Exchange System Manager Displays Delegated User Permissions Differently on Windows 2000 and on Windows Server 2003 (820282)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange 2000 Server
  • the operating system: Microsoft Windows Server 2003
  • the operating system: Microsoft Windows 2000

SYMPTOMS

When you view the permissions that are assigned to an Exchange Server 2003 user by using Exchange System Manager on a computer that is running Windows 2000 and then view the same user permissions on a computer that is running Windows Server 2003, the permissions are displayed differently.

When you view a user in Windows Server 2003, the check boxes for the Allow and Deny permissions are unavailable, but they are not selected. The unavailable check boxes that are not selected indicate that the permissions are inherited from a higher level. These unavailable check boxes do not allow you to select Allow or Deny.

When you view the same user in Windows 2000, the check boxes for the Allow and Deny permissions appear active and you can select Allow or Deny. In Windows 2000 you can explicitly override the permissions, while the unavailable check boxes in Windows Server 2003 prevent you from explicitly overriding inherited permissions.

For example, if you give UserA both Allow and Deny for the Send As permission, the access control list (ACL) in the Exchange System Manager user interface appears as follows:

Windows 2000

Send As - Allow is selected and unavailable, and Deny is not selected.

Windows Server 2003

Send As - Allow is selected, Deny is selected, and both are unavailable.

STATUS

This behavior is by design.

MORE INFORMATION

Windows Server 2003 includes a change from earlier versions of Windows in the way that inherited user permissions appear in the Exchange System Manager user interface. On Windows Server 2003, Exchange System Manager shows all the access control entries (ACEs), or permissions, that are assigned to a user when it displays a user's access control list (ACL). In the example provided in the Symptoms section, the ACL on Windows Server 2003 displays both permissions because the user has both permissions. When you configure an ACL during setup or by using an administrative tool, this is how the ACL will appear in the Exchange System Manager user interface on Windows Server 2003.

ACLs are designed in this manner to prevent the lists of ACEs from growing to large sizes. For example, if you use Delegation of Control Wizard to delegate UserA as an Exchange Full Administrator at the organization level, the wizard grants UserA Full control; however, the Send As and Receive As permissions must not be given to UserA. Note that Full control already includes the Send As and Receive As permissions.

To prevent the ACL from becoming too large, the wizard uses three ACEs:
  • Allow Full Control
  • Deny Send As
  • Deny Receive As
This results in both an Allow and a Deny for the Send As and Receive As permissions. This is functionally sufficient because Deny always overrides Allow. Windows Server 2003 displays both these permissions as selected. If the Delegation of Control Wizard did not use the Full control permission combined with the denials, many more ACEs would be required.
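
The following Python sketch is an added example, not part of the original article or of any Microsoft tool. It models the three ACEs described above and shows why Send As appears with both Allow and Deny selected while the effective right is denied. The function names and every right name other than Full control, Send As and Receive As are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed, simplified right set; a real Exchange object carries many more
# rights, which is why enumerating them would need "many more ACEs".
ALL_RIGHTS = frozenset({"Read", "Write", "Delete", "Create children",
                        "Modify permissions", "Send As", "Receive As"})

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str
    rights: frozenset  # Full control is modelled as every right in ALL_RIGHTS

def wizard_acl(trustee):
    """The three ACEs the article says the wizard writes."""
    return [Ace("allow", trustee, ALL_RIGHTS),
            Ace("deny", trustee, frozenset({"Send As"})),
            Ace("deny", trustee, frozenset({"Receive As"}))]

def enumerated_acl(trustee):
    """Alternative without denials: one allow ACE per right still wanted."""
    wanted = ALL_RIGHTS - {"Send As", "Receive As"}
    return [Ace("allow", trustee, frozenset({r})) for r in sorted(wanted)]

def displayed(acl, trustee, right):
    """Check-box state (allow, deny) when every ACE for the trustee is shown."""
    aces = [a for a in acl if a.trustee == trustee and right in a.rights]
    return (any(a.kind == "allow" for a in aces),
            any(a.kind == "deny" for a in aces))

def effective(acl, trustee):
    """Effective rights under the article's rule that Deny overrides Allow."""
    allowed, denied = set(), set()
    for a in acl:
        if a.trustee == trustee:
            (allowed if a.kind == "allow" else denied).update(a.rights)
    return allowed - denied

if __name__ == "__main__":
    acl = wizard_acl("UserA")
    print("Send As boxes (allow, deny):", displayed(acl, "UserA", "Send As"))
    print("Effective rights:", sorted(effective(acl, "UserA")))
    print("ACE count:", len(acl), "vs", len(enumerated_acl("UserA")))
```

When auditing delegated administrators, read a right that shows both Allow and Deny as denied.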

To explicitly override inherited permissions when you use Exchange System Manager on Windows Server 2003, click Advanced on the Security tab when you configure the properties of the user's mailbox store in Exchange System Manager.

Modification Type: Minor
Last Reviewed: 11/10/2005
Keywords: kbprb KB820282 kbAudITPRO