XADM: Security Permissions Change When You Move a Database File to Another Folder (329597)

WORKAROUND

To work around this problem, verify the Access Control List (ACL) entries of the database files after you move them. You can use Windows Explorer or the Cacls.exe command-line utility to re-assign security permissions. The following security permissions are assigned to the Exchange database files in a default installation:

NT AUTHORITY\Authenticated Users: Read permissions
BUILTIN\Server Operators: Change permissions
BUILTIN\Administrator: Full Control permissions
NT AUTHORITY\SYSTEM: Full Control permissions

To view these permissions, you can use the Cacls.exe command-line utility. For example, you might use the cacls "c:\program files\exchsrvr\mdbdata\priv1.stm" command.

MORE INFORMATION

When you run the Cacls.exe command before you move the database file, the following list of default permissions may be returned:

NT AUTHORITY\Authenticated Users:R
BUILTIN\Server Operators:C
BUILTIN\Administrator:F
NT AUTHORITY\SYSTEM:F

However, when you next run the Cacls.exe command after you move the database to a folder where everyone has full control permissions, a list of permissions similar to the following may be displayed:

Everyone:F

309718 XADM: Account Operators Can Obtain Access to All of the Mailboxes

282496 XADM: Considerations and Best Practices When Resetting an Exchange Mailbox Database

For more information about security and Exchange 2000, view the following Microsoft Web sites:

About Access Control Lists

Security Operations Guide for Exchange 2000 Server

XADM: Security Permissions Change When You Move a Database File to Another Folder (329597)

SYMPTOMS

CAUSE

WORKAROUND

STATUS

MORE INFORMATION