Getting Started

Directory Permissions

You control access to objects in the directory by using the Microsoft Exchange Server Administrator program to assign roles to Windows NT Server user accounts and groups. Roles are sets of permissions that define how much and what type of access a user or group has to an object. For example, the Administrator role gives administrators a number of permissions that help them perform their daily tasks. You can define custom roles or use the default roles provided with Microsoft Exchange Server, which are listed in the role table at the end of this section.

Each role is defined by a set of permissions that determines the specific actions that a particular user account or group can perform on an object. For example, the Delete permission grants the ability to delete an object. The following table describes the permissions.

Add Child
    Creates objects below the selected object in the directory hierarchy. For example, if a user has this permission for the Recipients container, the user can create mailboxes in that container.

Modify User Attributes
    Modifies user-level attributes associated with an object. For example, a user with this permission can modify the members of a distribution list.

Modify Admin Attributes
    Modifies administrator-level attributes associated with an object. For example, a user with this permission can modify the job title and display name fields in a mailbox.

Modify Permission
    Modifies permissions on existing objects. For example, without this permission, a user can grant permissions for new mailboxes but can't modify permissions for existing mailboxes.

Delete
    Enables users to delete objects.

Send As
    Enables users to send messages with the sender's return address. For example, all users have this permission for their mailbox so that they can send messages with that mailbox's return address. This permission is also granted for server objects in the directory to the service account so that directory service processes can send messages to each other.

Mailbox Owner
    Enables users to read and delete messages in this mailbox. This permission is also granted for server objects in the directory to the service account, so that directory processes can send messages to each other.

Logon Rights
    Enables users and services to access the directory. Users need this permission to use the Administrator program. Services also need this permission.

Replication
    Enables users and services to replicate directory information with other servers. This permission is required by the Microsoft Exchange Server service account to replicate with other servers.

Search
    Enables the selected user account to view the contents of the container. This permission is most useful for restricting access to Address Book View containers. For more information about using the Search permission with Address Book views, see Microsoft Exchange Server Operations.

As mentioned earlier, you can grant permissions to groups of users as well as to individual user accounts. Permissions are also used by Microsoft Exchange Server services. Most permissions apply only to the Administrator program; however, some permissions, such as Modify User Attributes, can also apply to Microsoft Outlook clients.

Permissions included in each default role (X = the role includes the permission):

Permission                Admin.  Permissions Admin.  Service Account Admin.  View Only Admin.  User  Send As  Search
Add Child                 X       X                   X
Modify User Attributes    X       X                   X                                         X              X
Modify Admin Attributes   X       X                   X
Delete                    X       X                   X
Logon Rights              X       X                   X                       X
Modify Permission                 X                   X
Replication                                           X
Mailbox Owner                                         X                                         X
Send As                                               X                                         X     X
Search                                                                                                         X
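The role table above answers "which permissions does this role carry?", but an access review needs the other direction: for a given account, what can it actually do on an object once its own role assignments and those of every group it belongs to are combined? The following Python script is an added example (it is not from the Exchange documentation and does not use any Exchange API). It encodes the role table exactly as the page prints it, then computes each account's effective permissions and reports the high-impact ones (Modify Permission, Replication, Mailbox Owner, Send As) held on objects the account does not own. The account, group and object names are constructed sample data; the union-of-roles rule, the absence of container-to-child inheritance, and the exemption of the service account are assumptions made for this example.

```python
"""Effective-permission review for Microsoft Exchange Server directory roles.

Added example; not code from the Exchange documentation. ROLES encodes the
role/permission matrix from the page. Everything else (the account, group and
object names; the rule that a user's effective permissions on an object are the
union of every role assigned to the user or to a group the user belongs to; and
the lack of container-to-child inheritance) is an assumption made here.
"""
from __future__ import annotations

from dataclasses import dataclass

# Role -> permissions, exactly as the page's table marks them.
ROLES: dict[str, frozenset[str]] = {
    "Admin.": frozenset({"Add Child", "Modify User Attributes",
                         "Modify Admin Attributes", "Delete", "Logon Rights"}),
    "Permissions Admin.": frozenset({"Add Child", "Modify User Attributes",
                                     "Modify Admin Attributes", "Delete",
                                     "Logon Rights", "Modify Permission"}),
    "Service Account Admin.": frozenset({"Add Child", "Modify User Attributes",
                                         "Modify Admin Attributes", "Delete",
                                         "Logon Rights", "Modify Permission",
                                         "Replication", "Mailbox Owner", "Send As"}),
    "View Only Admin.": frozenset({"Logon Rights"}),
    "User": frozenset({"Modify User Attributes", "Mailbox Owner", "Send As"}),
    "Send As": frozenset({"Send As"}),
    "Search": frozenset({"Modify User Attributes", "Search"}),
}

# Permissions worth a second look in a review, with the reason taken from the
# page's description of each permission.
SENSITIVE: dict[str, str] = {
    "Modify Permission": "changes who has access to the object",
    "Replication": "replicates directory data; meant for the service account",
    "Mailbox Owner": "reads and deletes messages in the mailbox",
    "Send As": "sends messages with the object's return address",
}


@dataclass(frozen=True)
class Assignment:
    """One role granted to a user account or group on one directory object."""
    principal: str  # Windows NT user account or group name
    obj: str        # directory object the role is set on
    role: str       # key into ROLES


def effective_permissions(user: str, groups_of: dict[str, set[str]],
                          assignments: list[Assignment], obj: str) -> frozenset[str]:
    """Union of the permissions of every role held on obj by user or by any of
    user's groups (assumed semantics; roles set on parent containers are not
    inherited in this model)."""
    principals = {user} | groups_of.get(user, set())
    perms: set[str] = set()
    for a in assignments:
        if a.obj == obj and a.principal in principals:
            perms |= ROLES[a.role]
    return frozenset(perms)


def review(users: set[str], groups_of: dict[str, set[str]],
           assignments: list[Assignment], mailbox_owner: dict[str, str],
           service_account: str) -> list[tuple[str, str, str]]:
    """Return (user, obj, permission) triples for sensitive permissions.

    Mailbox Owner and Send As on a user's own mailbox are expected (the page says
    every user has Send As on their mailbox) and are not reported. The service
    account is skipped entirely because the page says it legitimately holds
    Replication, Mailbox Owner and Send As on server objects."""
    objects = sorted({a.obj for a in assignments})
    findings: list[tuple[str, str, str]] = []
    for user in sorted(users):
        if user == service_account:
            continue
        for obj in objects:
            held = effective_permissions(user, groups_of, assignments, obj)
            for perm in sorted(held & frozenset(SENSITIVE)):
                if perm in ("Mailbox Owner", "Send As") and mailbox_owner.get(obj) == user:
                    continue
                findings.append((user, obj, perm))
    return findings


# --- constructed sample data (not from any real directory) ---
USERS = {"alice", "bob", "carol", "svc_exchange"}
GROUPS_OF = {"bob": {"Exchange Admins"}, "carol": {"Help Desk"}}
MAILBOX_OWNER = {"Mailbox alice": "alice", "Mailbox bob": "bob"}
ASSIGNMENTS = [
    Assignment("alice", "Mailbox alice", "User"),
    Assignment("bob", "Mailbox bob", "User"),
    Assignment("Exchange Admins", "Recipients", "Permissions Admin."),
    Assignment("Help Desk", "Recipients", "View Only Admin."),
    Assignment("Help Desk", "Mailbox alice", "Send As"),
    Assignment("svc_exchange", "Recipients", "Service Account Admin."),
]

if __name__ == "__main__":
    for user, obj, perm in review(USERS, GROUPS_OF, ASSIGNMENTS, MAILBOX_OWNER, "svc_exchange"):
        print(f"{user!r} holds {perm!r} on {obj!r}: {SENSITIVE[perm]}")
```

With the sample data, the review reports two items: bob holds Modify Permission on the Recipients container through the Exchange Admins group (the Permissions Admin. role), and carol can Send As alice's mailbox through the Help Desk group. The service account's Replication, Mailbox Owner and Send As rights on Recipients are not reported, matching the page's note that those are granted to the service account by design. Reading assignments from a real directory export instead of the constructed list is the only change needed to run this against actual data.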