XADM: Delegate Rights Do Not Behave Consistently Between Domains (812296)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

SYMPTOMS

When you configure delegate rights for mailbox user accounts, the delegate rights do not behave consistently. This problem occurs in an environment that is configured similar to the following:
  • There are two Exchange Server computers, ServerA and ServerB.
  • Each server resides in a different Microsoft Windows NT domain or Microsoft Windows 2000 forest.
  • The domains are configured with a two-way trust relationship. If you are using forests, the forests are trusted.
You are configuring permissions for three mailbox users. Two of the users, User1 and User2, reside on ServerA. User3 resides on ServerB.

If you want User3 to reach User2's folder through the delegate access that is granted to User1, do the following:
  1. Disable the User1 account.
  2. Grant User3 full mailbox access and the associated external account right on the User1 mailbox.
  3. Log on as User2, and then grant User1 delegate access to a folder.
  4. Log on as User3, and then try to access the folder in User2's mailbox.
This procedure is successful. However, if you reverse the order of steps 2 and 3 (grant the delegate access first and the associated external account right afterward), User3 cannot access User2's folder.

Note You can assign the associated external account right only to accounts that reside in a different forest or directory database. Similarly, you can assign delegate access only to users who reside in the same forest or directory database.

CAUSE

This issue occurs because of the way Exchange chooses the security identifier (SID) that it writes to the folder's access control list (ACL) when delegate access is granted.

When you assign delegate rights, the SID of the user who is made the delegate (User1 in this case) is written to the ACL of the folder that belongs to the user who grants the delegation (User2). However, if the associated external account right was assigned to the delegate's account before the delegation, Exchange instead writes the SID of the external account that holds that right. In this case, that account is User3.

The result is that the SID of User3 is written to the ACL of User2's folder. Therefore, User3 has access to User2's folder through the delegate designation that was assigned to User1. However, if the delegation was completed before the associated external account right was granted to User3, User1's SID is written to User2's ACL. In this scenario, User3 does not have access to User2's folder.

Note Permissions that were established before the associated external account right is granted are not updated afterward. To obtain the working behavior that is described in the "Symptoms" section, grant the delegate access after the right has been assigned.
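The following PowerShell script is an added example and is not part of this article or of Exchange. It performs the check an administrator would want before following the procedure in the "Symptoms" section: it reads the Active Directory attributes of the account that is about to be made a delegate and reports which SID Exchange will write to the ACL. It assumes a domain-joined Windows host with PowerShell and ADSI read access to the user objects (Exchange 2000 servers predate PowerShell, so run it from a later management host), and the distinguished name, the function names and the parameter name are placeholders chosen for the example. The attribute msExchMasterAccountSid is the one that holds the SID of the external account once the associated external account right has been granted.

```powershell
# Added example (not from KB 812296): report which SID Exchange will write to
# a folder ACL when the given account is made a delegate.
# Assumptions: a domain-joined Windows host with PowerShell and ADSI read
# access to the user objects; the distinguished name below is a placeholder.
param(
    [string]$DelegateDN = "CN=User1,OU=Mailboxes,DC=domainA,DC=local"  # assumed DN of the would-be delegate
)

function ConvertTo-Sid([byte[]]$Bytes) {
    # AD stores SIDs as binary; wrap them in a SecurityIdentifier for display and comparison
    return New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)
}

function Get-DelegateSidInfo([string]$DN) {
    $entry = [ADSI]"LDAP://$DN"

    $ownSid = ConvertTo-Sid ([byte[]]$entry.Properties["objectSid"][0])

    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; the associated external
    # account right is only meaningful on a disabled mailbox user (step 1).
    $uac = [int]$entry.Properties["userAccountControl"][0]
    $disabled = ($uac -band 0x2) -ne 0

    # msExchMasterAccountSid is populated when the associated external account
    # right is granted; it holds the SID of the external (other-forest) account.
    $masterSid = $null
    if ($entry.Properties["msExchMasterAccountSid"].Count -gt 0) {
        $masterSid = ConvertTo-Sid ([byte[]]$entry.Properties["msExchMasterAccountSid"][0])
    }

    # Per the "Cause" section: if the right is already in place, a new delegation
    # writes the external account's SID; otherwise it writes the delegate's own SID.
    $written = if ($masterSid) { $masterSid } else { $ownSid }

    return [pscustomobject]@{
        DelegateDN       = $DN
        OwnSid           = $ownSid
        AccountDisabled  = $disabled
        MasterAccountSid = $masterSid
        SidWrittenToAcl  = $written
    }
}

$info = Get-DelegateSidInfo $DelegateDN
$info | Format-List

if ($info.MasterAccountSid) {
    Write-Host "A delegation granted now gives access to the external account $($info.MasterAccountSid)."
    Write-Host "Delegations granted before the right was assigned still carry $($info.OwnSid) and must be granted again."
} else {
    Write-Host "No associated external account: a delegation granted now gives access only to $($info.OwnSid)."
}
```

Run the script against the disabled mailbox account (User1 in the article) before logging on as the granting user (User2). If MasterAccountSid is empty, grant the associated external account right first; otherwise the delegation will carry User1's own SID and, because existing entries are not updated, the external account will never receive access until the delegate is removed and added again.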

Modification Type: Minor    Last Reviewed: 6/13/2003
Keywords: kbinfo KB812296