Permissions and 'mixed mode' don't always mix, part 1


Brien M. Posey, Contributor
06.28.2004

You shouldn't feel like a misfit if you are in a mixed Exchange environment.

Microsoft Exchange 2000 and Exchange 2003 both use Active Directory (AD). Although Exchange 5.5 is not AD-aware, Exchange 2000 and 2003 are backward compatible with it through something called mixed mode.

Although a properly configured mixed-mode environment can function just about as well as an Exchange Server 2000 or 2003 native mode environment, there are a few features that you won't have access to within mixed mode. And there are some real gotchas when it comes to permissions. In fact, permissions can be particularly tricky when it comes to Exchange's public folders.

The problems stem from differences in the ways in which Exchange 5.5 and Exchange 2000 and 2003 store permissions. The actual permissions mechanisms are intricate. In a nutshell, Exchange 5.5 public folders do not have an Access Control List (ACL) property associated with them. Instead, the ACLs are stored in an ACL identifier table that must cross-reference an ACL member table.

Meanwhile, Exchange 2000 and 2003 work differently. In Exchange 2000 and 2003, mailboxes are not separate objects, but attributes of a user account. Therefore, public folder permissions are based on the user account security identifiers (SIDs) rather than table entries.

So what does all this mean? Any time public folder permissions are set or modified, Exchange has to make a conversion between the two permission schemes. This is where the problems start. Many administrators have found that although installing a newer version of Exchange into an Exchange 5.5 environment initially works well, most users lose public folder access once those folders are replicated to the new Exchange server.

This happens because of differences between the permissions. If even one user has permissions to a public folder on an Exchange 5.5 server, but does not have a corresponding AD account, then Exchange will remove all permissions to the folder for everyone except for the folder's owner. So unless a user happens to own the public folder, the folder will look like it doesn't exist. In truth, the folder does still exist, but the user can't see it.

The best way to get around this problem is through careful planning. Prior to installing Exchange 2000 or Exchange 2003, you need to verify that any user who has an Exchange mailbox also has an account in AD. Once you are relatively confident that all mailboxes have corresponding AD accounts, you should run a DS/IS Consistency Adjustment just to make absolutely sure.
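The pre-installation check described above can be scripted against directory exports. The following is an added example, not code from the original tip: it lists mailboxes with no matching AD account and applies the rule stated earlier (one unmatched ACL entry strips a folder's permissions for everyone but the owner) to predict which public folders are at risk. The CSV layouts, column names and sample rows are constructed for illustration and do not represent a real export format.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions for this example.
MAILBOXES_CSV = """alias,nt_account
asmith,CORP\\asmith
bjones,CORP\\bjones
oldtemp,CORP\\oldtemp
"""
AD_ACCOUNTS_CSV = """sam_account
asmith
bjones
cwu
"""
FOLDER_ACL_CSV = """folder,alias,role
Sales,asmith,Owner
Sales,bjones,Author
Sales,oldtemp,Reviewer
HR,bjones,Owner
HR,asmith,Reviewer
"""

def rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(mailboxes_csv, ad_csv, acl_csv):
    """Return (mailboxes without an AD account, folders at risk -> users who lose access)."""
    ad = {r["sam_account"].lower() for r in rows(ad_csv)}
    # Map each mailbox alias to the user part of its DOMAIN\user account.
    acct = {r["alias"]: r["nt_account"].split("\\")[-1].lower()
            for r in rows(mailboxes_csv)}
    orphans = sorted(a for a, name in acct.items() if name not in ad)
    folders = {}
    for r in rows(acl_csv):
        folders.setdefault(r["folder"], []).append((r["alias"], r["role"]))
    at_risk = {}
    for folder, entries in folders.items():
        # One ACL entry that cannot be matched to an AD account is enough;
        # an alias with no mailbox row is treated as unmatched too (assumption).
        if any(alias in orphans or alias not in acct for alias, _ in entries):
            at_risk[folder] = sorted(a for a, role in entries if role != "Owner")
    return orphans, at_risk

if __name__ == "__main__":
    print(audit(MAILBOXES_CSV, AD_ACCOUNTS_CSV, FOLDER_ACL_CSV))
```

Any folder reported as at risk should be resolved, by creating the missing account or removing the stale ACL entry, before the folder replicates to the new server.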

Read part two where I explain how to run a DS/IS Consistency Adjustment.


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

All Rights Reserved, Copyright 2004 - 2009, TechTarget | Read our Privacy Policy