Professional Documents
Culture Documents
Microsoft Corporation
Abstract
This guide discusses the necessary minimum rights needed for Exchange administrators to
manage Exchange-related data in Active Directory as it pertains to user, inetOrgPerson,
group, and contact objects so that separation of administrative tasks can be implemented.
Contents...................................................................................................................................3
Introduction to the Working with Active Directory Permissions in Exchange Server 2003........7
What Will You Learn from This Guide?..................................................................................8
Who Should Read this Guide?..............................................................................................8
Exchange Administrator..........................................................................................................12
How to Change the Password for the Active Directory Connector Service Account...............19
Before You Begin................................................................................................................19
Procedure............................................................................................................................19
How to Use ADSI Edit to Add Full Control Permissions to the Exchange Computer Account. 32
Before You Begin................................................................................................................32
Procedure............................................................................................................................32
For More Information...........................................................................................................33
Access Control.......................................................................................................................40
General Questions..................................................................................................................81
User-Related Tasks................................................................................................................95
Moving Mailboxes...................................................................................................................97
Mixed Mode Move Mailbox Permissions.............................................................................97
Permissions for Native Mode Mailbox Move Operations.....................................................99
Copyright..............................................................................................................................130
7
Note:
The downloadable version of this guide includes the following additional files: DSACL
Snippets. Download Working with Active Directory Permissions in Microsoft
Exchange Server 2003 to print or read offline.
In many organizations, there are separate administrators for Exchange and Active Directory,
which means that there is a need to delegate administrative functions, so that distinct
boundaries of administrative rights are maintained. This is known as a split permissions
model. In this type of model, operations are decentralized in that two or more operation teams
manage aspects of Exchange and Active Directory. For example, one operations team might
manage domain and forest functions (creating DNS zones, establishing new domains, and
creating user accounts), while another operations team manages Exchange-related functions
(installing Exchange servers, mailbox management, and e-mail routing). In these situations,
certain rights must be delegated to all parties so that they may complete their prescribed job
functions without compromising the operational and security boundaries.
Organizations that implement a split permissions model typically want to restrict permissions
granted to administrative personnel to the extent possible, thereby ensuring accountability
and increasing security.
8
While the majority of this guide focuses on understanding and configuring a split permissions
model, several other permission-related topics are also covered, including:
• Frequently asked questions (FAQ) regarding the "how" and "why" of permissions
around the Active Directory Connector, Exchange Server 2003 deployment, and
Exchange Server 2003 management.
• How to set permissions on Active Directory objects and classes at the domain and
organizational unit levels.
• How does Active Directory store and manage permissions for Exchange user and
configuration data?
• What permissions are set by the Exchange Administration Delegation Wizard, and
what are "effective" rights or permissions?
• What tools are available to modify Exchange permissions in Active Directory, and
how do I use them?
Because all organizations are different and determining Active Directory permissions is so
flexible, it is not possible to recommend a permissions strategy that works for all
organizations. Therefore, this guide is not prescriptive; it does not provide suggestions
around a permissions model. Use the information presented in this guide to implement the
appropriate permissions model for your organization.
In Active Directory, data storage is partitioned into three logical segments called naming
contexts. Each naming context replicates its changes separately among those domain
controllers in the forest that store copies (replicas) of the same naming contexts:
You can view these naming contexts and their contents with the ADSI Edit MMC snap-in. The
ADSI Edit MMC snap-in is installed with the Windows Support Tools. You can launch the
Windows Support Tools Setup by double-clicking the Suptools.msi file in the \Support\Tools
directory on the Windows Server™ 2003 CD.
The schema naming context root object contains one child object for each class of objects
that can be instantiated in the Active Directory forest and contains one object for each
attribute that can be part of an object in the Active Directory forest.
Exchange 2000 Server and Exchange Server 2003 extend the schema so that Exchange
objects (for example, mail-enabled recipients, Exchange databases) can be instantiated in
10
the organization. There are no Exchange-related permissions required to extend the schema;
this function is reserved for the Schema Administrators in the forest.
Exchange 2000 Server and Exchange Server 2003 store their configuration within this
naming context, specifically within cn=Microsoft
Exchange,cn=Services,cn=Configuration,dc=<root domain>. Data stored by Exchange within
the Configuration naming context is protected from unauthorized access by the security
permissions configured within the Exchange System Manager using the Exchange
Delegation Wizard.
Important:
Enterprise Administrators and root domain Domain Administrators can perform
Exchange-related functions without being granted rights using the Exchange
Delegation Wizard. Although these administrators do not have Full Control, they do
have many rights. The only permissions that they do not have are Full Control, Delete
Children, Delete Tree, and No Special Permissions. So, for example, Domain
Administrators from the root domain and Enterprise Administrators can dismount and
mount Exchange stores.
For Exchange 2000 Server and Exchange Server 2003, the domain naming context is where
mail-enabled recipients are stored. To manipulate mail-enabled recipients, permissions may
be required both on the object and within the Exchange organization.
Enterprise administrators may want to have more granular details on the exact changes that
the Delegation Wizard makes to Active Directory. This chapter explains those changes.
By using the Exchange Administration Delegation Wizard, permissions are applied at the
Microsoft® Exchange container level in the Active Directory configuration naming context and
inherited throughout the organization. These permissions do not grant any access to objects
stored within the domain naming contexts of the forest (that is, where user, group, and
contact objects are stored), allowing for higher levels of security and separation.
Organization Rights:
• Full Control permissions on the MsExchConfiguration container (this object and its
subcontainers).
• Read permissions and Change permissions on the Deleted Objects container in the
Configuration naming context (Config NC) (this object and its subcontainers).
• Read, List object, and List contents permissions on the Organization container (this
object and its subcontainers).
• Full Control, Deny Send-As, and Deny Receive-As permissions on the Administrator
Groups container (this object and its subcontainers).
• Full Control permissions (except for Change) on the Connections container (this
object and its sub-containers).
• Read, List object, List contents, and Write properties permissions on the Offline
Address Lists container (this object and its subcontainers).
Exchange Administrator
When you assign a user or a group Exchange Administrator permissions, the user or the
group can fully administer Exchange Server computer information. A user who has Exchange
Administrator permissions has the following rights:
Organization Rights:
• Read, List object, and List contents permissions on the Organization container (this
object and its subcontainers).
• All permissions (except for Change, Deny Send-As, and Deny Receive-As
permissions) on the Administrator Group container (this object and its sub-containers).
• All permissions (except for Change permissions) on the Connections container (this
object and its subcontainers).
• Read, List object, List contents, and Write properties permissions on the Offline
Address Lists container (this object and its subcontainers).
13
Organization Rights:
• View Information Store Status permissions on the Organization container (this object
and its sub-containers).
Administrative Group Rights:
• Read, List object, and List contents permissions on the Organization container (this
object only).
• Read, List object, and List contents permissions on the Administrator Groups
container (this object only).
• Read, List object, List contents, and View Information Store Status permissions on
the Administrator Groups container (this object and its sub-containers).
• Exchange View Only Administrator includes Exchange View Only Administrator at the
administrative group level.
• Exchange Full Administrator includes all other permissions at both the organization
and administrative group levels.
The following table provides a summary of the effective permissions versus the granted
permissions.
Granted AG: View AG: Admin AG: Full ORG: ORG: ORG: Full
Permissio Admin View Admin Admin
ns
Granted AG: View AG: Admin AG: Full ORG: ORG: ORG: Full
Permissio Admin View Admin Admin
ns
Many answers in this section describe specific permission changes that you can make to
allow or disable access. If you are not familiar with the tools you can use to make permission
changes, see Implementing a Split Permissions Model.
To install the first Active Directory Connector (ADC), you must update the schema of
Active Directory and copy the binary files to the local computer. Therefore, you must be
logged on as a user with the following permissions:
• Schema Admins
• Enterprise Admins
As an alternative, an administrator in the Schema Admins group can use the /SchemaOnly
command-line switch with Active Directory Connector Setup to extend the Active Directory
schema. In this scenario, the person who actually installs the ADC service does not need to
be a member of the Schema Admins group. An advantage to this method is that, if a company
has very strict control over the schema, personnel who have the responsibility of monitoring
the schema can make the schema adjustments required, and the ADC/Exchange
administrator can perform his or her job independently.
It is recommended that you follow the best practices defined in the Exchange Server 2003
Deployment Guide when deploying the ADC Service. The best practice recommendation is to
run ForestPrep, run DomainPrep, and then install the ADC service.
Because the schema has already been updated, you need the following Active Directory
permissions to install additional connectors:
• Domain Administrator
The ADC setup program has a hard-coded prerequisite where you must belong to the
Domain Admins group in Active Directory. You must belong to this group even if you only want
to install the ADC Management snap-ins on a computer.
When installing the Active Directory Connector service, I need to enter a service
account. Why is this required when Exchange services start as LocalSystem? What
permissions will the service account require?
The ADC requires a service account because a subset of the ADC technology is shipped with
the Windows Server operating system. Exchange has features to prepare the Active Directory
forest and domains for installation of the server (with the use of ForestPrep and
DomainPrep). Part of this preparation involves setting permissions for LocalSystem services
to Active Directory. Because the ADC can be used without Microsoft Exchange 2000 Server
or Exchange Server 2003 installed, a separate service account is used to achieve the same
functionality.
• Member of the local Administrators group on the target ADC server (to write local
security authority, or LSA, Global Secrets).
• Member of the Enterprise Admins group if the ADC is used in a Windows 2000 or
Windows Server 2003–based environment without Exchange 2000 Server or
Exchange Server 2003.
