This article was previously published under Q296937
This article has been archived. It is offered "as is" and will no longer be updated.
Permissions on public Web store folders may be changed when a new user is added and granted all permissions. The user may lose Owner, Deleted Child, and Contacts capabilities. This affects not only the new user, but also other users that had full inherited permissions on that folder.
This problem occurs because certain rights are not applicable to the Exchange 2000 information store security model. When an administrator uses Exchange System Manager to assign these rights to a user, the information store does not update the Access Control Entry (ACE) for these rights. The information store also evaluates the inherited rights for other users on the object, and then updates the ACE to indicate only the applicable rights. As a result, the full permissions ACE is changed to special permissions.
The following rights are not applicable to the Exchange 2000 information store security model:
The fsdrightOwner(owner) right is a pseudo-right for Exchange compatibility and is actually based on write property; Exchange does not use this right and simply uses the write property for this right.
The fsdrightReserved1 (delete child) right is ignored by the information store. This right is used by Microsoft Windows NT to override the permissions that exist in a folder, which is done at the kernel level. Because of the administrative rights that can be set through Exchange, this bit is not needed and is only provided for compatibility with installable file system (IFS).
The fsdrightContact right is another pseudo-right for Exchange compatibility; this right has no security semantics in the information store.
To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 2.
In Exchange 2000, the information store uses the Windows NT security model, instead of using its own security model. Access checking in Exchange 2000 is performed by using Windows NT functions and objects. As a result, there are instances in which Windows NT orders ACEs in one way, but Exchange 2000 uses a different ordering scheme so that the ACEs behave in the same manner that they did in earlier versions of Exchange Server.
The Microsoft Web Storage System software development kit (SDK) also documents this functionality.