Logo
CAR REVIEW
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
PREGNANCY
 
 
Windows Server

Configuring Standard Permissions for Exchange Server 2010 (part 2) - Understanding & Assigning Advanced Exchange Server Permissions

7/24/2011 4:45:10 PM

4. Understanding Advanced Exchange Server Permissions

Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows permissions, object-specific permissions, and extended permissions.

Table 3 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Value(s) and Write Value(s), Value(s) is a placeholder for the actual type of value or values.

Table 3. Common Permissions for Active Directory Objects
PERMISSIONDESCRIPTION
Full ControlPermits reading, writing, modifying, and deleting
List ContentsPermits viewing object contents
Read All PropertiesPermits reading all properties of an object
Write All PropertiesPermits writing to all properties of an object
Read Value(s)Permits reading the specified value(s) of an object, such as general information or group membership
Write Value(s)Permits writing the specified value(s) of an object, such as general information or group membership
Read PermissionsPermits reading object permissions
Modify PermissionsPermits modifying object permissions
DeletePermits deleting an object
Delete SubtreePermits deleting the object and its child objects
Modify OwnerPermits changing the ownership of the object
All Validated WritesPermits all types of validated writes
All Extended WritesPermits all extended writes
Create All Child ObjectsPermits creating all child objects
Delete All Child ObjectsPermits deleting all child objects
Add/Remove Self As MemberPermits adding and removing the object as a member
Send ToPermits sending to the object
Send AsPermits sending as the object
Change PasswordPermits changing the password for the object
Receive AsPermits receiving as the object

Table 4 summarizes Exchange-specific permissions for objects. If you want to learn more about other types of permissions, I recommend that you read Windows Server 2008 Administrator's Pocket Consultant, Second Edition (Microsoft Press, 2010) or Windows 7 Administrator's Pocket Consultant (Microsoft Press, 2009).

Table 4. Extended Permissions for Exchange Server
PERMISSIONDESCRIPTION
Read Exchange InformationPermits reading general Exchange properties of the object
Write Exchange InformationPermits writing general Exchange properties of the object
Read Exchange Personal InformationPermits reading personal identification and contact information for an object
Write Exchange Personal InformationPermits writing personal identification and contact information for an object
Read Phone and Mail OptionsPermits reading phone and mail options of an object
Write Phone and Mail OptionsPermits writing phone and mail options of an object

Although you can use standard Windows permissions, object-specific permissions, and extended permissions to control Exchange management and use, Microsoft recommends that you use the new role-based access controls instead. My recommendation is to use the role-based access controls whenever possible in place of specific permissions. However, you might want to duplicate the old style permissions during your transition from Exchange 2003 or Exchange 2007 to Exchange 2010. This can simplify the transition by allowing you to configure new Exchange groups, such as Organization Management or Recipient Management, exactly as they are configured in the Exchange 2003 or Exchange 2007 organization. In this case, after you've ensured permissions are configured as required for proper operations and support of any applications that work with Exchange data, you can start implementing a role-based model for your organization.

5. Assigning Advanced Exchange Server Permissions

In Active Directory, different types of objects can have different sets of permissions. Different objects can also have general permissions that are specific to the container in which they're defined. For troubleshooting or fine-tuning your environment, you might occasionally need to modify advanced permissions. You can set advanced permissions for Active Directory objects by following these steps:

  1. Open Active Directory Users And Computers. If advanced features aren't currently being displayed, select Advanced Features on the View menu.

  2. Right-click the user, group, service account, or computer account with which you want to work.


    Warning:

    Only administrators with a solid understanding of Active Directory and Active Directory permissions should manipulate advanced object permissions. Incorrectly setting advanced object permissions can cause problems that are difficult to track down and may also cause irreparable harm to the Exchange organization.


  3. Select Properties from the shortcut menu, and then click the Security tab in the Properties dialog box, as shown in Figure 4.

  4. Users or groups with access permissions are listed in the Group Or User Names list box. You can change permissions for these users and groups by doing the following:

    • Select the user or group you want to change.

    • Use the Permissions list box to grant or deny access permissions.

    • When inherited permissions are dimmed, override inherited permissions by selecting the opposite permissions.

  5. To set access permissions for additional users, computers, or groups, click Add. Then use the Select Users, Computers, Security Accounts, Or Groups dialog box to add users, computers, security accounts, or groups.

    Figure 4. Use the Security tab to manage advanced permissions.

