Permissions and 'mixed mode' don't always mix, part 1

If you run a mixed-mode environment, you have challenges to deal with when it comes to permissions. This tip explains the workarounds to handle it. Part one of a two-part series.

You shouldn't feel like a misfit if you are in a mixed Exchange environment.

Microsoft Exchange 2000 and Exchange 2003 both use AD. Although Exchange 5.5 is not AD aware, Exchange 2000 and 2003 are backward compatible to it through something called mixed mode.

Although a properly configured mixed-mode environment can function just about as well as an Exchange Server 2000 or 2003 native mode environment, there are a few features that you won't have access to within mixed mode. And there are some real gotchas when it comes to permissions. In fact, permissions can be particularly tricky when it comes to Exchange's public folders.

The problems stem from differences in the ways in which Exchange 5.5 and Exchange 2000 and 2003 store permissions. The actual permissions mechanisms are intricate. In a nutshell, Exchange 5.5 public folders do not have an Access Control List (ACL) property associated with them. Instead, the ACLs are stored in an ACL identifier table that must cross reference an ACL member table.

Meanwhile, Exchange 2000 and 2003 work differently. In Exchange 2000 and 2003, mailboxes are not separate objects, but attributes of a user account. Therefore, public folder permissions are based on the user account security identifiers (SIDs) rather than table entries.

So what does all this mean? Any time public folder permissions are set or modified, Exchange has to make a conversion between the two permission schemes. This is where the problems start. Many administrators have found that although installing a newer version of Exchange into an Exchange 5.5 environment initially works well, most users lose public folder access once those folders are replicated to the new Exchange server.

This happens because of differences between the permissions. If even one user has permissions to a public folder on an Exchange 5.5, but does not have a corresponding AD account, then Exchange will remove all permissions to the folder for everyone except for the folder's owner. So unless a user happens to own the public folder, the folder will look like it doesn't exist. In truth, the folder does still exist, but the user can't see it.

The best way to get around this problem is through careful planning. Prior to installing Exchange 2000 or Exchange 2003, you need to verify that any user who has an Exchange mailbox also has an account within the AD. Once you are relatively confident that all mailboxes have corresponding AD accounts, you should run a DS/IS Consistency Adjustment just to make absolutely sure.

Read part two where I explain how to run a DS/IS Consistency Adjustment.


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Do you have a useful Exchange tip to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

This was first published in June 2004

Dig deeper on Exchange Server Deployment and Migration Advice

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close