Inheritance of Permissions

The effective permissions a user can exercise on a directory object are the sum of two types of permissions:

The permissions the user account has on that object
The permissions the user account inherits from above. The account inherits only the permissions assigned to the same user account on object(s) above it in the directory information tree (DIT) hierarchy.

Although a user account automatically inherits any additional permissions that the account also has on the object’s parent object, the inheritance doesn’t end at the parent object. It continues up the directory tree within the object’s naming context.

Naming Contexts

In the Microsoft Exchange Server DIT, a naming context is a subtree that starts at one object (the naming context master object) and is bounded by leaf objects or the start of another naming context.

The permissions an object inherits from above in the DIT hierarchy are limited by naming context master objects. That is, objects below these master objects in the DIT do not inherit user-account permissions from objects above them in the DIT hierarchy.

The four kinds of naming context master objects are all container objects. They are listed in the following table.

Naming Context Master Objects

Designation	Object
NC1	Organization container
NC2	Site container
NC3	Configuration container
NC4	Schema container

Using Naming Contexts to Determine Permissions

The use of naming contexts lets administrators more easily tailor the security structure of the DIT, allowing a single Windows NT account to have one set of permissions at a higher level (such as an organization) and a different set at a lower level (such as a site).

For example, in the following diagram, the One-Off Address Templates object resides in the Addressing container below the Configuration container of the site called NAmerica-W. In this example, a Windows NT user account has the role of User on the One-Off Address Templates object, the role of Admin on the Addressing container, and the role of Service acct admin on the NAmerica-W site object.

Roles on objects

The effective permissions for this user on the One-Off Address Templates object are:

User permission on the One-Off Address Templates object itself, as specifically granted.
Admin permissions inherited from the Addressing object. This object is within the NC3 naming context (the Configuration object), so its permissions are inherited.
The user’s permissions on the NAmerica-W object are not inherited because the Configuration object (a naming context) interrupts the inheritance.

In this way, a user with broad permissions on an object high in the DIT hierarchy (such as the NAmerica-W object) does not automatically have access to all the information in the individual sites.