  6. Select the user, computer, service account, or group you want to configure in the Group Or User Names list box, click Add, and then click OK. Then use the fields in the Permissions area to allow or deny permissions. Repeat this step for other users, computers, service accounts, or groups. Click OK when you're finished.

Other -----------------
- Feature Overview of Microsoft Lync Server 2010 : Dial-In Conferencing & Enterprise Voice
- Feature Overview of Microsoft Lync Server 2010 : Instant Messaging & Web Conferencing
- Feature Overview of Microsoft Lync Server 2010 : Presence
- Installing Windows Small Business Server 2011
- Business Server 2011 : Planning Fault Tolerance and Avoidance - Disk Arrays
- Microsoft Dynamics GP 2010 : Improving financial reporting clarity by splitting purchasing accounts & Speeding up lookups with Advanced Lookups
- Microsoft Dynamics GP 2010 : Remembering processes with an Ad hoc workflow
- Microsoft Dynamics GP 2010 : Gaining additional reporting control with Account Rollups
- SharePoint 2010 Search : Replacing the SharePoint Search Engine (part 2) - FAST Search Server 2010 for SharePoint
- SharePoint 2010 Search : Replacing the SharePoint Search Engine (part 1) - Google Search Appliance
- Microsoft Dynamics NAV : Backing up and restoring with SQL Server
- Microsoft Dynamics NAV : Using HotCopy backup & Testing the database
- Microsoft Dynamics NAV : Creating and restoring backups using a Dynamics NAV client
- Microsoft SQL Server 2008 Analysis Services : Building Basic Dimensions and Cubes - Setting up a new Analysis Services project
- Windows Server 2008 Server Core : Managing IIS - Working with the ApplicationHost.CONFIG File
- Microsoft Dynamics CRM 2011 : Creating a Dynamic Marketing List
- Microsoft Dynamics CRM 2011 : Evaluating Members Included in a List by Using Advanced Find & Removing Selected Members from a List
- Microsoft Dynamics AX 2009 : The MorphX Tools - Label Editor
- Windows Server 2008 R2 : Manage a DNS Server (part 3) - Manage Zone Database Files & Configure Single-Label DNS Resolution
- Windows Server 2008 R2 : Manage a DNS Server (part 2) - Manage DNS Integration with Active Directory & Change Zone Replication
 
 
Most view of day
- Adobe Dreamweaver CS5 : Using Library Items and Server-side Includes (part 5) - Updating Your Web Sites with Libraries
- Communicating with Internet Email : Setting Up Mail Accounts
- SharePoint 2010 : Packaging and Deployment Model - Working with Packages
- Integrating BizTalk Server 2010 and Microsoft Dynamics CRM : Communicating from BizTalk Server to Dynamics CRM (part 6)
- Adobe Dreamweaver CS5 : Using Library Items and Server-side Includes (part 7) - Applying Server-Side Includes - Adding server-side includes
- Games and Windows 7 : Using the Games Explorer (part 1)
- Windows Server 2012 : Enabling Users to Work Anywhere (part 2) - RDS Web Access
- Communicating with Internet Email : Sending Messages (part 1) - Taking Control of Your Messages, Creating a Signature, Creating an Email Shortcut for a Recipient
- Microsoft Visio 2010 : Importing Graphics (part 6) - Importing AutoCAD Drawings - Manipulating an Imported AutoCAD Drawing and Adding Furniture
- Designing and Configuring Unified Messaging in Exchange Server 2007 : Monitoring and Troubleshooting Unified Messaging (part 2) - Performance Monitors
Top 10
- Microsoft Lync Server 2013 : Director Troubleshooting (part 3) - Synthetic Transactions,Telnet
- Microsoft Lync Server 2013 : Director Troubleshooting (part 2) - DNS Records, Logs
- Microsoft Lync Server 2013 : Director Troubleshooting (part 1) - Redirects, Certificates
- Microsoft Lync Server 2013 : Administration of the Director Role (part 4) - Services Management, Client Version Filter
- Microsoft Lync Server 2013 : Administration of the Director Role (part 3) - Topology Status
- Microsoft Lync Server 2013 : Administration of the Director Role (part 2) - Ports,Firewall Rules
- Microsoft Lync Server 2013 : Administration of the Director Role (part 1) - Services
- Microsoft Lync Server 2013 : Configuring the Director (part 2) - Web Services Ports,Reverse Proxy
- Microsoft Lync Server 2013 : Configuring the Director (part 1) - SRV Records, Web Services FQDN Overrides
- Sharepoint 2013 : SharePoint Designer 2013 (part 2) - Locking Down SharePoint Designer
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro