The effective permissions a user can exercise on a directory object are the sum of two types of permissions:
Although a user account automatically inherits any additional permissions that the account also has on the object’s parent object, the inheritance doesn’t end at the parent object. It continues up the directory tree within the object’s naming context.
In the Microsoft Exchange Server DIT, a naming context is a subtree that starts at one object (the naming context master object) and is bounded by leaf objects or the start of another naming context.
The permissions an object inherits from above in the DIT hierarchy are limited by naming context master objects. That is, objects below these master objects in the DIT do not inherit user-account permissions from objects above them in the DIT hierarchy.
The four kinds of naming context master objects are all container objects. They are listed in the following table.
Naming Context Master Objects
Designation | Object |
---|---|
NC1 | Organization container |
NC2 | Site container |
NC3 | Configuration container |
NC4 | Schema container |
The use of naming contexts lets administrators more easily tailor the security structure of the DIT, allowing a single Windows NT account to have one set of permissions at a higher level (such as an organization) and a different set at a lower level (such as a site).
For example, in the following diagram, the One-Off Address Templates object resides in the Addressing container below the Configuration container of the site called NAmerica-W. In this example, a Windows NT user account has the role of User on the One-Off Address Templates object, the role of Admin on the Addressing container, and the role of Service acct admin on the NAmerica-W site object.
Roles on objects
The effective permissions for this user on the One-Off Address Templates object are:
In this way, a user with broad permissions on an object high in the DIT hierarchy (such as the NAmerica-W object) does not automatically have access to all the information in the individual sites.