Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Configuring Standard Permissions for Exchange Server 2010 (part 2) - Understanding & Assigning Advanced Exchange Server Permissions

7/24/2011 4:45:10 PM

4. Understanding Advanced Exchange Server Permissions

Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows permissions, object-specific permissions, and extended permissions.

Table 3 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Value(s) and Write Value(s), Value(s) is a placeholder for the actual type of value or values.

Table 3. Common Permissions for Active Directory Objects
PERMISSIONDESCRIPTION
Full ControlPermits reading, writing, modifying, and deleting
List ContentsPermits viewing object contents
Read All PropertiesPermits reading all properties of an object
Write All PropertiesPermits writing to all properties of an object
Read Value(s)Permits reading the specified value(s) of an object, such as general information or group membership
Write Value(s)Permits writing the specified value(s) of an object, such as general information or group membership
Read PermissionsPermits reading object permissions
Modify PermissionsPermits modifying object permissions
DeletePermits deleting an object
Delete SubtreePermits deleting the object and its child objects
Modify OwnerPermits changing the ownership of the object
All Validated WritesPermits all types of validated writes
All Extended WritesPermits all extended writes
Create All Child ObjectsPermits creating all child objects
Delete All Child ObjectsPermits deleting all child objects
Add/Remove Self As MemberPermits adding and removing the object as a member
Send ToPermits sending to the object
Send AsPermits sending as the object
Change PasswordPermits changing the password for the object
Receive AsPermits receiving as the object

Table 4 summarizes Exchange-specific permissions for objects. If you want to learn more about other types of permissions, I recommend that you read Windows Server 2008 Administrator's Pocket Consultant, Second Edition (Microsoft Press, 2010) or Windows 7 Administrator's Pocket Consultant (Microsoft Press, 2009).

Table 4. Extended Permissions for Exchange Server
PERMISSIONDESCRIPTION
Read Exchange InformationPermits reading general Exchange properties of the object
Write Exchange InformationPermits writing general Exchange properties of the object
Read Exchange Personal InformationPermits reading personal identification and contact information for an object
Write Exchange Personal InformationPermits writing personal identification and contact information for an object
Read Phone and Mail OptionsPermits reading phone and mail options of an object
Write Phone and Mail OptionsPermits writing phone and mail options of an object

Although you can use standard Windows permissions, object-specific permissions, and extended permissions to control Exchange management and use, Microsoft recommends that you use the new role-based access controls instead. My recommendation is to use the role-based access controls whenever possible in place of specific permissions. However, you might want to duplicate the old style permissions during your transition from Exchange 2003 or Exchange 2007 to Exchange 2010. This can simplify the transition by allowing you to configure new Exchange groups, such as Organization Management or Recipient Management, exactly as they are configured in the Exchange 2003 or Exchange 2007 organization. In this case, after you've ensured permissions are configured as required for proper operations and support of any applications that work with Exchange data, you can start implementing a role-based model for your organization.

5. Assigning Advanced Exchange Server Permissions

In Active Directory, different types of objects can have different sets of permissions. Different objects can also have general permissions that are specific to the container in which they're defined. For troubleshooting or fine-tuning your environment, you might occasionally need to modify advanced permissions. You can set advanced permissions for Active Directory objects by following these steps:

  1. Open Active Directory Users And Computers. If advanced features aren't currently being displayed, select Advanced Features on the View menu.

  2. Right-click the user, group, service account, or computer account with which you want to work.


    Warning:

    Only administrators with a solid understanding of Active Directory and Active Directory permissions should manipulate advanced object permissions. Incorrectly setting advanced object permissions can cause problems that are difficult to track down and may also cause irreparable harm to the Exchange organization.


  3. Select Properties from the shortcut menu, and then click the Security tab in the Properties dialog box, as shown in Figure 4.

  4. Users or groups with access permissions are listed in the Group Or User Names list box. You can change permissions for these users and groups by doing the following:

    • Select the user or group you want to change.

    • Use the Permissions list box to grant or deny access permissions.

    • When inherited permissions are dimmed, override inherited permissions by selecting the opposite permissions.

  5. To set access permissions for additional users, computers, or groups, click Add. Then use the Select Users, Computers, Security Accounts, Or Groups dialog box to add users, computers, security accounts, or groups.

    Figure 4. Use the Security tab to manage advanced permissions.

  6. Select the user, computer, service account, or group you want to configure in the Group Or User Names list box, click Add, and then click OK. Then use the fields in the Permissions area to allow or deny permissions. Repeat this step for other users, computers, service accounts, or groups. Click OK when you're finished.

Other -----------------
- Feature Overview of Microsoft Lync Server 2010 : Dial-In Conferencing & Enterprise Voice
- Feature Overview of Microsoft Lync Server 2010 : Instant Messaging & Web Conferencing
- Feature Overview of Microsoft Lync Server 2010 : Presence
- Installing Windows Small Business Server 2011
- Business Server 2011 : Planning Fault Tolerance and Avoidance - Disk Arrays
- Microsoft Dynamics GP 2010 : Improving financial reporting clarity by splitting purchasing accounts & Speeding up lookups with Advanced Lookups
- Microsoft Dynamics GP 2010 : Remembering processes with an Ad hoc workflow
- Microsoft Dynamics GP 2010 : Gaining additional reporting control with Account Rollups
- SharePoint 2010 Search : Replacing the SharePoint Search Engine (part 2) - FAST Search Server 2010 for SharePoint
- SharePoint 2010 Search : Replacing the SharePoint Search Engine (part 1) - Google Search Appliance
- Microsoft Dynamics NAV : Backing up and restoring with SQL Server
- Microsoft Dynamics NAV : Using HotCopy backup & Testing the database
- Microsoft Dynamics NAV : Creating and restoring backups using a Dynamics NAV client
- Microsoft SQL Server 2008 Analysis Services : Building Basic Dimensions and Cubes - Setting up a new Analysis Services project
- Windows Server 2008 Server Core : Managing IIS - Working with the ApplicationHost.CONFIG File
- Microsoft Dynamics CRM 2011 : Creating a Dynamic Marketing List
- Microsoft Dynamics CRM 2011 : Evaluating Members Included in a List by Using Advanced Find & Removing Selected Members from a List
- Microsoft Dynamics AX 2009 : The MorphX Tools - Label Editor
- Windows Server 2008 R2 : Manage a DNS Server (part 3) - Manage Zone Database Files & Configure Single-Label DNS Resolution
- Windows Server 2008 R2 : Manage a DNS Server (part 2) - Manage DNS Integration with Active Directory & Change Zone Replication
 
 
Most view of day
- Troubleshooting Stop Messages : Common Stop Messages (part 4)
- Windows Server 2012 : Configuring IPsec (part 6) - Configuring connection security rules - Creating a custom rule, Configuring authenticated bypass
- Planning Deployment : Starting Deployment Workbench, Updating BDD 2007 Components
- System Center Configuration Manager 2007 : Creating New Reports
- What's new and improved in SharePoint 2013 : Previewing search documents, Using the Community Site template
- Windows Server 2003 on HP ProLiant Servers : Migration Case Studies (part 2) - Eastman Chemical Company
- Windows Server 2012 : Simplifying the Datacenter (part 2) - Active Directory Administrative Center
- Windows Server 2003 on HP ProLiant Servers : Migration Case Studies (part 1) - County Government Office
- Adobe Illustrator CS5 : Organizing Your Drawing - Working with Groups
- Microsoft Visio 2010 : Importing Graphics (part 2) - Using Images as Shapes in Visio - Handling Bitmaps and Jaggies
Top 10
- Configuring and Troubleshooting IPv6 in Windows Vista (part 4) - Troubleshooting IPv6 Connectivity
- Configuring and Troubleshooting IPv6 in Windows Vista (part 3) - Configuring IPv6 in Windows Vista Using Netsh , Other IPv6 Configuration Tasks
- Configuring and Troubleshooting IPv6 in Windows Vista (part 2) - Configuring IPv6 in Windows Vista Using the User Interface
- Configuring and Troubleshooting IPv6 in Windows Vista (part 1) - Displaying IPv6 Address Settings
- Deploying IPv6 : IPv6 Enhancements in Windows Vista
- Games and Windows 7 : Games for Windows - LIVE (part 2) - Accessing Games for Windows - LIVE from within Compatible Games
- Games and Windows 7 : Games for Windows - LIVE (part 1) - Using the Games for Windows - LIVE Marketplace
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 3)
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 2) - Working with the REST API in JavaScript
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 1) - Understanding REST fundamentals
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro