Inheritance of Permissions

The effective permissions a user can exercise on a directory object are the sum of two types of permissions:

Although a user account automatically inherits any additional permissions that the account also has on the object’s parent object, the inheritance doesn’t end at the parent object. It continues up the directory tree within the object’s naming context.

Naming Contexts

In the Microsoft Exchange Server DIT, a naming context is a subtree that starts at one object (the naming context master object) and is bounded by leaf objects or the start of another naming context.

The permissions an object inherits from above in the DIT hierarchy are bounded by naming context master objects. That is, an object below a master object in the DIT inherits user-account permissions only from objects within its own naming context, not from objects above the master object in the DIT hierarchy.

The four kinds of naming context master objects are all container objects. They are listed in the following table.

Naming Context Master Objects

Designation   Object
NC1           Organization container
NC2           Site container
NC3           Configuration container
NC4           Schema container

Using Naming Contexts to Determine Permissions

The use of naming contexts lets administrators more easily tailor the security structure of the DIT, allowing a single Windows NT account to have one set of permissions at a higher level (such as an organization) and a different set at a lower level (such as a site).

For example, in the following diagram, the One-Off Address Templates object resides in the Addressing container below the Configuration container of the site called NAmerica-W. In this example, a Windows NT user account has the role of User on the One-Off Address Templates object, the role of Admin on the Addressing container, and the role of Service acct admin on the NAmerica-W site object.

Roles on objects

The effective permissions for this user on the One-Off Address Templates object are:

In this way, a user with broad permissions on an object high in the DIT hierarchy (such as the NAmerica-W object) does not automatically have access to all the information in the individual sites.
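The inheritance rule above, applied to the page's own example, as an added Python model that is not part of the original documentation and not Exchange's own code. It builds the DIT fragment from the example (Organization, the NAmerica-W site, its Configuration container, the Addressing container and the One-Off Address Templates object), marks the naming context master objects from the table, and computes an account's effective roles by walking up the tree until it reaches a master object. The account name is constructed, and the model assumes that a master object's own permissions are inherited by the objects below it while nothing above the master contributes.

```python
from dataclasses import dataclass, field


@dataclass
class DirObject:
    """One object in the DIT. Roles are kept per account as a set of role names."""
    name: str
    parent: "DirObject | None" = None
    is_nc_master: bool = False  # NC1..NC4 from the table: Organization, Site, Configuration, Schema
    roles: dict = field(default_factory=dict)  # account -> set of role names

    def grant(self, account: str, role: str) -> None:
        self.roles.setdefault(account, set()).add(role)


def inheritance_chain(obj: DirObject) -> list:
    """Objects whose permissions flow down to obj, nearest first.

    Assumption (not spelled out on the page): the naming context master object's
    own permissions are inherited by everything below it, but the walk stops
    there, so objects above the master contribute nothing.
    """
    chain = []
    cur = obj
    while cur is not None:
        chain.append(cur)
        if cur.is_nc_master:
            break
        cur = cur.parent
    return chain


def effective_roles(obj: DirObject, account: str) -> set:
    """Union of the account's roles on obj and on every ancestor inside obj's naming context."""
    roles = set()
    for ancestor in inheritance_chain(obj):
        roles |= ancestor.roles.get(account, set())
    return roles


def build_example() -> dict:
    """The DIT fragment from the page's example; the account name is constructed."""
    org = DirObject("Organization", is_nc_master=True)                    # NC1
    site = DirObject("NAmerica-W", parent=org, is_nc_master=True)          # NC2
    config = DirObject("Configuration", parent=site, is_nc_master=True)   # NC3
    addressing = DirObject("Addressing", parent=config)
    templates = DirObject("One-Off Address Templates", parent=addressing)

    account = "CORP\\alice"  # constructed Windows NT account name, not from the page
    templates.grant(account, "User")
    addressing.grant(account, "Admin")
    site.grant(account, "Service acct admin")
    return {"account": account, "org": org, "site": site, "config": config,
            "addressing": addressing, "templates": templates}


if __name__ == "__main__":
    ex = build_example()
    acct = ex["account"]
    for key in ("templates", "addressing", "config", "site"):
        obj = ex[key]
        chain = " -> ".join(o.name for o in inheritance_chain(obj))
        print(f"{obj.name}: chain [{chain}] roles {sorted(effective_roles(obj, acct))}")
```

Run as a script, the model reports that on the One-Off Address Templates object the account holds User (set directly) plus Admin (inherited from the Addressing container) and nothing more: the chain stops at the Configuration container, the NC3 master object, so the Service acct admin role granted on the NAmerica-W site object never reaches the template. That is the behaviour the paragraph above describes, and the same walk shows why a role granted on the Organization container does not reach the site, which is itself an NC2 master.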