Access control lists in Exchange public folders (330508)
The information in this article applies to:
- Microsoft Exchange Server 2003 Enterprise Edition
- Microsoft Exchange Server 2003 Standard Edition
- Microsoft Exchange 2000 Server
- Microsoft Windows Small Business Server 2003, Premium Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
This article was previously published under Q330508.
SUMMARY
This article describes how permissions have been simplified in Exchange 2000 Server and Exchange Server 2003.
Access Control Lists (ACLs) in Exchange
ACLs in Exchange are stored directly as a folder property, ptagNTSD, which holds the NT Security Descriptors of the users or groups
that can access the folder. Mailboxes in Exchange are no longer
separate from the user. Therefore, instead of allowing access to a folder based
on the domain name of the mailbox, Exchange controls access to folders
based on the Microsoft Windows NT Security ID of the user who is logged on,
which is similar to the way the NTFS file system handles its access
control. This distinction is important: most problems with users who cannot
access or see folders are caused by problems with the Windows NT Security ID.
This can be especially dangerous in mixed Exchange Server 5.5 and Exchange 2000 or Exchange 2003
environments.
New ACL Property Tags
Exchange 2000 has introduced two additional property tags (ptags)
for storing security information (Exchange 2003 retains these ptags):
- ptagNTSD (PR_NT_SECURITY_DESCRIPTOR) This is the new, richer ACL set that is used by Exchange 2000.
The permissions map closely to the NTFS permission set. All the folders on
Exchange 2000 have this property.
- ptagAdminNTSD (PR_ADMIN_SECURITY_DESCRIPTOR) These are the Administrator permissions on a folder. By default,
they are not set on individual folders, but are inherited from the root folder.
However, if you set specific Administrator permissions on a folder, this
property is added and replicated with that folder.
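To make concrete what the "raw" NT Security Descriptor held in ptagNTSD actually contains, the following is an added example (not code from this article or from Exchange) that decodes a self-relative Windows NT security descriptor and lists its owner, primary group and DACL entries by SID and access mask. The descriptor bytes, the domain SIDs and the masks in it are constructed for the example and are not values from the article.

```python
# Added example, not from the KB article: decode a self-relative NT security
# descriptor (the structure Exchange keeps in ptagNTSD); sample bytes constructed.
import struct

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (string form, byte length)."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % s for s in subs)), 8 + 4 * count

def parse_acl(buf, off):
    """Decode an ACL at buf[off:] into (ace_type, ace_flags, mask, sid) tuples."""
    _rev, _, _size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((ace_type, ace_flags, mask, parse_sid(buf, pos + 8)[0]))
        pos += ace_size  # AceSize covers header, mask and the variable-length SID
    return aces

def parse_sd(buf):
    """Decode a self-relative SECURITY_DESCRIPTOR: owner, group and DACL."""
    _rev, _, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    return {
        "owner": parse_sid(buf, o_owner)[0] if o_owner else None,
        "group": parse_sid(buf, o_group)[0] if o_group else None,
        # SE_DACL_PRESENT (0x0004) must be set for OffsetDacl to mean anything
        "dacl": parse_acl(buf, o_dacl) if control & 0x0004 and o_dacl else None,
    }
# Builders used only to construct the sample descriptor below.
def build_sid(auth, subs):
    return bytes([1, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid
def build_sd(owner, group, aces):
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    o_owner, o_group, o_dacl = 20, 20 + len(owner), 20 + len(owner) + len(group)
    # Control = SE_SELF_RELATIVE (0x8000) | SE_DACL_PRESENT (0x0004)
    return struct.pack("<BBHIIII", 1, 0, 0x8004, o_owner, o_group, 0, o_dacl) + owner + group + acl
# Constructed sample: fictitious domain SIDs, not values from the article.
USER = build_sid(5, [21, 1000, 2000, 3000, 1107])   # a domain user account
ADMINS = build_sid(5, [21, 1000, 2000, 3000, 512])  # Domain Admins (RID 512)
EVERYONE = build_sid(1, [0])                        # S-1-1-0
SAMPLE_SD = build_sd(USER, ADMINS, [
    build_ace(0, 0x001F01FF, USER),      # ACCESS_ALLOWED_ACE_TYPE, full-control mask
    build_ace(1, 0x00000002, EVERYONE),  # ACCESS_DENIED_ACE_TYPE, one mask bit denied
])
```

Every entry resolves to a SID rather than a mailbox or display name, which is why a user whose SID changed (for example after a migration) can stop matching the folder's ACEs even though the names in the MAPI permissions view look correct.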
Viewing ACLs in Exchange System Manager
If the folder is a MAPI folder, the MAPI-like permissions are
displayed when you view the client permissions. To view the "raw" NT
Security Descriptor (NTSD) permissions on a MAPI folder:
- Open Exchange System Manager, and then select the MAPI
folder that you want to view.
- Press and hold the CTRL key, and then click Permissions.
Note Non-MAPI folders (Application TLH folders) always show the raw
NTSD permissions. Do not use Windows Explorer or press the CTRL key
and then click Permissions in Exchange System Manager (the procedure to view permissions
that is described in this article) to set MAPI folder permissions. If you do
so, you may lose the ability to modify the permissions through MAPI clients and
Exchange System Manager.
MAPI Permissions Problems
In the MAPI top-level hierarchy (TLH), you cannot mix the tools
that you use to set permissions on folders. MAPI-aware tools such as Exchange
System Manager or Microsoft Outlook set MAPI TLH permissions themselves. If you
set the permissions by using Windows Explorer or you set the permissions in
Exchange System Manager when you view the NTSD permissions, you may break the
MAPI permissions on the folder and you can no longer modify the permissions
through MAPI. If clients try to modify the permissions, they may receive the
following error message:
Invalid Window Handle ID no: 80040102 Exchange System Manager
MORE INFORMATION
To view the client permissions on a folder, including the
owner of the folder:
- Open Exchange System Manager, and then select a public
folder.
- Click Properties, and then click Client Permissions.
When you click Client Permissions in Exchange System Manager or set client permissions by using the
Outlook client, the MAPI ACL Editor starts. However, if you press and
hold the CTRL key while you click Properties of the public folder in Exchange System Manager, and then click Client Permissions, you obtain the NTSD for the Owner instead of the MAPI
permissions. When you press and hold the CTRL key, and then click Client Permissions, the Windows NT ACL Editor starts. You can view the
same information by viewing the NT Security Descriptors for the public folder
in drive M. These are the raw NTSD permissions on a MAPI folder.
Although in Exchange 2000 and later, you can set security on public folders in the public
folder hierarchy by using Exchange System Manager, Outlook, and the Windows
2000 version of Windows Explorer, these tools are not interchangeable. Windows
Explorer uses the Windows 2000 ACL format to set security permissions (NTSD
permissions) on the MAPI public folder hierarchy, but Exchange System Manager
and Outlook use the MAPI ACL format. Microsoft Web Storage System can correctly
interpret both ACL formats, but the tools are not interchangeable because when
you change the permissions settings on a MAPI public folder by using the MAPI
ACL Editor (in Exchange System Manager or Outlook), the changes that you make
are written to the Exchange Installable File System. In contrast, if you use
the Windows NT ACL Editor to change the permissions settings on a MAPI public
folder (by pressing the CTRL key, and then clicking Client Permissions, or directly from drive M through Windows Explorer), the Exchange
Installable File System does not write the MAPI permissions back.
Because the tools are not interchangeable, if you modify the NTSD permissions
of a MAPI public folder by pressing the CTRL key and then clicking Client Permissions in the Windows NT ACL Editor, you can no longer set client
permissions for public folders by using Exchange System Manager or Outlook. Microsoft strongly
recommends that you use only Exchange System Manager or the Outlook client to
edit security on the MAPI public folder hierarchy. For additional information
about how to resolve the problems that can occur when you modify the NTSD
permissions for Exchange 2000 MAPI public folders (in other words, when you use
Windows Explorer on drive M to modify the permissions), click the following
article number to view the article in the Microsoft Knowledge Base:
313333 XADM: Error Message When You Set Permissions on Public Folders: Invalid Windows Handle ID No: 80040102 Exchange System Manager
Note This problem does not occur on general purpose public folder
hierarchies (also called application folder hierarchies).
Modification Type: Minor
Last Reviewed: 12/28/2005
Keywords: kbinfo KB330508