• Either a member of the Enterprise Admins group or the role of Exchange Full
Administrator at the Organization level if the ADC is used with Exchange 2000 Server or
Exchange Server 2003 and not just Windows 2000 or Windows Server 2003.
For more information about how the ADC writes to LSA Global Secrets, see Microsoft
Knowledge Base article 253830, "XADM: How the Active Directory Connector Stores
Passwords."
The ADC service account requires permissions to modify the Exchange configuration
information in the Active Directory database because configuration connection agreements
(CCAs) do not have credentials set on them by default. Therefore, the ADC must assume that
the service account has all the necessary permissions to make the Active Directory changes.
If you are going to deploy Exchange Server 2003 by joining an existing Exchange Server
version 5.5 organization, you may install the ADC first. If you want, you can put the ADC
service account into the Enterprise Admins group for the initial installation, and subsequently
delegate the correct Exchange role after the first server running Exchange Server 2003 has
been installed. You can then remove the ADC service account from the Enterprise Admins
group.
As mentioned above, however, if you follow the best practices in the Exchange Server 2003
Deployment Guide, you can grant the ADC service account Exchange Full Admin permissions
by means of the Exchange System Manager Administration Delegation Wizard.
On member servers, ADC configures the ADC service account to have the following user
rights in the member server’s local security policy:
• Log on as a Service
If ADC is installed on a server running Active Directory, then these user rights are configured
on the Default Domain Controller group policy.
Note:
If you have implemented other policies on your domain controller organizational units,
you must add these rights to the highest applicable policy.
18
Is it possible to change the password for the ADC service account after installation?
Yes. To change the password, see "How to Change the Password for the Active Directory
Connector Service Account."
The above permissions can be manually granted using the ADSI Edit (AdsiEdit.msc) MMC
snap-in. If you do not want to manually grant permissions, either of the following user roles
can be used to manage the ADC:
• Active Directory
• Account Operator (of the local domain) if there are any Exchange Server 5.5
distribution lists with hidden membership. For more information about hidden
membership, see Microsoft Knowledge Base article 321205 "XADM: Hidden Group
Membership Does Not Replicate to Exchange Server 5.5."
19
Procedure
To change the password for the ADC service account
1. Change the password for the ADC service account using the Active Directory
Users and Computers snap-in.
2. Wait a few minutes for the new password to replicate through Active Directory.
4. If the ADC service account is being used on any connection agreements, use the
Active Directory Connector MMC snap-in to locate any one of these agreements
and re-type the password on the Connections tab. It is only necessary to change the
password on one connection agreement because the password is stored in the LSA
Global Secrets database.
5. Restart the ADC service, and monitor the event log to make sure that replication
is occurring successfully.
20
What permissions do I need to run ForestPrep for Exchange Server 2003 Setup?
ForestPrep updates the Active Directory® directory service schema and creates the
Exchange organization object. Additionally, you will be able to specify the first Exchange
Server 2003 administrator account. This account can be a user or group object. For simplicity,
it is recommended that you use a group object. You will need to be logged on as a user who
has the following permissions:
• Schema Admins
• Enterprise Admins
ForestPrep must be run in the domain that contains the Active Directory schema master. By
default, this domain is the root domain in the forest. You do not necessarily have to run
ForestPrep on the schema master; any Windows® 2000 or Windows Server™ 2003
computer in the domain is satisfactory. That said, it is a best practice to run ForestPrep on the
schema master so that network interruptions and latency do not affect the schema update.
After you run Exchange Server 2003 ForestPrep, some third-party applications may log error
events because of a permissions error when you access mailboxes.
It is likely that these applications rely on gaining access to mailboxes through membership of
the Exchange Domain Servers group. However, on each Exchange Server 2003 ForestPrep
and server installation, a 'Deny ACE' is now placed on this group on the 'Servers' container.
This change was made to decrease a potential point of access for attack and to help increase
the overall security of the messaging system.
To continue to allow your applications to access mailbox data, create a group and place the
application's service accounts within this group. Grant this group "Send As" and "Receive As"
permissions on the appropriate Exchange configuration container such as the Organization
object. To help enhance security additionally, configure permissions on only those mailbox
stores to which the application requires access.
• Creates within the domain's Users container 'Exchange Enterprise Servers' domain
local group.
21
• This group will contain each domain's 'Exchange Domain Servers' group that has
a Recipient Update Service.
• Creates within the domain's Users container 'Exchange Domain Servers' global
group.
• This group will contain all the Exchange 2000 Server and Exchange Server 2003
servers within the domain.
• Creates the 'Microsoft Exchange System Objects' container at the root of the domain.
• This container is used to store public folder proxy objects and Exchange-related
system objects (for example, the mailbox store's mailbox).
• Assigns specific permissions on this folder. For more information about the
specific permissions granted, see "Permissions Granted During Exchange Setup."
• Assigns permissions at the domain level for the 'Exchange Enterprise Servers' group.
For more information about the specific permissions granted, see "Permissions Granted
During Exchange Setup."
• Assigns the 'Exchange Enterprise Servers' group the user right 'Manage Auditing &
Security Logs' on the Default Domain Controller Policy (Group Policy object on the
Domain Controllers organizational unit).
DomainPrep allows Active Directory domain administrators to prepare their domains for
Exchange 2000 Server or Exchange Server 2003 users and/or servers. You should run
DomainPrep in each domain that will contain:
• mail-enabled objects
• global catalog servers that Exchange Directory Access components could potentially
use.
Additionally, you must also run DomainPrep on the root domain in the forest to ensure that
Public Folder proxy objects are created successfully.
DomainPrep will create an Exchange Domain Servers global security group, an Exchange
Enterprise Servers local security group, and configure the permissions so that the Exchange
server can access the Active Directory database. To run DomainPrep, you must be logged on
as a user who is a member of the Domain Admin group in the domain where DomainPrep is
to be run.
I have noticed that DomainPrep changes the domain controller policy. The Exchange
Enterprise Servers group is granted the permission to 'Manage the auditing and
security logs'. Why is this required?
For the store process to support mailbox auditing, this permission is required because it
allows the Exchange server to read System Access Control Lists (SACLs) within the domain.
If this permission is removed, Exchange server databases will not mount. This is the only
adjustment that DomainPrep makes to the domain controller policy. This policy is replicated to
other domain controllers through a combination of Active Directory replication and the File
Replication service. You can use the policytest.exe tool, which is provided in the
Support\ExDeploy folder on the Exchange Server 2003 media, to check the replication state
of the adjusted policy.
Note:
If you have implemented other policies on your domain controller organizational units,
you must add this right to the highest applicable policy.
What function do the Exchange Domain Servers and Exchange Enterprise Servers
groups perform?
Both these groups are created through DomainPrep. They reside in the Users container in
the domain and must not be moved or renamed (otherwise, computers that are running
Exchange 2000 Server or Exchange Server 2003 in the domain will shut down). Every time
Exchange is installed on a computer, the computer account is added to the local Exchange
Domain Servers global security group. In turn, this group is a member of the Exchange
Enterprise Servers local security group in each domain. The Recipient Update Service is
responsible for making sure that all Exchange group nestings are complete in the forest. The
Exchange Enterprise Servers group is given various permissions on the domain naming
23
context in Active Directory. Through these inherited permissions, the Recipient Update
Service can modify Exchange-specific attributes on user accounts in each domain.
Why does the Pre-Windows 2000 Compatible Access group contain the Exchange
Domain Servers group?
In the Exchange security model, every domain contains two groups: a domain global group
named Exchange Domain Servers and a domain local group named Exchange Enterprise
Servers. The Exchange Domain Servers group contains all the Exchange servers in that
domain. The Exchange Enterprise Servers group contains the Exchange Domain Servers
groups from all domains in the forest in which you have run DomainPrep. DomainPrep grants
the Exchange Enterprise Servers group read and write permissions on a variety of mail-
related attributes on domain partition objects. After you run DomainPrep, all Exchange
servers should have these read and write permissions through the two levels of group
membership.
In Exchange 2000 Server, all Exchange servers do not always have the necessary read and
write permissions after you run DomainPrep. Specifically, if an Exchange server attempts to
read attributes on a domain partition mailbox-enabled user object and is connected to a
global catalog server in a different domain than that in which the user resides, the Exchange
Enterprise Servers group is not present in the Exchange server's security token; therefore,
the read and write permissions from the Exchange Enterprise Servers group do not take
effect. In this case, the Exchange server acts as an authenticated user.
This is not an issue when the domain is enabled with “Permissions compatible for pre-
Windows 2000 applications" because the Everyone security principal (and in Windows
Server™ 2003, the Anonymous Logon security principal) has read permissions against all
attributes on all objects in the domain. Therefore the Exchange server has access to the
necessary data.
To help protect against cases where the domain may not have been prepared for pre-
Windows 2000 applications, Exchange Server 2003 DomainPrep adds the Exchange Domain
Servers group to the BUILTIN\Pre-Windows 2000 Compatible Access group within the
domain. In addition, DomainPrep adds an access control entry to the Pre-Windows 2000
Compatible Access group to allow the Exchange Enterprise Servers group to modify the
membership of the Pre-Windows 2000 Compatible Access group.
DomainPrep only places access control entries (ACE) for the Exchange Enterprise Servers
group at the domain level; therefore, if you block inheritance, the Recipient Update Service
will not be able to process user objects. The result is that new users will not be able to log on
to Exchange, and policy modifications to existing users will not be applied.
Upon blocking inheritance, you have the option to either 'Remove' or 'Copy' the permissions
on the selected container/organizational unit. If you choose to 'Copy' the permissions, the
24
Recipient Update Service continues to process objects. If you choose to 'Remove' the
permissions, the Recipient Update Service is unable to function in that container.
