Logo
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
EPL Standings
 
 
Windows Server

Configuring Standard Permissions for Exchange Server 2010 (part 2) - Understanding & Assigning Advanced Exchange Server Permissions

7/24/2011 4:45:10 PM

4. Understanding Advanced Exchange Server Permissions

Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows permissions, object-specific permissions, and extended permissions.

Table 3 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Value(s) and Write Value(s), Value(s) is a placeholder for the actual type of value or values.

Table 3. Common Permissions for Active Directory Objects
PERMISSIONDESCRIPTION
Full ControlPermits reading, writing, modifying, and deleting
List ContentsPermits viewing object contents
Read All PropertiesPermits reading all properties of an object
Write All PropertiesPermits writing to all properties of an object
Read Value(s)Permits reading the specified value(s) of an object, such as general information or group membership
Write Value(s)Permits writing the specified value(s) of an object, such as general information or group membership
Read PermissionsPermits reading object permissions
Modify PermissionsPermits modifying object permissions
DeletePermits deleting an object
Delete SubtreePermits deleting the object and its child objects
Modify OwnerPermits changing the ownership of the object
All Validated WritesPermits all types of validated writes
All Extended WritesPermits all extended writes
Create All Child ObjectsPermits creating all child objects
Delete All Child ObjectsPermits deleting all child objects
Add/Remove Self As MemberPermits adding and removing the object as a member
Send ToPermits sending to the object
Send AsPermits sending as the object
Change PasswordPermits changing the password for the object
Receive AsPermits receiving as the object

Table 4 summarizes Exchange-specific permissions for objects. If you want to learn more about other types of permissions, I recommend that you read Windows Server 2008 Administrator's Pocket Consultant, Second Edition (Microsoft Press, 2010) or Windows 7 Administrator's Pocket Consultant (Microsoft Press, 2009).

Table 4. Extended Permissions for Exchange Server
PERMISSIONDESCRIPTION
Read Exchange InformationPermits reading general Exchange properties of the object
Write Exchange InformationPermits writing general Exchange properties of the object
Read Exchange Personal InformationPermits reading personal identification and contact information for an object
Write Exchange Personal InformationPermits writing personal identification and contact information for an object
Read Phone and Mail OptionsPermits reading phone and mail options of an object
Write Phone and Mail OptionsPermits writing phone and mail options of an object

Although you can use standard Windows permissions, object-specific permissions, and extended permissions to control Exchange management and use, Microsoft recommends that you use the new role-based access controls instead. My recommendation is to use the role-based access controls whenever possible in place of specific permissions. However, you might want to duplicate the old style permissions during your transition from Exchange 2003 or Exchange 2007 to Exchange 2010. This can simplify the transition by allowing you to configure new Exchange groups, such as Organization Management or Recipient Management, exactly as they are configured in the Exchange 2003 or Exchange 2007 organization. In this case, after you've ensured permissions are configured as required for proper operations and support of any applications that work with Exchange data, you can start implementing a role-based model for your organization.

5. Assigning Advanced Exchange Server Permissions

In Active Directory, different types of objects can have different sets of permissions. Different objects can also have general permissions that are specific to the container in which they're defined. For troubleshooting or fine-tuning your environment, you might occasionally need to modify advanced permissions. You can set advanced permissions for Active Directory objects by following these steps:

  1. Open Active Directory Users And Computers. If advanced features aren't currently being displayed, select Advanced Features on the View menu.

  2. Right-click the user, group, service account, or computer account with which you want to work.


    Warning:

    Only administrators with a solid understanding of Active Directory and Active Directory permissions should manipulate advanced object permissions. Incorrectly setting advanced object permissions can cause problems that are difficult to track down and may also cause irreparable harm to the Exchange organization.


  3. Select Properties from the shortcut menu, and then click the Security tab in the Properties dialog box, as shown in Figure 4.

  4. Users or groups with access permissions are listed in the Group Or User Names list box. You can change permissions for these users and groups by doing the following:

    • Select the user or group you want to change.

    • Use the Permissions list box to grant or deny access permissions.

    • When inherited permissions are dimmed, override inherited permissions by selecting the opposite permissions.

  5. To set access permissions for additional users, computers, or groups, click Add. Then use the Select Users, Computers, Security Accounts, Or Groups dialog box to add users, computers, security accounts, or groups.

    Figure 4. Use the Security tab to manage advanced permissions.

