XADM: Delegate Rights Do Not Behave Consistently Between Domains (812296)
The information in this article applies to:
- Microsoft Exchange 2000 Server
SYMPTOMS
When you are configuring delegate rights to mailbox user accounts, the delegate rights do not consistently behave as you expect.
Your environment may be configured similar to the following:
- There are two Exchange Server computers, ServerA and ServerB.
- Each server resides in a different Microsoft Windows NT domain or Microsoft Windows 2000 forest.
- The domains are configured with a two-way trust relationship. If you are using forests, the forests are trusted.
You are configuring permissions for three mailbox users. Two of the users, User1 and User2, reside on ServerA. User3 resides on ServerB. If you want User3 to use User1's delegate access on User2's folder, do the following:
1. Disable User1.
2. Grant User3 full mailbox access and the associated external account right on User1.
3. Log on as User2, and then grant User1 delegate access to a folder.
4. Log on as User3, and then try to access the folder on User2.
This procedure is successful. However, if you invert steps 2 and 3, User3's access to User2's folder will fail.
Note You can only assign the associated external account right to accounts that reside in different forests or directory databases. Similarly, you can only assign delegate access to users who reside in the same forest or directory database.
CAUSE
This issue occurs because of the way Exchange writes the security identifier (SID) during delegation.
When you assign delegate rights, the SID of the user who is delegated (User1 in this case) is written to the access control list (ACL) of the user who is granting the delegation (User2). However, if the associated external account right is assigned to the delegated user before the delegation, the SID of the user who holds the associated external account right is written to the ACL during delegation. In this case, that user is User3.
The result is that the SID of User3 is written to the ACL of User2. Therefore, User3 has access to User2's folder through the delegate designation that is assigned to User1.
However, if the delegation was completed before the associated external account right was granted to User3, User1's SID would be written to User2's ACL. In this scenario, User3 would not have access to User2's folder.
Note Permissions established before the associated external account right is given are not changed.
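The following is an added model of the ordering rule described in the SYMPTOMS and CAUSE sections above; it is not Exchange code or Microsoft's own example. The Account and Mailbox classes, the SID strings and the resolution rule inside delegate() are assumptions that mirror the article's description, so the two orders of steps 2 and 3 can be compared side by side. The stale_delegations() audit goes one step beyond the article: it lists delegates whose existing ACE still carries their own SID after an associated external account was assigned, which is the situation the closing note says Exchange does not correct.

```python
# Added model of the delegation ordering rule from KB 812296 (constructed example,
# not Exchange code). All SIDs and names below are constructed values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    sid: str                      # constructed SID value
    disabled: bool = False
    # SID of the account (in the other forest/directory) that holds the
    # "associated external account" right on this mailbox, if assigned.
    external_account_sid: Optional[str] = None


@dataclass
class Mailbox:
    owner: Account
    # Folder ACL modelled as the list of SIDs granted delegate access.
    acl: List[str] = field(default_factory=list)


def grant_external_account(mailbox_user: Account, external: Account) -> None:
    """Assign `external` the associated external account right on `mailbox_user`."""
    mailbox_user.disabled = True          # step 1 of the article's procedure
    mailbox_user.external_account_sid = external.sid


def delegate(granting: Mailbox, delegated: Account) -> str:
    """Give `delegated` delegate access to a folder in `granting`.

    Assumed rule from the CAUSE section: if the delegated user already has an
    associated external account, that account's SID is written to the ACL;
    otherwise the delegated user's own SID is written. Returns the SID written.
    """
    sid = delegated.external_account_sid or delegated.sid
    granting.acl.append(sid)
    return sid


def can_access(mailbox: Mailbox, who: Account) -> bool:
    """Access check: the caller's own SID must appear in the folder ACL."""
    return who.sid in mailbox.acl


def stale_delegations(mailbox: Mailbox, directory: Dict[str, Account]) -> List[str]:
    """Report delegates whose ACE still carries their own SID although an
    associated external account has since been assigned to them."""
    by_sid = {acct.sid: acct for acct in directory.values()}
    stale = []
    for sid in mailbox.acl:
        acct = by_sid.get(sid)
        if acct is not None and acct.external_account_sid is not None:
            stale.append(acct.name)
    return stale


def _make_users():
    user1 = Account("User1", "S-1-5-21-111-1001")   # ServerA, forest A
    user2 = Account("User2", "S-1-5-21-111-1002")   # ServerA, forest A
    user3 = Account("User3", "S-1-5-21-222-2003")   # ServerB, forest B
    return user1, user2, user3


def scenario_external_first() -> bool:
    """Article order: external account right first, then delegation."""
    user1, user2, user3 = _make_users()
    box2 = Mailbox(user2)
    grant_external_account(user1, user3)   # steps 1 and 2
    delegate(box2, user1)                  # step 3: User3's SID is written
    return can_access(box2, user3)         # step 4


def scenario_delegate_first() -> bool:
    """Inverted order: delegation first, then the external account right."""
    user1, user2, user3 = _make_users()
    box2 = Mailbox(user2)
    delegate(box2, user1)                  # User1's own SID is written
    grant_external_account(user1, user3)   # existing ACE is not rewritten
    return can_access(box2, user3)


def scenario_delegate_first_audit() -> List[str]:
    """Run the inverted order and list the delegations that no longer work as intended."""
    user1, user2, user3 = _make_users()
    box2 = Mailbox(user2)
    delegate(box2, user1)
    grant_external_account(user1, user3)
    return stale_delegations(box2, {a.name: a for a in (user1, user2, user3)})


if __name__ == "__main__":
    print("external right first, User3 access:", scenario_external_first())   # True
    print("delegation first, User3 access:", scenario_delegate_first())       # False
    print("stale delegations:", scenario_delegate_first_audit())              # ['User1']
```

In a real deployment the equivalent check is to compare the SIDs in a folder's ACL against the accounts that now hold an associated external account right; any delegate entry still written with the disabled account's own SID was granted before step 2 and must be removed and re-granted, since Exchange does not rewrite it.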
Modification Type: Minor | Last Reviewed: 6/13/2003
Keywords: kbinfo KB812296