If you want to set permissions manually on an organization unit so that the Recipient Update
Service can process objects, assign the Exchange Enterprise Servers group the following
permissions to all user objects in the organizational unit:
• List Contents
• Read Permissions
Additionally, the Exchange Enterprise Servers group must have the 'modify-permissions'
permission on group objects. This permission is necessary to support hidden group
membership.
All these permissions can be set using the ADSI Edit MMC snap-in. For more information
about setting permissions at the organizational unit level, see "Implementing a Split
Permissions Model."
When reviewing the Advanced Permissions tab on the domain object, I see that the
'Enterprise Exchange Servers' group appears multiple times. However, why do most of
the permissions appear blank?
The Enterprise Exchange Servers group requires permissions at the domain level so that
computers running Exchange 2000 Server can process new mail and mailbox-enabled users.
For example, when a new mailbox-enabled user is created, the Recipient Update Service
writes a set of e-mail addresses on the object and places the user in the correct address lists.
The Recipient Update Service runs as part of the Exchange System Attendant process on an
Exchange server. Because the computer object of the Exchange server is a member of the
Exchange Domain Servers group (which in turn is a member of the Exchange Enterprise
Servers group), the Recipient Update Service can successfully process updates on objects in
the domain.
The permissions may appear blank in the Active Directory Users and Computers snap-in
because the interface does not show all of the granular permissions that can be granted in
Active Directory. Therefore, the permissions have been granted, but they are not viewable
from the interface. To view all of the granular permissions, use the Dsalcs.exe tool as
described in "Implementing a Split Permissions Model."
Assuming that ForestPrep and DomainPrep have been run, to install the first Exchange
server, you must be logged on to Active Directory with the following permissions:
Additionally, if you are joining an existing Exchange Server 5.5 site, the logged-on account
must have the following permissions to access the Exchange Server 5.5 directory, and the
person installing Exchange must know the site services account name and password:
• Admin role on the Exchange Server 5.5 site naming context (for the Exchange site
you want to join)
• Admin role on the Exchange Server 5.5 configuration naming context (for the
Exchange site you want to join)
A two-way trust will be required between the domain where you are installing Exchange 2000
Server or Exchange Server 2003 and the domain where the server running
Exchange Server 5.5 exists.
There are two independent requirements that necessitate a two-way trust between the
Windows NT® domain and Active Directory. The trust from Active Directory to Windows NT is
necessary because the Exchange Server 2003 message transfer agent (MTA) and Site
Replication Service must use the Exchange Server 5.5 site service account, which exists in
the Windows NT domain. The second one-way trust, from Windows NT to Active Directory, is
required to provide appropriate rights for Exchange Server 2003 (the account specified when
you install into an Exchange Server 5.5 site) to read and write to the Exchange Server 5.5
organization, site, and configuration naming contexts.
To delegate permissions to other users, use the Exchange Delegation Wizard that is part of
the Exchange System Manager console.
You must be logged on as a user with the Exchange Full Administrator role to the
organization to use the Exchange Delegation Wizard. For this reason, and for performance
reasons, it is recommended that you delegate control to group objects instead of directly to
users. For example, you may want to create an Active Directory group called "Seattle
Exchange Admins". You can use the Exchange Delegation Wizard to allow members of this
group to administer the "Seattle" admin group. A domain administrator or equivalent can
change the membership of the group object to include the relevant administrator accounts.
No, the Exchange Administration Delegation Wizard assigns permissions in the configuration
naming context of Active Directory, not the domain naming context (which is where the
computer accounts reside). However, you will need to restart the System Attendant on the
Exchange server after the computer account object has been moved. For more information
about why you need to restart the Exchange server, see Microsoft Knowledge Base article
271335, "XADM: System Attendant Generates 9186 and 9187 Event ID Messages."
26
What is the difference between the Exchange Full Administrator and the Exchange
Administrator role?
• Exchange databases
• Address lists
An Exchange Administrator can manipulate any Exchange object, but does not have the
ability to delegate permissions or change the settings on the Security tab on the Exchange
objects listed above. However, an Exchange Administrator can change the permissions
(Security tab) on public folders.
Yes. Unlike Exchange Server 5.5, Exchange Server 2003 permissions are inherited.
What permissions do I need to install subsequent servers that are running Exchange
Server 2003 into my organization?
In Exchange 2000 Server, administrators must be assigned the Exchange Full Administrator
administrative role at the organization level to install and to remove Exchange 2000 Server, to
upgrade servers, and to perform disaster recovery on servers. This requirement changed in
Exchange Server 2003 to permit administrators who are assigned the Exchange Full
Administrator administrative role at the administrative group level to install and to remove
Exchange Server 2003, to upgrade servers, and to perform disaster recovery on servers that
are in that administrative group.
The following considerations apply when you install Exchange Server 2003 on servers as an
administrator who has Exchange Full Administrator permissions at the administrative group
level only:
• A domain administrator must manually add the computer account of the server to the
Exchange Domain Servers group.
If you are an administrator who is an Exchange Full Administrator in the administrative group,
and you run Exchange Server 2003 Setup on a server that is not clustered, only the
administrative groups that you have permissions to access appear. However, on a clustered
server, Exchange Server 2003 Setup displays all administrative groups. If you select an
administrative group that you do not have permissions to access, you receive an "Access
Denied" message.
If you are installing subsequent servers into a mixed Exchange 2000 Server or Exchange
Server 2003 and Exchange Server 5.5 site, a two-way trust is required between the domain
where you are installing Exchange 2000 Server or Exchange Server 2003 and the domain
where the server running Exchange Server 5.5 exists.
For an Exchange 2000 Server cluster administrator to create, delete, or modify an Exchange
Virtual Server, the cluster administrator's account and the Cluster service account require the
following permissions:
• If the Exchange Virtual Server is the first Exchange Virtual Server in the Exchange
organization, the cluster administrator's account and the Cluster service account must
each be a member of a group that has the Exchange Full Administrator role applied at the
organization level.
• If the Exchange Virtual Server is not the first Exchange Virtual Server in the
organization, the cluster administrator's account and the Cluster service account must
each be a member of a group that has the Exchange Full Administrator role applied at the
administrative group level.
In Exchange Server 2003, the permissions model has changed. The Windows Cluster service
account no longer requires Exchange-specific permissions. Specifically, the Windows Cluster
service account no longer requires that the Exchange Full Administrator role be applied to it,
neither at the Exchange organization level nor at the administrative group level. Its default
permissions in the forest are sufficient for it to function in Exchange Server 2003.
As with Exchange 2000 Server, the cluster administrator requires the following permissions:
28
• If the Exchange Virtual Server is the first Exchange Virtual Server in the organization,
the cluster administrator must be a member of a group that has the Exchange Full
Administrator role applied at the organization level.
• If the Exchange Virtual Server is not the first Exchange Virtual Server in the
organization, you must use an account that is a member of a group that has the
Exchange Full Administrator role applied at the administrative group level.
However, depending on the mode in which your Exchange organization is running (native
mode or mixed mode), and depending on your topology configuration, your cluster
administrators must have the following additional permissions:
• When your Exchange organization is in native mode, if the Exchange Virtual Server
is in a routing group that spans multiple administrative groups, the cluster administrator
must be a member of a group that has the Exchange Full Administrator role applied at all
the administrative group levels that the routing group spans. For example, if the
Exchange Virtual Server is in a routing group that spans the First Administrative Group
and Second Administrative Group, the cluster administrator must use an account that is a
member of a group that has the Exchange Full Administrator role applied at First
Administrative Group and must also be a member of a group that has the Exchange Full
Administrator role applied at Second Administrative Group.
Note:
Routing groups in Exchange native-mode organizations can span multiple
administrative groups. Routing groups in Exchange mixed-mode organizations
cannot span multiple administrative groups.
• In topologies such as parent/child domains where the cluster server is the first
Exchange server in the child domain, the cluster administrator must be a member of a
group that has the Exchange Administrator role or greater applied at the organization
level to be able to specify the server responsible for Recipient Update Service in the child
domain.
What permissions do I need to install service packs for Exchange Server 2003?
Service packs for Exchange must be installed after Exchange Server 2003. There is no
integrated setup of Exchange that includes service packs. You need the following permissions
to apply service packs:
• Member of the local Administrators group on the target Exchange Server 2003
server.
Important:
Starting with Exchange Server 2003 Service Pack 2 (SP2), you will need the
Exchange Administrator role at the organization to upgrade the first server to the
29
latest service pack. This is so that setup can create the UCE Content Filter container
in the Exchange organization container within the Configuration partition. After the
first server is upgraded and this container gets created, you will only need the
Exchange Administrator role on the destination administrative group to upgrade
additional servers.
I have a third-party messaging application that requires full access to each user's
mailbox. With Exchange Server 5.5, we grant a special account the 'Service Account
Admin' permissions, and then tell the application to use this account. How can I
achieve similar functionality in Exchange Server 2003?
Exchange Server 2003 security works differently from that of Exchange Server 5.5. In fact,
Exchange Server 2003 does not use a site service account; instead, all services start as the
local computer account.
The recommended methods of achieving the effect that you want are described in the
following Microsoft Knowledge Base articles:
Note:
If you are running Exchange 2000 Server, and the EDSLock script has been used to
secure access to Exchange mailboxes, members of the "Exchange Domain Servers"
group will not have permissions to open mailboxes on remote Exchange servers.