  6. Select the user, computer, service account, or group you want to configure in the Group Or User Names list box, click Add, and then click OK. Then use the fields in the Permissions area to allow or deny permissions. Repeat this step for other users, computers, service accounts, or groups. Click OK when you're finished.

Other -----------------
- Feature Overview of Microsoft Lync Server 2010 : Dial-In Conferencing & Enterprise Voice
- Feature Overview of Microsoft Lync Server 2010 : Instant Messaging & Web Conferencing
- Feature Overview of Microsoft Lync Server 2010 : Presence
- Installing Windows Small Business Server 2011
- Business Server 2011 : Planning Fault Tolerance and Avoidance - Disk Arrays
- Microsoft Dynamics GP 2010 : Improving financial reporting clarity by splitting purchasing accounts & Speeding up lookups with Advanced Lookups
- Microsoft Dynamics GP 2010 : Remembering processes with an Ad hoc workflow
- Microsoft Dynamics GP 2010 : Gaining additional reporting control with Account Rollups
- SharePoint 2010 Search : Replacing the SharePoint Search Engine (part 2) - FAST Search Server 2010 for SharePoint
- SharePoint 2010 Search : Replacing the SharePoint Search Engine (part 1) - Google Search Appliance
- Microsoft Dynamics NAV : Backing up and restoring with SQL Server
- Microsoft Dynamics NAV : Using HotCopy backup & Testing the database
- Microsoft Dynamics NAV : Creating and restoring backups using a Dynamics NAV client
- Microsoft SQL Server 2008 Analysis Services : Building Basic Dimensions and Cubes - Setting up a new Analysis Services project
- Windows Server 2008 Server Core : Managing IIS - Working with the ApplicationHost.CONFIG File
- Microsoft Dynamics CRM 2011 : Creating a Dynamic Marketing List
- Microsoft Dynamics CRM 2011 : Evaluating Members Included in a List by Using Advanced Find & Removing Selected Members from a List
- Microsoft Dynamics AX 2009 : The MorphX Tools - Label Editor
- Windows Server 2008 R2 : Manage a DNS Server (part 3) - Manage Zone Database Files & Configure Single-Label DNS Resolution
- Windows Server 2008 R2 : Manage a DNS Server (part 2) - Manage DNS Integration with Active Directory & Change Zone Replication
 
 
Most view of day
- Nginx HTTP Server : Basic Nginx Configuration - Configuration file syntax
- Microsoft Project 2010 : Setting Up a Project Budget - Setting the Project Fiscal Year
- BizTalk 2010 : ASDK SQL adapter examples (part 3) - Query notification and multiple result sets
- Deploying Applications (part 1) - Preparing the Lab, Planning Deployment, Choosing a Deployment Strategy
- Microsoft Exchange Server 2010 : Managing Connectivity with Hub Transport Servers - Send and Receive Connectors (part 1)
- Deploying the Client for Microsoft Exchange Server 2007 : Deploying with Microsoft Systems Management Server, Managing Postdeployment Tasks
- Microsoft PowerPoint 2010 : Finalizing Your Slide Show - Setting Up a Slide Show
- SharePoint 2010 : Configuring Search Settings and the User Interface - Web Parts (part 2)
- Microsoft Exchange Server 2010 : Working with SMTP Connectors, Sites, and Links (part 2) - Viewing and Managing Active Directory Site Link Details
- Microsoft PowerPoint 2010 : Creating New Slides (part 2) - Creating a Slide from a Layout, Copying Slides
Top 10
- Windows Server 2012 : DHCP,IPv6 and IPAM - Exploring DHCP (part 3) - Creating IPv4 DHCP Scopes
- Windows Server 2012 : DHCP,IPv6 and IPAM - Exploring DHCP (part 2) - Installing DHCP Server and Server Tools
- Windows Server 2012 : DHCP,IPv6 and IPAM - Exploring DHCP (part 1)
- Windows Server 2012 : DHCP,IPv6 and IPAM - Understanding the Components of an Enterprise Network
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 3) - Translating Text with the Mini Translator
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 2) - Translating a Word or Phrase with the Research Pane
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 1) - Setting Options for the Research Task Pane, Searching with the Research Task Pane
- Microsoft OneNote 2010 : Doing Research with Linked Notes (part 2) - Ending a Linked Notes Session, Viewing Linked Notes
- Microsoft OneNote 2010 : Doing Research with Linked Notes (part 1) - Beginning a Linked Notes Session
- Microsoft OneNote 2010 : Doing Research with Side Notes (part 3) - Moving Side Notes to Your Existing Notes
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro