Tip

Permissions and 'mixed mode' don't always mix, part 1

You shouldn't feel like a misfit if you are in a mixed Exchange environment.

Microsoft Exchange 2000 and Exchange 2003 both use Active Directory (AD). Although Exchange 5.5 is not AD-aware, Exchange 2000 and 2003 are backward compatible with it through something called mixed mode.

Although a properly configured mixed-mode environment can function just about as well as an Exchange Server 2000 or 2003 native mode environment, there are a few features that you won't have access to within mixed mode. And there are some real gotchas when it comes to permissions. In fact, permissions can be particularly tricky when it comes to Exchange's public folders.

The problems stem from differences in the ways in which Exchange 5.5 and Exchange 2000 and 2003 store permissions. The actual permissions mechanisms are intricate. In a nutshell, Exchange 5.5 public folders do not have an Access Control List (ACL) property associated with them. Instead, the ACLs are stored in an ACL identifier table that must cross-reference an ACL member table.

Meanwhile, Exchange 2000 and 2003 work differently. In Exchange 2000 and 2003, mailboxes are not separate objects, but attributes of a user account. Therefore, public folder permissions are based on the user account security identifiers (SIDs) rather than table entries.

So what does all this mean? Any time public folder permissions are set or modified, Exchange has to make a conversion between the two permission schemes. This is where the problems start. Many administrators have found that although installing a newer version of Exchange into an Exchange 5.5 environment initially works well, most users lose public folder access once those folders are replicated to the new Exchange server.

This happens because of differences between the permissions. If even one user has permissions to a public folder on an Exchange 5.5 server but does not have a corresponding AD account, then Exchange will remove all permissions to the folder for everyone except for the folder's owner. So unless a user happens to own the public folder, the folder will look like it doesn't exist. In truth, the folder does still exist, but the user can't see it.

The best way to get around this problem is through careful planning. Prior to installing Exchange 2000 or Exchange 2003, you need to verify that any user who has an Exchange mailbox also has an account within AD. Once you are relatively confident that all mailboxes have corresponding AD accounts, you should run a DS/IS Consistency Adjustment just to make absolutely sure.
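The pre-installation check described above can be scripted. The following is an added example, not part of the original tip: it cross-checks a mailbox export against an AD account export and lists the public folders where one unmatched entry would leave only the owner with access. The CSV column names, the folder permission data and the match on account name alone (ignoring the domain prefix) are assumptions, and all sample data is constructed.

```python
import csv
import io

# Constructed Exchange 5.5 mailbox export; column names are assumptions.
MAILBOXES_CSV = r"""Display Name,Alias Name,Primary Windows NT Account
Alice Ames,aames,CORP\aames
Bob Burke,bburke,CORP\bburke
Old Temp,otemp,NT4DOM\otemp
"""

# Constructed AD account export (DN plus sAMAccountName).
AD_CSV = """DN,sAMAccountName
"CN=Alice Ames,OU=Staff,DC=corp,DC=example",aames
"CN=Bob Burke,OU=Staff,DC=corp,DC=example",BBurke
"""

# Constructed public folder permissions: folder -> (owner alias, aliases with rights).
FOLDER_ACLS = {
    "Sales": ("aames", ["aames", "bburke"]),
    "Projects": ("bburke", ["aames", "bburke", "otemp"]),
}

def account_name(nt_account):
    """Drop the DOMAIN\\ prefix and normalise case (assumes names are unique)."""
    return nt_account.rsplit("\\", 1)[-1].strip().lower()

def unmatched_mailboxes(mailboxes_csv, ad_csv):
    """Return {alias: NT account} for mailboxes with no matching AD account."""
    ad_names = {row["sAMAccountName"].strip().lower()
                for row in csv.DictReader(io.StringIO(ad_csv))}
    return {row["Alias Name"].strip().lower(): row["Primary Windows NT Account"]
            for row in csv.DictReader(io.StringIO(mailboxes_csv))
            if account_name(row["Primary Windows NT Account"]) not in ad_names}

def folders_at_risk(folder_acls, missing):
    """One unmatched entry costs every non-owner their access to the folder."""
    report = {}
    for folder, (owner, members) in folder_acls.items():
        unmatched = sorted(m for m in members if m.lower() in missing)
        if unmatched:
            report[folder] = {"unmatched": unmatched,
                              "lose_access": sorted(m for m in members if m != owner)}
    return report

if __name__ == "__main__":
    missing = unmatched_mailboxes(MAILBOXES_CSV, AD_CSV)
    print("Mailboxes without an AD account:", missing)
    for folder, detail in folders_at_risk(FOLDER_ACLS, missing).items():
        print(folder, detail)
```

Any folder that appears in the report needs its unmatched entries resolved, either by creating the AD account or by removing the stale permission, before the folder replicates to the new server.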

Read part two where I explain how to run a DS/IS Consistency Adjustment.


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.


This was first published in June 2004