Active Directory includes a base set of permissions that can be applied against objects within
the directory. In particular, Active Directory includes the Send As extended permission. By
default, the Administrators group, the Domain Admins group, the Enterprise Admins group,
and the Account Operators group have Send As permissions for all users. The Administrators
group permissions and the Enterprise Admins group permissions are inherited from the
domain level. The Account Operators group and the Domain Admins group receive explicit
permissions that are based on the definition of the user object that is in the Active Directory
schema.
You may consider implementing a Deny "Send As" access control entry (ACE) against
administrators for user objects in the domain. If you decide to implement a Deny "Send As"
ACE against administrators for user objects in the domain, consider the following:
• An explicit Allow ACE will override an inherited Deny (in other words, explicit ACEs
are applied before inherited ACEs).
30
• Members of the Domain Admins group are able to remove the Deny ACE and/or add
an explicit Allow ACE.
• The addition of a Deny ACE may have additional consequences in your environment.
For more information, see Where to Apply Permissions.
If implementing a Deny "Send As" ACE against administrators for user objects in the domain
puts your messaging environment at risk, you should implement one or more of the following:
• Limit the number of domain administrators in the domain by delegating specific tasks.
For more information, see “Best Practices for Delegating Active Directory Administration”
(http://go.microsoft.com/fwlink/?LinkId=31309).
• Use auditing to monitor the account logon events for those accounts that are
members of the Domain Admins group.
Why do members of the Enterprise Admins group and root Domain Admins group have
full control in the Exchange organization?
In Exchange 2000 Server and later versions, data about the Exchange organization is not
stored in a separate directory. Exchange stores organizational data in Active Directory in the
Configuration naming context. The forest administrators (members of either Enterprise
Admins group or root Domain Admins group) control all aspects of the directory, and, in
essence, own the data stored in the directory. Forest administrators must control the directory
because a single configuration change could adversely affect the entire forest. The
Configuration naming context, and, by inheritance, the Exchange organization stored within
the Configuration naming context, have the following permissions:
• Root Domain Admins – Read, Write, Create All Child Objects, Special Permissions
In addition to the inherited permissions, Exchange Setup adds a Deny ACE for “Send As” and
“Receive As” against the Enterprise Admins group and root Domain Admins group; this
prevents those administrators from accessing and spoofing mailboxes within the forest. For
more information, see Permissions Granted During Exchange Setup.
You cannot remove inheritance from the Exchange organization node within the configuration
naming context. If the messaging administrators do not trust the forest administrators, the
messaging team should consider isolating Exchange within its own forest. For more
information about deployment options, see the Exchange Server 2003 Deployment Guide
(http://go.microsoft.com/fwlink/?LinkId=47569).
If you cannot put the Exchange organization in a separate forest, it is recommended that you
perform one or more of the following tasks:
• Limit the number of enterprise administrators and domain administrators in the root
domain by delegating specific tasks. For more information, see “Best Practices for
Delegating Active Directory Administration” (http://go.microsoft.com/fwlink/?
LinkId=31309).
31
• Use auditing to monitor the account logon events for those accounts that are
members of any privileged groups, including the Enterprise Admins group and the root
Domain Admins group.
Why is there a special service account in Exchange Server 5.5, when Exchange
Server 2003 services can start as the LocalSystem (built-in computer account)?
Exchange Server 5.5 required a special logon account for its services because of a limitation
with Windows NT Server 4.0. Although local computer accounts in Windows NT 4.0 had
tokens, they did not have credentials; therefore, one computer account could not authenticate
to another. Kerberos authentication is used in Windows 2000 or Windows Server 2003, and
computer accounts have both tokens and credentials.
It is more secure to use the local computer account than an administrator-specified account
for the following reasons:
• The Exchange Server 5.5 service account has to be excluded from lockout policies
because a brute-force attempt to log on could disable the account and shut down the
Exchange services.
The computer account for my Exchange Server 2003 server was accidentally deleted
from Active Directory. Although I can re-create it, will the Exchange Server 2003
services work correctly?
If you just re-add the computer account, the Exchange services will start, although you might
encounter some issues such as DSAccess errors in the event log. The computer account is
assigned various permissions in Active Directory during Exchange Server 2003 Setup.
Therefore, run Exchange Server 2003 Setup again and select the Reinstall option; the correct
permissions will be granted for your new computer account.
Alternatively, you can grant the computer account the appropriate permissions with ADSI Edit
as specified in Microsoft Knowledge Base article 297295, "The Computer Account for
Exchange Server Is Absent."
After you have re-created the computer account, you can grant the new account necessary
permissions. To assign the appropriate permissions to the Exchange computer account, see
"How to Use ADSI Edit to Add Full Control Permissions to the Exchange Computer Account."
32
After you create the computer account, you can grant the new account the required
permissions.
Caution:
If you use the ADSI Edit snap-in and you incorrectly modify the attributes of Active
Directory objects, you can cause serious problems. These problems may require that
you to reinstall Microsoft Windows Server™ 2003, Microsoft Exchange Server 2003,
or both. Serious problems may occur if you incorrectly modify Active Directory object
attributes. Modify these attributes at your own risk.
Procedure
To use ADSI Edit to add Full Control permissions to the Exchange computer
account
1. Start ADSI Edit, and then browse to the following location:
Domain.com/Configuration/Services/Microsoft Exchange/Org/Administrative
Groups/AdminGroup/Servers/Server Name
5. Click Add, and then verify that the account is added to the Permissions window
with full control.
33
You should also examine the local Exchange Domain Servers group within the domain to
make sure that your new computer account is a member. The System Attendant will try to add
the computer account to this group when it starts; however, if this process is unsuccessful,
you will have to add the account manually by using the Active Directory Users and Computers
snap-in.
For more information about working with ADSI Edit, see the topic "Adsiedit.msc: ADSI Edit" in
the Windows Server Help.
If you are responsible for both user and mailbox management, you need to have permissions
to create a user object in Active Directory. For example, you could be a Domain Admin,
Account Operator, or you might have delegated access to a specific organization unit. In
addition, you need the following Exchange permission:
• The Exchange View Only Administrator role to the administrative group where the
target Exchange Server 2003 server exists.
If you are responsible for mailbox-enabling users post-account creation, you can use a
reduced set of permissions (in addition to the Exchange View Only Administrator).
Additionally, if you manage public folder objects, it is recommended that the administration
account (that is, the account that you log on as when you manipulate objects in the Exchange
System Manager) is mail-enabled or mailbox-enabled. In some cases, odd behavior in the
permissioning user interface, as well as display name resolution errors may occur if the
account administering public folder objects is not mailbox or mail-enabled.
For more information, see "Other Problems" under the topic "Troubleshooting and Repairing
Exchange Server 2003 Store Problems" in Working with Exchange Server 2003 Stores
(http://go.microsoft.com/fwlink/?LinkId=47595).
34
• Administer Information Store right granted on the mailbox store where the mailbox
resides
• Write right granted on the mailbox store where the mailbox resides
For more information about modifying mailbox rights, see Microsoft Knowledge Base article
330475 "You need full mailbox access to change mailbox rights after you install
Exchange 2000 SP3." This behavior was changed in Service Pack 2 for Exchange 2000
Server. However, an issue arose in Service Pack 3; therefore, to fully administer mailbox
rights, you should install at least the Exchange 2000 Server Post-SP3 Rollup. For more
information about the Post-SP3 release, see Microsoft Knowledge Base article 836488, "April
2004 Exchange 2000 Server post-Service Pack 3 update rollup."
The move mailbox functionality accessible from the Active Directory Users and Computers
snap-in logs onto the source mailbox and moves the folders and messages to the destination
mailbox. You can move mailboxes between mailbox stores in the same storage group, across
different storage groups on the same server, between Exchange servers in the same
administration group, or between Exchange servers in different administrative groups
(Exchange Organization must be at Native Mode). You will need to have permissions on the
user object in Active Directory to modify its Exchange mailbox attributes; a user who is an
Account Operator will have these permissions. Additionally, you will require:
• Exchange Administrator role on the administrative group where the source and
destination server running Exchange Server 2003 exists.
Why does Exchange View Only Administrator require the right to create objects in the
global namespace for Exchange Server 2003 Service Pack 1?
When Service Pack 1 (SP1) for Exchange Server 2003 is running on Windows 2000 Server
SP4 (or later) or Windows Server 2003, Exchange System Manager creates objects in the
computer's global namespace. As a result, any administrator who is using Exchange System
Manager must have the Create Global Objects right (SE_CREATE_GLOBAL_NAME) on the
server. By default, local administrator accounts have this right. However, if the user's account
has Exchange View Only Administrator rights but does not have local administrator rights on
the computer, the user receives an error. This situation typically occurs when a user uses
35
Terminal Services to access Exchange System Manager on another server for which the user
is not a local administrator.
To avoid this error, you can either add the user to the local administrators group, or you can
grant the Create Global Objects right to the user. To grant this right, log on to the local
computer using an account that is a member of the Administrator's group, and then grant this
right to the user account in Local Security Settings.
The Create Global Objects right does not exist in Windows 2000 Server SP3 (or earlier) or
Windows XP. For these operating systems, no action is necessary.
What permissions do I need to be able to move a mailbox from Exchange Server 5.5 to
Exchange 2000 Server or Exchange Server 2003 in the same site or administrative
group?
When you use Active Directory Users and Computers, the mailbox is transferred between the
two servers, and then the current credentials are used to update the Home-MTA and Home-
MDB attributes on the user and mailbox object.
• Active Directory
• Either a member of the Domain Admins or the Account Operators group in the
local domain, or the appropriate attribute-level permissions.
