configuration Partition Container Permissions
The permissions tables in this section show the permissions that are set by the Setup /PrepareAD command on various containers within the configuration partition.
Distinguished name of the object: CN=Sites,CN=Configuration,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Organization Administrators | Allow ACE | All | Write Property | msExchTransportSiteFlags / site | |
| Exchange Organization Administrators | Allow ACE | All | Write Property | msExchCost / siteLink | |
Distinguished name of the object: CN=Deleted Objects,CN=Configuration,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Servers | Allow ACE | All | List Contents | | |
| Exchange Organization Administrators | Allow ACE | All | Read Write Permission | | |
Exchange Administrative Group Permissions
The Setup /PrepareAD command also configures the following permissions on the administrative groups within the organization.
Distinguished name of the object: CN=<admin group>,CN=Administrative Groups,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Recipient Administrators | Allow ACE | Desc | Access Recipient Update Service | msExchExchangeServer | Allows Exchange Recipient Administrators to stamp recipients with proxy address information. |
| SYSTEM | Allow ACE | Desc | Access Recipient Update Service | msExchExchangeServer | Allows the servers to stamp recipients with proxy address information. |
| Exchange Public Folder Administrators | Allow ACE | Desc | Access Recipient Update Service | msExchExchangeServer | Allows Exchange Public Folder Administrators to stamp recipients with proxy address information. |
Distinguished name of the object: CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Servers | Deny ACE | All | Receive As | | Exchange Servers are not allowed to open mailboxes. |
| Authenticated Users | Allow ACE | None | List Contents | | |
Distinguished name of the object: CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | None | List Contents | | |
Distinguished name of the object: CN=Encryption,CN=Advanced Security Settings,CN=<admin group>,CN=Administrative Groups,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | None | Read Property | | |
Microsoft Exchange Security Groups Container Permissions
The permissions tables in this section show the permissions that are set on the Microsoft Exchange Security Groups container within the root domain partition.
Distinguished name of the object: OU=Microsoft Exchange Security Groups,DC=<root domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Trusted Subsystem | Allow ACE | All | Full Control | | The Exchange 2007 SP2 Setup program creates this group and adds it to the local Administrators group. Exchange Trusted Subsystem is a highly privileged, universal security group that has read and write access to every Exchange-related object in the organization. For more information, see How to Install the Latest Service Pack or Update Rollup for Exchange 2007. |
| Exchange Organization Administrators | Allow ACE | All | Full Control | | |
Distinguished name of the object: CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=<root domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Organization Administrators | Allow ACE | All | Full Control | | |
Distinguished name of the object: CN=Exchange Recipient Administrators,OU=Microsoft Exchange Security Groups,DC=<root domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Organization Administrators | Allow ACE | All | Full Control | | |
Distinguished name of the object: CN=Exchange View-Only Administrators,OU=Microsoft Exchange Security Groups,DC=<root domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Organization Administrators | Allow ACE | All | Full Control | | |
Distinguished name of the object: CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=<root domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Organization Administrators | Allow ACE | All | Full Control | | |
Distinguished name of the object: CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=<root domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Organization Administrators | Allow ACE | All | Full Control | | |
| Root Domain Administrators | Allow ACE | All | Read Members, Write Members | | |
| Child Domain Administrators | Allow ACE | All | Read Members, Write Members | | |
Prepare Domain
The following tables show the permissions that are set when you run the Setup /PrepareDomain command.
Distinguished name of the object: DC=<domain> and CN=AdminSDHolder,CN=System,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Authenticated Users | Allow ACE | All | Read Property | Exchange Information | |
| Exchange Servers | Allow ACE | All | Read Property | Exchange Personal Information | |
| Exchange Servers | Allow ACE | All | Read Property | Exchange Information | |
| Exchange Servers | Allow ACE | All | Write Property | groupType | |
| Exchange Servers | Allow ACE | All | Write Property | publicDelegates | |
| Exchange Servers | Allow ACE | All | Write Property | userCertificate | |
| Exchange Servers | Allow ACE | All | Write Property | msExchUMPinChecksum | |
| Exchange Servers | Allow ACE | All | Write Property | msExchMobileMailboxFlags | |
| Exchange Servers | Allow ACE | All | Write Property | msExchMailboxSecurityDescriptor | |
| Exchange Servers | Allow ACE | All | Write Property | msExchUserCulture | |
| Exchange Servers | Allow ACE | All | Write Property | msExchUMServerWritableFlags | |
| Exchange Servers | Allow ACE | All | Read Property | garbageCollPeriod | |
| Exchange Servers | Allow ACE | All | Read Property | userAccountControl | |
| Exchange Servers | Allow ACE | All | Read Property | canonicalName | |
| Exchange Servers | Allow ACE | All | Read Property | memberOf | |
| Exchange Servers | Allow ACE | Desc | Modify Permissions | group | This permission was removed in Microsoft Exchange Server 2007 SP1 Setup /PrepareDomain. If you have already installed Microsoft Exchange Server 2007, you will have this right even after Exchange 2007 SP1 deployment. |
| Exchange Servers | Allow ACE | All | Change Password | | Extended right |
| Exchange Recipient Administrators | Allow ACE | All | Read | | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | Exchange Information | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | Exchange Personal Information | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | legacyExchangeDN | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | displayName | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | adminDisplayName | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | displayNamePrintable | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | publicDelegates | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | garbageCollPeriod | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | textEncodedORAddress | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | showInAddressBook | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | proxyAddresses | |
| Exchange Recipient Administrators | Allow ACE | All | Write Property | | |
| Exchange Recipient Administrators | Allow ACE | All | Create Child, Delete Child | msExchDynamicDistributionList | |
| Exchange Recipient Administrators | Allow ACE | Desc | Full Control | msExchDynamicDistributionList | |
Distinguished name of the object: CN=Microsoft Exchange System Objects,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Servers | Allow ACE | All | Read, Delete Tree | | |
| Exchange Servers | Deny ACE | All | Delete Tree | | Exchange 2003 RUS will remove Read ACEs from the Microsoft Exchange System Objects (MESO) container. |
| Exchange Servers | Allow ACE | All | Create Child, Delete Child | publicFolder | |
| Exchange Servers | Allow ACE | Desc | Write Property | publicFolder | |
| Exchange Servers | Allow ACE | All | Create Child | msExchSystemMailbox | |
| Exchange Servers | Allow ACE | Desc | Write Property | msExchSystemMailbox | |
| Exchange Organization Administrators | Allow ACE | All | Delete Child | msExchSystemMailbox | |
| Authenticated Users | Allow ACE | All | Read Permissions | | |
| Authenticated Users | Allow ACE | All | Read | | |
| Authenticated Users | Allow ACE | All | Read Property | garbageCollPeriod, adminDisplayName, modifyTimeStamp | |
| Exchange Public Folder Administrators | Allow ACE | All | Read Property, Write Property | Exchange-Information / publicFolder, Exchange-Personal-Information / publicFolder, legacyExchangeDN / publicFolder, displayName / publicFolder, displayNamePrintable / publicFolder, publicDelegates / publicFolder, garbageCollPeriod / publicFolder, textEncodedORAddress / publicFolder, showInAddressBook / publicFolder, proxyAddresses / publicFolder, mail / publicFolder, pFContacts / publicFolder, msDS-PhoneticDisplayName / publicFolder, cn / publicFolder, name / publicFolder | Allows the Exchange Public Folder Administrator role to manage mail-related properties of mail-enabled public folder proxy objects. |
| Exchange Public Folder Administrators | Allow ACE | All | Read Property | | |
Server Installation
During installation of the Hub Transport, Unified Messaging, Mailbox, and Client Access server roles, Setup adds the Exchange Organization Administrators security group to the administrator security group on the local computer so that members of the Administrator role group named Exchange Organization Administrators can manage the server.
The following permissions table shows the permissions that are set when you install the Hub Transport, Unified Messaging, Mailbox, or Client Access server roles on a nonclustered computer.
Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| MACHINE$ | Allow ACE | All | Read | | |
| MACHINE$ | Allow ACE | None | Write Property | msExchServerSite, msExchEdgeSyncCredential | |
| Exchange Servers | Allow ACE | All | Store Transport Access, Store Constrained Delegation, Store Read Only Access, Store Read and Write Access | | Extended right |
| Authenticated Users | Allow ACE | None | Read Properties | | This ACE is defined in the schema, in the defaultSecurityDescriptor of the msExchExchangeServer class. |
Clustered Mailbox Server Installation
If you install a clustered mailbox server, the permissions that are listed in the following permissions table are set instead.
Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| CLUSTEREDNODE$ | Allow ACE | All | Read | | The first nodes installed have this permission. |
| CLUSTEREDNODE$ | Allow ACE | All | Full Control | | All nodes installed later in the Exchange cluster have this permission. |
| CLUSTEREDNODE$ | Allow ACE | None | Write Property | msExchServerSite, msExchEdgeSyncCredential | |
| Exchange Servers | Allow ACE | All | Store Transport Access, Store Constrained Delegation, Store Read Only Access, Store Read and Write Access | | Extended right |
| Authenticated Users | Allow ACE | None | Read Properties | | This ACE is defined in the schema, in the defaultSecurityDescriptor of the msExchExchangeServer class. |
Clustered Mailbox Server Computer Account
If you install a clustered mailbox server, the permissions in the following permissions table are set on the clustered mailbox server computer account within the domain partition.
Distinguished name of the object: CN=<server>,CN=Computers,DC=<domain> or CN=<server>,OU=<organizational unit>,DC=<domain>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Cluster Service Account | Allow ACE | None | Read Control Access | | |
| Cluster Service Account | Allow ACE | None | Write Property | Logon Information | |
| Cluster Service Account | Allow ACE | None | Write Property | Description | |
| Cluster Service Account | Allow ACE | None | Write Property | sAMAccountName | |
| Cluster Service Account | Allow ACE | None | Write Property | Account Restrictions | |
| Cluster Service Account | Allow ACE | None | Validated write to DNS host name | | |
| Cluster Service Account | Allow ACE | None | Validated write to service principal name | | |
Edge Transport
If you install an Edge Transport server and establish an Edge Subscription with the Exchange organization, the permissions in the following permissions table are set when the Edge Transport server is instantiated into the organization.
Distinguished name of the object: CN=<server>,CN=Servers,CN=<admin group>,CN=Administrative Groups,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Servers | Allow ACE | All | Write Property | | |
| Authenticated Users | Allow ACE | None | Read Properties | | This ACE is defined in the schema, in the defaultSecurityDescriptor of the msExchExchangeServer class. |
Client Access Server Installation
During installation of the first Client Access server, the following container is created. The following permissions table shows the permissions that are applied.
Distinguished name of the object: CN=Availability Configuration,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| Exchange Servers | Allow ACE | Desc | Read Property | msExchAvailabilityUserPassword / msExchAvailabilityAddressSpaceObjects | Extended right |
Hub Transport Server Installation
During installation of each Hub Transport server, the following permissions are set.
Distinguished name of the object: CN=Default <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>
| Account | ACE type | Inheritance | Permissions | On property/Applies to | Comments |
|---|---|---|---|---|---|
| ExchangeLegacyInterop | Deny ACE | All | Accept Forest Headers | | |
| ExchangeLegacyInterop | Deny ACE | All | Accept Organization Headers | | |
| Exchange Servers | Allow ACE | All | Accept Any Sender | | |
| ExchangeLegacyInterop | Allow ACE | All | Accept Any Sender | | |
| S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Any Sender | | This is the well-known security identifier (SID) for Hub Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Any Sender | | This is the well-known SID for Edge Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept Any Sender | | This is the well-known SID for externally secured servers. |
| Exchange Servers | Allow ACE | All | Accept EXCH50 | | |
| ExchangeLegacyInterop | Allow ACE | All | Accept EXCH50 | | |
| S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept EXCH50 | | This is the well-known SID for Hub Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept EXCH50 | | This is the well-known SID for Edge Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept EXCH50 | | This is the well-known SID for externally secured servers. |
| Exchange Servers | Allow ACE | All | Submit Messages to any Recipient | | |
| ExchangeLegacyInterop | Allow ACE | All | Submit Messages to any Recipient | | |
| S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Submit Messages to any Recipient | | This is the well-known SID for Hub Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Submit Messages to any Recipient | | This is the well-known SID for Edge Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Submit Messages to any Recipient | | This is the well-known SID for externally secured servers. |
| Exchange Servers | Allow ACE | All | Accept Routing Headers | | |
| ExchangeLegacyInterop | Allow ACE | All | Accept Routing Headers | | |
| S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Routing Headers | | This is the well-known SID for Hub Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Routing Headers | | This is the well-known SID for Edge Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept Routing Headers | | This is the well-known SID for externally secured servers. |
| Exchange Servers | Allow ACE | All | Accept Forest Headers | | |
| S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Forest Headers | | This is the well-known SID for Hub Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Forest Headers | | This is the well-known SID for Edge Transport servers. |
| Exchange Servers | Allow ACE | All | Accept Authentication Flag | | |
| ExchangeLegacyInterop | Allow ACE | All | Accept Authentication Flag | | |
| S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Accept Authentication Flag | | This is the well-known SID for Hub Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Accept Authentication Flag | | This is the well-known SID for Edge Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Accept Authentication Flag | | This is the well-known SID for externally secured servers. |
| Exchange Servers | Allow ACE | All | Bypass Anti-Spam | | |
| ExchangeLegacyInterop | Allow ACE | All | Bypass Anti-Spam | | |
| S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Bypass Anti-Spam | | This is the well-known SID for Hub Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Bypass Anti-Spam | | This is the well-known SID for Edge Transport servers. |
| S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Bypass Anti-Spam | | This is the well-known SID for externally secured servers. |
| Exchange Servers | Allow ACE | All | Bypass Message Size Limit | | |
ExchangeLegacyInterop |
Allow ACE |
All |
Bypass Message Size Limit |
|
|
S-1-9-1419165041-1139599005-3936102811-1022490595-21 |
Allow ACE |
All |
Bypass Message Size Limit |
|
This is the well known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 |
Allow ACE |
All |
Bypass Message Size Limit |
|
This is the well known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 |
Allow ACE |
All |
Bypass Message Size Limit |
|
This is the well known SID for externally secured servers. |
Exchange Servers |
Allow ACE |
All |
Accept Organization Headers |
|
|
S-1-9-1419165041-1139599005-3936102811-1022490595-21 |
Allow ACE |
All |
Accept Organization Headers |
|
This is the well known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 |
Allow ACE |
All |
Accept Organization Headers |
This is the well known SID for Edge Transport servers. |
|
Exchange Servers |
Allow ACE |
All |
Submit Messages to Server |
|
|
ExchangeLegacyInterop |
Allow ACE |
All |
Submit Messages to Server |
|
|
S-1-9-1419165041-1139599005-3936102811-1022490595-21 |
Allow ACE |
All |
Submit Messages to Server |
|
This is the well known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 |
Allow ACE |
All |
Submit Messages to Server |
|
This is the well known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 |
Allow ACE |
All |
Submit Messages to Server |
|
This is the well known SID for externally secured servers. |
Exchange Servers |
Allow ACE |
All |
Accept Authoritative Domain Sender |
|
|
ExchangeLegacyInterop |
Allow ACE |
All |
Accept Authoritative Domain Sender |
|
|
S-1-9-1419165041-1139599005-3936102811-1022490595-21 |
Allow ACE |
All |
Accept Authoritative Domain Sender |
|
This is the well known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 |
Allow ACE |
All |
Accept Authoritative Domain Sender |
|
This is the well known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 |
Allow ACE |
All |
Accept Authoritative Domain Sender |
|
This is the well known SID for externally secured servers. |
Authenticated Users |
Allow ACE |
All |
Submit Messages to any Recipient |
|
|
Authenticated Users |
Allow ACE |
All |
Accept Routing Headers |
|
|
Authenticated Users |
Allow ACE |
All |
Bypass Anti-Spam |
|
|
Authenticated Users |
Allow ACE |
All |
Submit Messages to Server |
|
|
Distinguished name of the object: CN=Client <Server>,CN=SMTP Receive Connectors,CN=Protocols,CN=<Server>,CN=Servers,CN=<admin group>,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Authenticated Users | Allow ACE | All | Submit Messages to any Recipient | | |
Authenticated Users | Allow ACE | All | Accept Routing Headers | | |
Authenticated Users | Allow ACE | All | Bypass Anti-Spam | | |
Authenticated Users | Allow ACE | All | Submit Messages to Server | | |
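The tables above document the Allow ACEs that setup places on the Default and Client Receive connectors. A practitioner who wants to verify that a running server still matches them, and that no relay-relevant right has been granted to a broader principal since, can compare the live ACL against the documented defaults. The script below is an added example written for this page; it is not code from the Exchange documentation or from the product. It assumes the Exchange 2007 Management Shell on Windows PowerShell 2.0 or later (Get-ReceiveConnector and Get-ADPermission), assumes that the AD extended-right names listed in it are the ones that back the "Permissions" column (for example that "Submit Messages to any Recipient" corresponds to ms-Exch-SMTP-Accept-Any-Recipient), and assumes that the shell displays the well-known S-1-9 SIDs from the tables as "MS Exchange\Hub Transport Servers" and similar names; where a SID does not resolve, the script maps it from the SID suffix given in the tables.

```powershell
# Added audit example; not part of the Exchange documentation or product code.
# Lists explicit (non-inherited) Allow ACEs on every Receive connector of one
# server, reports principals that the documented default tables do not
# contain, and reports rights held by Authenticated Users beyond the four the
# Client connector table grants them, and any relay-relevant right held by
# ANONYMOUS LOGON. Assumes the Exchange 2007 Management Shell (PowerShell 2.0+).

param([string]$Server = $env:COMPUTERNAME)   # assumed: audit the local server

# Well-known Exchange SID prefix and suffixes exactly as given in the tables.
$WellKnownSid   = 'S-1-9-1419165041-1139599005-3936102811-1022490595'
$WellKnownNames = @{
    '10' = 'Partner Servers'
    '21' = 'Hub Transport Servers'
    '22' = 'Edge Transport Servers'
    '23' = 'Externally Secured Servers'
    '24' = 'Legacy Exchange Servers'
}

# Principals that appear on the default Receive connectors per the tables.
$DefaultPrincipals = @('Exchange Servers', 'ExchangeLegacyInterop', 'Authenticated Users') +
                     @($WellKnownNames.Values)

# Assumed AD extended-right names behind the "Permissions" column.
$AuthUsersDefaultRights = @(
    'ms-Exch-SMTP-Accept-Any-Recipient',   # Submit Messages to any Recipient
    'ms-Exch-Accept-Headers-Routing',      # Accept Routing Headers
    'ms-Exch-Bypass-Anti-Spam',            # Bypass Anti-Spam
    'ms-Exch-SMTP-Submit'                  # Submit Messages to Server
)
$RelayRights = @(
    'ms-Exch-SMTP-Accept-Any-Recipient',
    'ms-Exch-SMTP-Accept-Any-Sender',      # Accept Any Sender
    'ms-Exch-SMTP-Accept-Authentication-Flag',
    'ms-Exch-Bypass-Anti-Spam'
)

function Resolve-PrincipalName([string]$User) {
    # Get-ADPermission shows "MS Exchange\Hub Transport Servers" when the SID
    # resolves (assumed display name) or the raw S-1-9-... string when it does
    # not; normalise both forms to the short name used in the tables.
    $name = $User.Split('\')[-1]
    if ($name -like "$WellKnownSid-*") {
        $rid = $name.Substring($WellKnownSid.Length + 1)
        if ($WellKnownNames.ContainsKey($rid)) { return $WellKnownNames[$rid] }
    }
    return $name
}

function New-Finding($Connector, $Principal, $Issue, $Rights) {
    New-Object PSObject -Property @{
        Connector = $Connector; Principal = $Principal
        Issue     = $Issue;     Rights    = ($Rights -join ',')
    }
}

$findings = @()
foreach ($connector in (Get-ReceiveConnector -Server $Server)) {
    $aces = $connector | Get-ADPermission | Where-Object { -not $_.IsInherited -and -not $_.Deny }
    foreach ($ace in $aces) {
        $who    = Resolve-PrincipalName "$($ace.User)"
        $rights = @($ace.ExtendedRights | ForEach-Object { "$_" })
        if ($rights.Count -eq 0) { continue }   # only extended rights are documented here

        if ($DefaultPrincipals -notcontains $who -and $who -ne 'ANONYMOUS LOGON') {
            $findings += New-Finding $connector.Name $who 'Principal not in documented defaults' $rights
        }
        if ($who -eq 'Authenticated Users') {
            $extra = $rights | Where-Object { $AuthUsersDefaultRights -notcontains $_ }
            if ($extra) {
                $findings += New-Finding $connector.Name $who 'Authenticated Users beyond documented rights' $extra
            }
        }
        if ($who -eq 'ANONYMOUS LOGON') {
            $broad = $rights | Where-Object { $RelayRights -contains $_ }
            if ($broad) {
                $findings += New-Finding $connector.Name $who 'Anonymous holds relay-relevant right' $broad
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No deviations from the documented defaults found.' }
else { $findings | Format-Table Connector, Principal, Issue, Rights -AutoSize }
```

The script deliberately ignores inherited ACEs and Deny ACEs, because the tables describe only the explicit Allow ACEs written at connector creation; a full review would also walk the parent containers. A "Principal not in documented defaults" line is not by itself a problem (an administrator may have added a relay group on purpose), but each such line should correspond to a known change request.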
SMTP Send Connector Creation
The following table shows the permissions that are set when you create Send connectors.
Distinguished name of the object: CN=<Connector Name>,CN=Connections,CN=<routing group>,CN=Routing Groups,CN=<admin group>,CN=<organization>
Account | ACE type | Inheritance | Permissions | On property/ Applies to | Comments |
---|---|---|---|---|---|
Exchange Servers | Allow ACE | All | Send Organization Headers | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Organization Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Organization Headers | | This is the well-known SID for Edge Transport servers. |
Exchange Servers | Allow ACE | All | Send Forest Headers | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Forest Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Forest Headers | | This is the well-known SID for Edge Transport servers. |
Exchange Servers | Allow ACE | All | Send Routing Headers | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-10 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for partner servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for externally secured servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-24 | Allow ACE | All | Send Routing Headers | | This is the well-known SID for Legacy Exchange servers. |
ANONYMOUS LOGON | Allow ACE | All | Send Routing Headers | | |
Exchange Servers | Allow ACE | All | Send Exch50 | | |
S-1-9-1419165041-1139599005-3936102811-1022490595-21 | Allow ACE | All | Send Exch50 | | This is the well-known SID for Hub Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-22 | Allow ACE | All | Send Exch50 | | This is the well-known SID for Edge Transport servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-23 | Allow ACE | All | Send Exch50 | | This is the well-known SID for externally secured servers. |
S-1-9-1419165041-1139599005-3936102811-1022490595-24 | Allow ACE | All | Send Exch50 | | This is the well-known SID for Legacy Exchange servers. |