XADM: Exporting and Importing Permissions on Objects (188628)
The information in this article applies to:
- Microsoft Exchange Server 5.5
This article was previously published under Q188628 SUMMARY
Administrators may want to import and export information from the
Permissions page of Exchange mailboxes, distribution lists, and custom
recipients.
This can be accomplished by constructing an export/import .CSV header file
that contains the Obj-Admins, Obj-Perm-Admins, and Obj-Users fields.
NOTE: The information in this article also applies to manipulating
permissions for Custom Recipients and Distribution Lists.
MORE INFORMATION
Each Exchange mailbox has a "Primary Windows NT Account" entry that gives a
Windows NT user permission to access the mailbox. You can configure
additional Windows NT permissions on a mailbox and thus allow multiple
Windows NT accounts to have access to a single Exchange object.
NOTE: You can also allow multiple Windows NT account access by assigning a
Windows NT group as the "Primary Windows NT Account".
Additional Windows NT account permissions may be configured on the
Permissions property page for an object.
By default, the Permissions page is not displayed in Exchange Administrator
for most objects. To display it for all objects, from the Tools menu,
select Options. Click the Permissions tab, and then select "Show
Permissions page for all objects".
Obj-Admins, Obj-Perm-Admins and Obj-Users are "pseudo-attributes" created
for the purpose of bulk import and export of additional Permissions.
Obj-Admins corresponds to the Windows NT accounts that have Administrator
access to the object. Obj-Perm-Admins corresponds to Permissions Admin, and
Obj-User to User permissions.
The following is an example of a default export CSV header with the
Permissions pseudo-attribute fields added to it:
Obj-Class,First Name,Last name,Display Name,Alias Name,Directory
Name,Primary Windows NT Account,Home-Server,E-mail address,E-mail
Addresses,Members,Obj-Container,Hide from AB,Obj-Admins,Obj-Perm-
Admins,Obj-Users
The above header may be copied and used in a .CSV file. To do this:
- Open Notepad or another plain text editor and paste the header into it.
The header should be the first and only line in the file and is intended
to be a single long line terminated with a carriage return.
- Save the file as <filename>.CSV and exit Notepad.
- In Exchange Administrator, select Tools.Directory Export, and export to
the file you just created.
Additional Notes- Windows NT account information should be entered in the .CSV file in this
format:
domain-name\user-name%domain-name>\user-name2 . . .
- You can delete all the Windows NT Accounts assigned Permissions Admin,
Admin, or User rights on the object by inserting ~DEL into the
appropriate field of an import file. This does not delete the
permissions of the Primary Windows NT Account for a mailbox or the
permissions of the Owner for a distribution list.
- If you enter an invalid Windows NT account in an import file, it is
ignored. You cannot add permissions for Windows NT accounts that do not
exist or that cannot be currently validated by a Windows NT domain
controller.
- Custom and Send As permissions cannot be exported, imported, or deleted
through bulk import. They are invisible to the export/import process. If
you inadvertently import the same Windows NT account under two or more
permissions headings, the permissions granted to the account will be
additive and will cause the account to show Custom permissions. For
example, if you import the same account in both the Obj-Admins and Obj-
Users fields, the account will have both administrative and mailbox
read/send permissions. After this happens, you can no longer affect the
account through import/export but must manage the account through the
Exchange Administrator interface.
| Modification Type: | Minor | Last Reviewed: | 4/28/2005 |
|---|
| Keywords: | kbhowto KB188628 |
|---|
|