To create a new administrative group, you need to be logged on to Active Directory as a user
with the following permission:
What permissions do I need to run the Active Directory Account Cleanup Wizard
(ADclean.exe)?
The administrator who uses ADclean.exe needs the following permissions in Active Directory:
ADclean.exe modifies almost all of the attributes on the target object; therefore, it is
recommended that the administrator who runs the tool be a member of the Domain Admins
group of the target domain.
What permissions do I need to be able to look at the Status node in the Exchange
System Manager and perform Message Tracking?
You need at least the Exchange View Only Administrator role to the Administrative Group(s)
where tracking will take place. In large, multi-Administrative Group installations, it is
recommended to give message tracking staff the Exchange View Only Administrator role at
the Organization level because a single message track may include servers from any
Administrative Group.
Be aware that in Exchange 2000 Server 'Everyone' has read permissions to the message
tracking log share on each Exchange server. If the administrator enables subject line logging,
user data may be exposed. However, in Exchange Server 2003, the permissions on the
message tracking log share have been restricted to the local Administrators group by default.
For an added layer of security, you should further restrict the message tracking log by
creating a security group of authorized personnel and allowing only that security group read
access to the logs.
If a user wants to perform message tracking on an Exchange server that is running Windows
Server 2003, but the user does not have administrative permissions, you must grant the
following WMI permissions to the account:
• Execute Methods
• Provider Write
• Enable Account
• Remote Enable
Note:
You must apply these permissions to each Exchange server where you want to track
a message.
For more information about how to grant WMI permissions to user accounts or groups that
will perform message tracking, see How to Grant WMI Permissions for Message Tracking.
When you configure routing groups and connectors, you are not directly affecting user
account objects; therefore, you only need the following permission:
• Exchange Administrator role to the administrative group where the new routing group
or connector will exist.
Note:
Routing group connectors are unidirectional. To create a bidirectional routing
group connector to a routing group that is outside of the local administrative
group, you also need to have Exchange Administrator permissions to the remote
administrative group.
If you need to define the global message formats for specific outbound domains or need to
specify global message thresholds, you need the following permission:
What permissions do I need to start and stop an Internet Protocol virtual server (for
example, Simple Mail Transfer Protocol)?
• If you are starting or stopping the service from Exchange System Manager, you need
Exchange Administrator role on the administrative group where the virtual server exists.
• For stand-alone Exchange Servers: If you are starting or stopping the service from
the Services MMC snap-in, you need to be a member of the local Administrators group
on the stand-alone Exchange server.
• For Exchange Virtual Servers: If you are starting or stopping the service from the
Cluster Administrator, you need to be a member of the local Administrators group (or
have been delegated permissions to the cluster) on the Exchange Virtual Server.
What permissions do I need to view the Current Sessions on an SMTP virtual server?
To view the current SMTP sessions you need the following permissions:
To view the message queues in the Exchange System Manager, you need the following
permissions:
• Exchange View Only Administrator role on the administrative group where the virtual
server exists
• Exchange View Only Administrator role on the administrative group where the routing
group for the virtual server exists.
To remove messages from queues, you need eitherof the following permissions:
38
• Exchange Administrator role on the administrative group where the virtual server
exists
• Exchange Administrator role on the administrative group where the server exists.
• Exchange Administrator role on the administrative group where the server or store
exists
Procedure
To grant WMI permissions for message tracking
1. On the Exchange server on which you will track messages, click Start, point to
All Programs, point to Administrative Tools, and then click Computer
Management.
6. Expand Root.
8. Click Add to add the user accounts or groups that will be responsible for
message tracking in the organization.
9. For each group or user name that will be responsible for message tracking in the
organization, select the Allow check box for the following permissions:
• Execute Methods
• Provider Write
• Enable Account
• Remote Enable
Note:
You must grant these permissions on each Exchange server on which you will track
messages.
This topic explains how you can configure permissions in Active Directory to correspond to
your administrative model. This granular level of permissioning is referred to as a split
permissions model. "Implementing a Split Permissions Model" describes the tools and
processes you need to understand to implement a split permissions model in your
organization.
"Split Permissions Model Reference" catalogues all of the Exchange attributes as they are
organized in the Active Directory Users and Computers Microsoft Management Console
(MMC) snap-in. Use this topic to help you identify the attributes and the appropriate
permissions you need to set on those attributes as you plan a split permissions model for
your organization.
40
Access Control
To manage Exchange related-attributes on objects within the domain naming contexts of the
forest, modify permissions must be granted to the Exchange Administrators group. This is
accomplished by modifying the security descriptor on the object containing the attributes.
A security descriptor contains two access control lists (ACLs). An ACL is a list of user or
security group objects that have access or are denied access to a resource or object. ACLs
allow granular permissions to be applied to the entire object, a set of the object's properties,
or to an individual property of an object. Two types of access control lists are within an
object's security descriptor:
• Discretionary access control lists (DACLs) DACLs identify the users and groups
that are assigned or denied access permissions on an object. If a DACL does not
explicitly identify a user, or any groups that a user is a member of, the user will be denied
access to that object. By default, a DACL is controlled by the owner of an object or the
person who created the object, and it contains access control entries that determine user
access to the object.
• System access control lists (SACLs) SACLs identify the users and groups that
you want to audit when they successfully access or fail to access an object. By default, a
SACL is controlled by the owner of an object or the person who created the object. A
SACL contains access control entries that determine whether to record a successful or
failed attempt by a user to access a object using a given permission, for example, Full
Control and Read.
An access control entry (ACE) is an entry in an object's DACL that grants permissions to a
user or group. An ACE is also an entry in an object's SACL that specifies the security events
that are to be audited for a user or group.
organizational unit structure that meets their business needs and allows for optimum
delegation of administrative privileges.
For more information about designing an organizational unit structure, see Best Practice
Active Directory Design for Managing Windows Networks and Best Practices for Delegating
Active Directory Administration.
When you design a delegation model, there are several possibilities for applying permissions;
however, this guide discusses only the following two methods:
On domain controllers that are running Microsoft Windows® 2000 Server, adding an
inheritable ACE at the domain level will cause the DACL to change for every object within the
domain. Depending on the number of ACEs added and the number of objects within the
domain, these changes could result in an "ACL bloat" (that is, unnecessary ACEs on objects
that increase the size of the ACL). An ACL bloat ultimately increases the physical size of the
NTDS.DIT file across all domain controllers within the domain.
On domain controllers that are running Windows Server™ 2003, a unique security descriptor
is stored only once rather than being stored for every object that inherits it. For every object
that inherits the security descriptor or otherwise stores an identical security descriptor, only a
pointer is stored. This change eliminates data redundancy and the database growth that can
result from changes to inheritable ACEs.
This method requires that all the managed objects be placed beneath a parent organizational
unit. Business requirements may prevent the organization from applying this methodology;
therefore, the permissions may need to be applied across multiple organizational units.
42
Note:
Incorrectly modifying the attributes of Active Directory objects by using ADSI Edit,
DSACLS, the LDP tool (ldp.exe), or any other LDAP (Lightweight Directory Access
Protocol) version 3 clients can cause serious problems. These problems may require
reinstallation of Windows Server, Exchange Server, or both. Problems that occur if
Active Directory object attributes are incorrectly modified may not be resolved. Modify
these attributes at your own risk.
Changing permissions in the domain naming context requires Domain Admin rights on the
object for which permissions are wanted.
Consider this example that shows how either one of the tools can be used to delegate certain
rights to Exchange Administrators. This example can be used as a sample for application of
delegated rights over users, contacts, and groups.
Exchange Administrators in the universal security group "ExAdminGroup" require the ability to
manage e-mail addresses, the display name, and to move mailboxes for all users located in
(and below) the organizational unit "UsersContainer" in the "company.com" domain. This
example assumes "ExAdminGroup" has "Exchange Administrator Role" in the source and
destination administrative groups. The examples show how to apply rights on the
UsersContainer by specifying read and/or write access on the following attributes within the
UsersContainer:
• displayName
• homeMDB
• homeMTA
• msExchHomeServerName
• msExchPoliciesExcluded
• targetAddress
• textEncodedORAddress
43
Note:
For more information about the DSACLS syntax, see "Split Permissions Model
Reference."
For more information about using DSACLS, see "How to Use DSACLS to Apply Permissions"
This topic serves as an example for using DSACLS. After application of the example in this
topic, the "ExAdminGroup" security group can manage e-mail addresses, display names, and
move mailboxes for all users contained in the "UsersContainer" organizational unit hierarchy.
Procedure
To use DSACLS for permissioning
1. Log on to a system within the forest that has the Windows Support Tools
installed using an account that can perform the actions (for example, Domain Admin).
"company\ExAdminGroup:RPWP;homeMDB;user"
"company\ExAdminGroup:RPWP;homeMTA;user"
"company\ExAdminGroup:RPWP;targetAddress;user"
"company\ExAdminGroup:RPWP;msExchHomeServerName;user"
"company\ExAdminGroup:WP;proxyAddresses;user"
"company\ExAdminGroup:WP;msExchPoliciesExcluded;user"
"company\ExAdminGroup:WP;mail;user"
"company\ExAdminGroup:WP;textEncodedORAddress;user"
"company\ExAdminGroup:WP;displayName;user"
For more information about using ADSI Edit, see "How to Use ADSI Edit to Apply
Permissions"
This topic serves as an example for using ADSI Edit. After application of the example in this
topic, the "ExAdminGroup" security group can manage e-mail addresses, display names, and
move mailboxes for all users contained in the "UsersContainer" organizational unit hierarchy.
may occur if you incorrectly modify Active Directory object attributes. Modify these attributes
at your own risk.
