XADM: Information Store Does Not Set Permissions Correctly on Public Web Store Folders

Article ID: 296937 - View products that this article applies to.
This article was previously published under Q296937
Expand all | Collapse all

SYMPTOMS

Permissions on public Web store folders may be changed when a new user is added and granted all permissions. The user may lose Owner, Deleted Child, and Contacts capabilities. This affects not only the new user, but also other users that had full inherited permissions on that folder.
Back to the top | Give Feedback

CAUSE

This problem occurs because certain rights are not applicable to the Exchange 2000 information store security model. When an administrator uses Exchange System Manager to assign these rights to a user, the information store does not update the Access Control Entry (ACE) for these rights. The information store also evaluates the inherited rights for other users on the object, and then updates the ACE to indicate only the applicable rights. As a result, the full permissions ACE is changed to special permissions.

The following rights are not applicable to the Exchange 2000 information store security model:
  • The fsdrightOwner(owner) right is a pseudo-right for Exchange compatibility and is actually based on write property; Exchange does not use this right and simply uses the write property for this right.
  • The fsdrightReserved1 (delete child) right is ignored by the information store. This right is used by Microsoft Windows NT to override the permissions that exist in a folder, which is done at the kernel level. Because of the administrative rights that can be set through Exchange, this bit is not needed and is only provided for compatibility with installable file system (IFS).
  • The fsdrightContact right is another pseudo-right for Exchange compatibility; this right has no security semantics in the information store.
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
301378
(http://support.microsoft.com/kb/301378/EN-US/ )
XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 2.
Back to the top | Give Feedback

MORE INFORMATION

In Exchange 2000, the information store uses the Windows NT security model, instead of using its own security model. Access checking in Exchange 2000 is performed by using Windows NT functions and objects. As a result, there are instances in which Windows NT orders ACEs in one way, but Exchange 2000 uses a different ordering scheme so that the ACEs behave in the same manner that they did in earlier versions of Exchange Server.

The Microsoft Web Storage System software development kit (SDK) also documents this functionality.
Back to the top | Give Feedback

Properties

Article ID: 296937 - Last Review: February 19, 2007 - Revision: 1.4
APPLIES TO
  • Microsoft Exchange 2000 Server Standard Edition
Keywords: 
kbbug kbexchange2000presp2fix kbexchange2000sp2fix kbfix kbprb KB296937
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top