Procedure
To use ADSI Edit for permissioning
1. Open ADSI Edit, on the Action menu, click Connect To, and then specify the
domain where you want to make changes. Click OK.
2. Expand the Domain Naming Context (Domain NC) hierarchy to the appropriate
container: OU=UsersContainer,DC=company,DC=com.
5. In Advanced Security Settings for Group Name, click Add and then select the
group object, Company\ExAdmin Group. Click OK.
6. In Permission Entry for Users, click the Properties tab, and then select User
Objects from the list to change the Apply onto field.
7. For each of the following property rights, select the Allow permission:
• Read msExchPoliciesExcluded
• Read textEncodedORAddress
• Read displayName
• Read targetAddress
• Read homeMTA
• Write msExchPoliciesExcluded
• Write textEncodedORAddress
• Write displayName
• Write targetAddress
• Write homeMTA
8. Click OK.
• Service Pack 3 for Exchange 2000 Server and Exchange 2000 Server Enterprise
Edition (http://go.microsoft.com/fwlink/?linkid=17058)
In some cases, the access control list (ACL) is not applied on the usual property
(ntSecurityDescriptor), but on some other property—for example,
"msExchMailboxSecurityDescriptor". The directory service cannot enforce security that is not
specified in the Microsoft® Windows® NT security descriptor; in most cases, these ACLs will
be replicated to store ACLs on appropriate objects by the store service. There is,
unfortunately, no tool for viewing these ACLs as anything other than raw binary data.
• D Checked if this is a deny ACE. Allow and Deny are mutually exclusive.
• Comments The reason this permission is required, or other information about the
permission.
The permissions that are removed by Microsoft Exchange Server 2003 Setup are indicated
by a double strike-through font (for example, double strike-through). These are permissions
that were set in Exchange 2000 Server, but they have since been deprecated from the
security model.
The permissions are generally listed in the table by the names used on the ADSIEdit Security
property page, in the Advanced view, on the View/Edit tab. The ADSIEdit Security property
page lists a much more condensed view of the rights. The LDP tool (Ldp.exe) displays the
access mask directly, as a numerical value. The setup code refers to the rights by predefined
constants.
ACTRL_DS_LIST_O 0x00000080
BJECT
Extended rights are custom rights specified by individual applications. They are specified in
the ACL, but they are meaningless to the directory service; the particular application enforces
any extended rights. Examples of Exchange extended rights are "Create public folder" or
"Create named properties in the information store."
During
ForestPre
p phase
50
During
server
install
During
ADC setup
During
server
install
Organization Container
cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
During
ForestPre
p phase
During
server
install
List
Contents
ACTRL_D
S_LIST_O
BJECT
List
Contents
ACTRL_D
S_LIST_O
BJECT
55
List
Contents
ACTRL_D
S_LIST_O
BJECT
List
Contents
ACTRL_D
S_LIST_O
BJECT
58
When
enabling a
Site
Replicatio
n Service
(ACE is
removed
when SRS
is
disabled.)
During
server
install
Addressing Container
cn=Addressing,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
During
server
install
During
server
install
Administrative Group
cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft
Exchange,cn=Services,cn=Configuration,dc=<domain>
During
server
install (set
on
attribute
msExchP
FDefaultA
dminACL)
During
server
install (set
on
attribute
msExchP
FDefaultA
dminACL)
Connections Container
cn=Connections,cn=<routing group>,cn=Routing Groups,cn=<admin group>,cn=Administrative
Groups,cn=<org>...
During
server
install
Servers Container
cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft
Exchange,cn=Services...
63
During
server
install, or
during
Exchange
ForestPre
p
During
server
install
(ACEs
defined in
schema
defaultSec
urityDescri
ptor)
Server Object
cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft
Exchange,cn=Services...
64
During
server
install (if
the server
is not a
cluster
virtual
machine)
During
server
install (if
the server
is a cluster
virtual
machine)
VM must
be able to
maintain its
own
configurati
on, but
Setup can't
tell which
specific
server to
grant
control to.
66
During
server
install
(ACEs
defined in
schema
defaultSec
urityDescri
ptor)
When
EDSLOCK
script is
run; ACE
is removed
by
Exchange
ForestPre
p
67
No server
needs to
read mail
except on
its own
MDBs.
Protocols Container
cn=Protocols,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative
Groups,cn=<org>,cn=Microsoft Exchange...
68
During
server
install
During
server
install (set
on
attribute
msExchM
ailboxSec
urityDesc
riptor)
MTA Object
cn=Microsoft MTA,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative
Groups,cn=<org>...
During
server
install or
when
enabling
an SRS
70
During
ForestPre
p phase
71
During
server
install
During
ADC setup
72
Domain Container
dc=<domain>
During
DomainPr
ep phase
73
During
DomainPr
ep phase
(if running
against
Windows
Server 200
3 schema)
75
During
DomainPr
ep phase
During
DomainPr
ep (ACEs
defined in
schema
defaultSec
urityDescri
ptor)
Set by the
Recipient
Update
Service
77
AdminSDHolder Container
cn=AdminSDHolder,cn=System,dc=<domain>
During
DomainPr
ep phase
During
DomainPr
ep phase
During
DomainPr
ep phase
Set by the
Recipient
Update
Service
During
DomainPr
ep phase
Set by the
Recipient
Update
Service
General Questions
Are there areas in Exchange 2000 Server where I should tighten security?
If some Exchange Administrators are not trustworthy and have the ability to directly logon to
the Exchange server console, you should implement the EDSLock script, which is discussed
in Microsoft Knowledge Base article 313807, "XADM: Enhancing the Security of
Exchange 2000 for the Exchange Domain Servers Group." This action will prevent these
administrators from elevating their permissions and logging on to non-local mailboxes.
Be careful when you deploy Exchange 2000 Server on servers that are running
Active Directory® directory service. Administrators who have console access to domain
controllers have the ability to elevate their permissions in Active Directory. For this reason and
others, it is recommended that you deploy Exchange 2000 Server on member servers. For
more information about restricting permissions, see Design Considerations for Delegation of
Administration in Active Directory.
Be aware that prior to Service Pack 2 (SP2) for Exchange 2000 Server, accounts belonging
to the local "Administrators" group on a server running Exchange 2000 Server had the
automatic permission to Send As any user in the organization.
82
The server running Exchange Server version 5.5 must be installed on a computer running
Microsoft Windows® 2000 Server in an Active Directory domain. You need to log on to
Active Directory as a user who has the following permissions:
• Admin role on the Exchange Server 5.5 site naming context (for the site that you are
joining)
• Admin role on the Exchange Server 5.5 configuration naming context (for the site that
you are joining)
Additionally, you will need to know the service account name and password for the site that
relates to the server that you specify. If the Exchange Server 5.5 service account is in a
Windows NT 4.0 domain, you must create a two-way trust from the forest root domain to the
domain that contains the Exchange Server 5.5 service account.
What permissions do I need to install service packs for Exchange 2000 Server?
Service packs for Exchange need to be installed after Exchange 2000 Server. There is not an
integrated setup of Exchange that includes service packs. You need to have the following
permissions to apply service packs:
• Exchange Administrator role on the administration group where the server running
Exchange 2000 Server exists
There are two exceptions. First, when you are upgrading an Exchange 2000 Server cluster or
Key Management Service to Service Pack 2, you need to have the following permissions:
83
The second exception is if you are installing Service Pack 3 (SP3) for Exchange 2000 Server.
Because SP3 for Exchange 2000 Server Setup modifies rights on a protocol object in the
Exchange configuration container, you need one of the following permissions:
• Exchange Full Administrator role on the administration group where the server
running Exchange 2000 Server exists
For more information about deploying SP3 for Exchange 2000 Server, see Microsoft
Knowledge Base article 326293, "White Paper: Microsoft Exchange 2000 Server Service
Pack 3 Deployment Guide."
What happens if I add my own user account to the 'Exchange Domain Servers' group?
If at least one computer running Exchange 2000 Server is installed in the same domain, you
would have significant permissions over the organization and all mailboxes. Indeed, it is
possible to use your account to logon to any mailbox in the organization. Interestingly, if your
account is also a Domain Admin or Enterprise Admin, you will be denied access (by default)
to other users mailboxes, as an explicit deny access control entry is placed on each
Exchange database for users in these groups.
If your domain had simply been prepared (through DomainPrep) and a server running
Exchange Server 2003 had not been installed in the domain, you would not acquire
permissions to open other users mailboxes, and you would not gain any permissions to the
Exchange organization.
To increase the security of your organization, consider one of the following approaches:
• Use the EDSlock script to prevent members of the 'Exchange Domain Servers' group
(from any domain) from accessing non-local resources. For more information about this
approach, see Microsoft Knowledge Base Article 313807, "XADM: Enhancing the
Security of Exchange 2000 for the Exchange Domain Servers Group."
• Install all servers running Exchange 2000 Server in a separate domain in the forest,
away from user accounts and normal domain administrators.
Additionally, you may want to place 'deny' access control entries (ACEs) on the two special
groups so that other administrators cannot change their membership.
What happens if I add my own user account to the 'Exchange Enterprise Servers'
group?
If at least one computer running Exchange 2000 Server had been installed in the same
domain, you would have significant permissions over the organization and all mailboxes.
Indeed, with Exchange 2000 Server, it is possible to use your account to logon to any mailbox
84
in the organization. Interestingly, if your account is also a Domain Admin or Enterprise Admin,
you will be denied access (by default) to other users mailboxes, as an explicit deny access
control entry is placed on each Exchange database for users in these groups.
If your domain had simply been prepared (through DomainPrep) and a server running
Exchange 2000 Server had not been installed in the domain, you would not acquire
permissions to open other users mailboxes, and you would not gain any permissions to the
Exchange organization.
Regardless, the Exchange services will automatically remove your account from the
'Exchange Enterprise Servers' group on next restart.
To create and manage an Instant Messaging (IM) virtual server, you need the following
permissions:
If you need to change the firewall topology information for Instant Messaging within your
organization, you will need this additional permission:
You need permissions to change attributes on each users' Active Directory object. For more
information about how to create 'mailbox administrators,' see "Exchange Server 2003
Delegation and Roles." Additionally, you need the following permissions:
• At least Exchange View Only Administrator role on the administrative group where
the Instant Messaging virtual server exists
• Exchange Full Administrator role at the Exchange 2000 Server organization level
To update your Exchange Conferencing Server installation to Service Pack 2 (SP2), you need
to be logged on to Active Directory as a user with the following permissions:
• Exchange Full Administrator role at the Exchange 2000 Server organization level
• Member of "Domain Admins" in the domain where the conferencing server resides
You need to be a "Domain Admin" to update to SP2 because the installer creates a new
Global Security Group in the "Users" container called "Exchange Conferencing Access
Servers". This new group resolves past problems where non-Windows 2000 Server clients
could not join secure conferences.
The following table shows the different conferencing-related operations that administrators in
various roles can perform.
View conference X X X
settings
The ActiveX control consists of two files; xcliacc_x86.dll and xcliacc.inf. Users must have
local administrator permissions to download the control into <drive>:\%WinDir%\Downloaded
Program Files.
When you downloaded Working with Active Directory Permissions in Exchange Server 2003
from the Microsoft Download Center, a folder named DSACLS Snippets was also created in
the same folder where this guide was created. The DSACLS Snippets folder contains
DSACLS snippets that you can copy and paste into the Dsacls.exe tool. These snippets are
saved in individual text files that have names that correspond to the headings in this section.
See "DSACLS Command Syntax Snippets" for a complete list of the snippet text file names.
The tables in this section list attributes by their LDAP display name. If an attribute is followed
by text in parentheses, that text indicates the name as seen in Active Directory® directory
service interfaces (like ADSI Edit). All references to user objects also apply to the
inetOrgPerson object; however, the inetOrgPerson object is not specified in the section titles
because it is rarely used.
Most of the attributes apply to both Microsoft® Exchange 2000 Server and Exchange
Server 2003. However, there are some exceptions and these exceptions are indicated in the
tables.
87
By granting an Exchange Administrator Read and Write access to the attributes that are
associated with the tabs listed below, the administrator can perform a particular function (for
example, manage e-mail addresses).
The following table lists the attributes that can be viewed on the Exchange General tab of a
mail-enabled group object when using the Exchange-enabled Active Directory Users and
Computers MMC snap-in.
(Applies only to
Exchange Server 2003)
The following table lists the attributes that can be viewed on the Exchange General tab of a
mail-enabled user or inetOrgPerson or contact object when using the Exchange-enabled
Active Directory Users and Computers MMC snap-in.
(Applies only to
Exchange Server 2003)
(Applies only to
Exchange Server 2003)
90
The following table lists the attributes that can be viewed on the Exchange Advanced tab of a
mail-enabled group object when using the Exchange-enabled Active Directory Users and
Computers MMC snap-in.
The following table lists the attributes that can be viewed on the Exchange Advanced tab of a
mail-enabled user, inetOrgPerson, or contact object when using the Exchange-enabled
Active Directory Users and Computers MMC snap-in.
User-Related Tasks
Each organization defines what it expects from an Exchange administrator. However,
Exchange administrators need to perform certain common tasks with regard to user and
inetOrgPerson objects. For example:
• Moving mailboxes
Administrators can perform these tasks by using the Exchange Tasks Wizard in the
Exchange-enabled Active Directory Users and Computers MMC snap-in.
In addition, the Exchange administrator must have Read and Write access to the following
user or inetOrgPerson object attributes:
• adminDisplayName
• dLMemDefault
• homeMTA
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• mDBUseDefaults
• msExchADCGlobalNames
• msExchControllingZone
• msExchFBURL
• msExchHideFromAddressLists
• msExchMailboxGuid
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
97
• msExchResourceGUID
• msExchUserAccountControl
• showInAddressBook
• targetAddress
• textEncodedORAddress
Moving Mailboxes
Beginning with Exchange Server 2003 Service Pack 1 (SP1), there are two methods for
moving mailboxes depending on the organization mode in which your Exchange environment
is operating.
• If you are in mixed mode, the Move Mailbox Task will present you with two options.
• If you are in native mode, you can move a mailbox within and between administrative
groups.
The Exchange Administrator must be a local administrator on the workstation which is being
used to perform the Move Mailbox task. In addition, the Exchange Administrator must have
Read and Write access to the following user or inetOrgPerson object attributes:
• homeMTA
• targetAddress
98
• msExchOmaAdminWirelessEnable
Note:
This attribute is removed if you are moving a mailbox to a server running
Exchange Server 5.5 or Exchange 2000 Server.
• msExchOmaAdminExtendedSettings
Note:
This attribute is removed if you are moving a mailbox to a server running
Exchange Server 5.5 or Exchange 2000 Server.
• The Exchange delegated role, Exchange Administrator (or higher), on the source and
destination administrative groups.
Note:
If you are moving mailboxes from an Exchange 5.5 server, then you will need the
Exchange delegated role, Admin (or higher) on the 5.5 site and configuration contexts
that contain the mailboxes.
• The Exchange delegated role, Exchange View Only Administrator role (or higher)
delegated at the organization level to read the properties of the ADC Configuration
Connection Agreements to determine the target administrative group’s responsible SRS.
• The Exchange delegated role, Admin (or higher) on the source 5.5 site and the 5.5
site that contains the target administrative group’s SRS (this is granted through the
Exchange 5.5 Administrator program).
The Exchange administrator must be a local administrator on the workstation which is being
used to perform the Move Mailbox task. In addition, the Exchange Administrator must have
Read and Write access to the following user or inetOrgPerson object attributes:
• homeMTA
• targetAddress
• msExchADCGlobalNames
• proxyAddresses
99
• legacyExchangeDN
The Exchange Administrator must be a local administrator on the workstation which is being
used to perform the Move Mailbox task. In addition, the Exchange Administrator must have
Read and Write access to the following user or inetOrgPerson object attributes:
• homeMTA
• targetAddress
• msExchOmaAdminWirelessEnable
Note:
This attribute is removed if you are moving a mailbox to a server running
Exchange Server 5.5 or Exchange 2000 Server.
• msExchOmaAdminExtendedSettings
Note:
This attribute is removed if you are moving a mailbox to a server running
Exchange Server 5.5 or Exchange 2000 Server.
Note:
Mailbox-disabling an object marks the mailbox for deletion within the Exchange
database; it does not disable the object as an authentication principal.
100
• adminDisplayName
• altRecipient
• authOrig
• deletedItemFlags
• delivContLength
• deliverAndRedirect
• dLMemDefault
• dLMemRejectPerms
• dLMemSubmitPerms
• garbageCollPeriod
• homeMTA
101
• internetEncoding
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• mDBOverHardQuotaLimit
• mDBOverQuotaLimit
• mDBStorageQuota
• mDBUseDefaults
• msExchADCGlobalNames
• msExchControllingZone
• msExchExpansionServerName
• msExchFBURL
• msExchHideFromAddressLists
• msExchMailboxGuid
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchRecipLimit
• msExchResourceGUID
• protocolSettings
• publicDelegates
• securityProtocol
• showInAddressBook
• submissionContLength
102
• targetAddress
• textEncodedORAddress
• unauthOrig
• adminDisplayName
• dLMemDefault
• homeMTA
• internetEncoding
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• msExchADCGlobalNames
• msExchControllingZone
• msExchFBURL
• msExchHideFromAddressLists
• msExchMailboxGuid
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
103
• msExchPoliciesIncluded
• msExchResourceGUID
• showInAddressBook
• targetAddress
• textEncodedORAddress
Note:
Mail-disabling an object removes mail-related properties from the object; it does not
disable the object as an authentication principal.
• adminDisplayName
• altRecipient
• authOrig
• deletedItemFlags
• delivContLength
• deliverAndRedirect
• dLMemDefault
• dLMemRejectPerms
• dLMemSubmitPerms
• garbageCollPeriod
• homeMTA
• internetEncoding
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• mDBOverHardQuotaLimit
• mDBOverQuotaLimit
• mDBStorageQuota
• mDBUseDefaults
• msExchADCGlobalNames
• msExchControllingZone
• msExchExpansionServerName
• msExchFBURL
• msExchHideFromAddressLists
105
• msExchMailboxGuid
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchRecipLimit
• msExchResourceGUID
• protocolSettings
• publicDelegates
• securityProtocol
• showInAddressBook
• submissionContLength
• targetAddress
• textEncodedORAddress
• unauthOrig
To remove all Exchange attributes on a user object, the Exchange Administrator must have
the Exchange delegated role, Exchange View-Only Administrator (or higher), on the target
administrative group. In addition, the Exchange Administrator must have Read and Write
access to the following user or inetOrgPerson object attributes:
• adminDisplayName
106
• altRecipient
• authOrig
• autoReply
• deletedItemFlags
• delivContLength
• deliverAndRedirect
• deliveryMechanism
• delivExtContTypes
• displayNamePrintable (Simple Display Name)
• dLMemDefault
• dLMemRejectPerms
• dLMemSubmitPerms
• dnQualifier
• enabledProtocols
• expirationTime
• extensionData
• formData
• forwardingAddress
• garbageCollPeriod
• heuristics
• homeMTA
• importedFrom
• internetEncoding
• language
• languageCode
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• mDBOverHardQuotaLimit
• mDBOverQuotaLimit
• mDBStorageQuota
• mDBUseDefaults
• msExchADCGlobalNames
• msExchALObjectVersion
• msExchControllingZone
• msExchCustomProxyAddresses
• msExchExpansionServerName
• msExchFBURL
• msExchHideFromAddressLists
• msExchInconsistentState
108
• msExchMailboxGuid
• msExchMailboxSecurityDescriptor
• msExchMailboxUrl
• msExchPfRootUrl
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchPolicyEnabled
• msExchPolicyOptionList
• msExchPreviousAccountSid
• msExchProxyCustomProxy
• msExchRecipLimit
• msExchResourceGUID
• msExchUnmergedAttsPt
• msExchUseOAB
• msExchUserAccountControl
• pOPCharacterSet
• pOPContentFormat
• protocolSettings
• publicDelegates
• replicatedObjectVersion
• replicationSensitivity
• replicationSignature
• securityProtocol
• showInAddressBook
• submissionContLength
• targetAddress
109
• textEncodedORAddress
• unauthOrig
• unmergedAtts
These tasks can be performed using the Exchange Tasks Wizard in the Exchange-enabled
Active Directory Users and Computers MMC snap-in.
• adminDisplayName
• autoReplyMessage
• dLMemDefault
• homeMTA
• internetEncoding
• legacyExchangeDN
• mailNickname (Alias)
110
• mAPIRecipient
• msExchADCGlobalNames
• msExchFBURL
• msExchHideFromAddressLists
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• reportToOriginator
• showInAddressBook
• targetAddress
• textEncodedORAddress
Note:
Mail-disabling a group object only removes mail-related properties from the object;
the group itself is not deleted and membership is not affected.
• adminDisplayName
• altRecipient
• authOrig
• autoReplyMessage
• delivContLength
• deliverAndRedirect
• dLMemDefault
• dLMemRejectPerms
• dLMemSubmitPerms
111
• folderPathname
• garbageCollPeriod
• hideDLMembership
• homeMTA
• internetEncoding
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• msExchADCGlobalNames
• msExchExpansionServerName
• msExchFBURL
• msExchHideFromAddressLists
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchRecipLimit
• oOFReplyToOriginator
• protocolSettings
• publicDelegates
• reportToOriginator
• reportToOwner
• securityProtocol
• showInAddressBook
• submissionContLength
• targetAddress
• textEncodedORAddress
• unauthOrig
• hideDLMembership
• oOFReplyToOriginator
• permissions
• reportToOriginator
• reportToOwner
Note:
The permissions attribute is not a property of group objects. It is an object right for
the group class object (for example, grant Read and Modify Permissions). For
113
information about how to set this attribute correctly, see the Hiding Group
Membership DSACLS snippet text file.
• adminDisplayName
• altRecipient
• authOrig
• autoReplyMessage
• delivContLength
• deliverAndRedirect
• deliveryMechanism
• delivExtContTypes
• dLMemDefault
• dLMemRejectPerms
• dLMemSubmitPerms
• dnQualifier
• enabledProtocols
• expirationTime
• extensionData
• folderPathname
• formData
• forwardingAddress
• garbageCollPeriod
• heuristics
• hideDLMembership
• homeMTA
• importedFrom
• internetEncoding
• language
• languageCode
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• msExchADCGlobalNames
• msExchALObjectVersion
115
• msExchCustomProxyAddresses
• msExchExpansionServerName
• msExchFBURL
• msExchHideFromAddressLists
• msExchInconsistentState
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchPolicyEnabled
• msExchPolicyOptionList
• msExchPreviousAccountSid
• msExchProxyCustomProxy
• msExchRecipLimit
• msExchUnmergedAttsPt
• msExchUserAccountControl
• oOFReplyToOriginator
• pOPCharacterSet
• pOPContentFormat
• protocolSettings
• publicDelegates
• replicatedObjectVersion
• replicationSensitivity
• replicationSignature
• reportToOriginator
• reportToOwner
• securityProtocol
• showInAddressBook
• submissionContLength
116
• targetAddress
• textEncodedORAddress
• unauthOrig
• unmergedAtts
These tasks can be performed using the Exchange Tasks Wizard in the Exchange-enabled
Active Directory Users and Computers MMC snap-in.
• adminDisplayName
• dLMemDefault
• homeMTA
• internetEncoding
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
117
• msExchADCGlobalNames
• msExchFBURL
• msExchHideFromAddressLists
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• showInAddressBook
Note:
Mail-disabling a contact object only removes mail-related properties from the object;
the contact itself is not deleted.
• adminDisplayName
• altRecipient
• authOrig
• delivContLength
• deliverAndRedirect
• dLMemDefault
• dLMemRejectPerms
• dLMemSubmitPerms
• folderPathname
• garbageCollPeriod
• homeMTA
• internetEncoding
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• msExchADCGlobalNames
• msExchExpansionServerName
• msExchFBURL
• msExchHideFromAddressLists
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchPoliciesIncluded
119
• msExchRecipLimit
• msExchRecipLimit
• protocolSettings
• publicDelegates
• securityProtocol
• showInAddressBook
• submissionContLength
• unauthOrig
To remove all Exchange attributes on a contact object, the Exchange Administrator must have
the Exchange delegated role, Exchange View-Only Administrator (or higher) on the target
administrative group. In addition, the Exchange Administrator must have Read and Write
access to the following contact object attributes:
• adminDisplayName
• altRecipient
• authOrig
• delivContLength
• deliverAndRedirect
• deliveryMechanism
• delivExtContTypes
• dLMemDefault
• dLMemRejectPerms
• dLMemSubmitPerms
• dnQualifier
• enabledProtocols
• expirationTime
• extensionData
• folderPathname
• formData
• forwardingAddress
• garbageCollPeriod
• heuristics
• homeMTA
• importedFrom
• internetEncoding
121
• language
• languageCode
• legacyExchangeDN
• mailNickname (Alias)
• mAPIRecipient
• msExchADCGlobalNames
• msExchALObjectVersion
• msExchCustomProxyAddresses
• msExchExpansionServerName
• msExchFBURL
• msExchHideFromAddressLists
• msExchInconsistentState
• msExchMailboxSecurityDescriptor
• msExchPoliciesExcluded
• msExchPoliciesIncluded
• msExchPolicyEnabled
• msExchPolicyOptionList
• msExchPreviousAccountSid
• msExchProxyCustomProxy
• msExchRecipLimit
• msExchUnmergedAttsPt
• msExchUserAccountControl
• pOPCharacterSet
• pOPContentFormat
• protocolSettings
• publicDelegates
• replicatedObjectVersion
122
• replicationSensitivity
• replicationSignature
• securityProtocol
• showInAddressBook
• submissionContLength
• textEncodedORAddress
• unauthOrig
• unmergedAtts
Using query-based distribution groups results in a much lower administrative cost, given the
dynamic nature of the distribution group. However, query-based distribution groups require
higher performance cost for queries that produce a large number of results. This cost is
equated with server resources (such as high CPU and increased working set) because every
time an e-mail message is sent to a query-based distribution group, an LDAP query is
executed against Active Directory to determine its membership.
For more information about query-based distribution groups, see Administration Features
in Exchange Server 2003.
For more information about Exchange related attributes of query-based distribution group
objects, see Exchange-Related Attributes of Query-Based Distribution Group Objects.
The following table lists the attributes for user, group, and contact objects that are seen within
the GAL. You can view and modify these attributes on specific tabs of the appropriate object
by using the Active Directory Users and Computers (ADU&C) MMC snap-in.
Note:
The following table lists examples of attributes that an Exchange Administrator may
want to modify. Depending on the organization's business needs and processes,
attributes may be added to or removed from this list. Regardless, the same steps
apply as to how to delegate responsibilities.
Note:
The attributes telephoneAssistant and secretary must be manually entered using the
LDP tool (Ldp.exe) or ADSI Edit (AdsiEdit.msc). The ActiveDirectory Users and
Computers MMC snap-in does not expose these fields.
Note:
Incorrectly modifying the attributes of Active Directory® directory service objects by
using ADSI Edit (AdsiEdit.msc), DSACLS (Dsacls.exe), the LDP tool (Ldp.exe), or
any other Lightweight Directory Access Protocol (LDAP) version 3 clients can cause
serious problems. These problems may require reinstallation of Microsoft® Windows
Server, Microsoft Exchange Server, or both. Problems that occur if ActiveDirectory
130
object attributes are modified incorrectly may not be solved. Modify these attributes at
your own risk.
Where:
• <ClassObject> is the class object (user, group, contact, and so on) to which the
attribute is associated.
The /I:S switch signals DSACLS to apply the permissions to sub-objects contained within the
container path. The /G switch signals DSACLS to grant the necessary permissions (as
opposed to deny or remove the permissions).
The RP argument signals DSACLS to grant the Read access for the property in question. The
WP argument signals DSACLS to grant Write access for the property in question.
Note:
The syntax for DSACLS is one command line, which contains no line breaks.
Copyright
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
131
written license agreement from Microsoft, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No
association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred.
Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, ActiveSync,
ActiveX, Entourage, Excel, FrontPage, Hotmail, JScript, Microsoft Press, MSDN, MSN,
Outlook, SharePoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows Mobile,
Windows NT, and Windows Server System are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.