Flag Settings for Privileged Access

The preceding sample code contains calls to the IExchangeManageStore::CreateStoreEntryID and IMAPISession::OpenMsgStore methods. The following flags should be passed in the ulFlags parameter of these calls.

Flags Used with IExchangeManageStore::CreateStoreEntryID

OPENSTORE_USE_ADMIN_PRIVILEGE Grants temporary user rights to an application for the specified information store if the application already has Admin privilege on the information store. It allows the application to act as owner of the store, but it does not log on to the mailbox under the mailbox owner identity. Passing this flag causes a security event to be written to the event log. It is normally used in conjunction with OPENSTORE_TAKE_OWNERSHIP.

OPENSTORE_TAKE_OWNERSHIP Opens the store with Ownership privilege. When an application specifies this flag, it accesses the store under the identity of the store’s owner. Passing this flag causes a security event to be written to the event log.

Flags Used with IMAPISession::OpenMsgStore

MDB_NO_DIALOG Prevents display of logon dialog boxes. If this flag is set, the error value MAPI_E_LOGON_FAILED is returned when logon is unsuccessful. If this flag is not set, the information store provider can prompt the user to correct a name or password, insert a disk, or perform other actions necessary to establish connection to the store. Pass this flag to avoid these prompts during an automated process.

MDB_NO_MAIL Indicates the information store should not be used for sending or receiving mail. The flag signals MAPI not to notify the MAPI spooler that this information store is being opened.

Important: Because an active spooler can cause unexpected results in a mailbox you have opened with privileged access, it is very important to pass the MDB_NO_MAIL flag when you call IMAPISession::OpenMsgStore.

MDB_TEMPORARY Instructs MAPI that the store is not to be added to the message-store information table and that the store cannot be made permanent.

MAPI_BEST_ACCESS Indicates the object should be opened with the maximum network permissions allowed for the user and the maximum client application access. For example, if the client has read/write access, the object is opened with read/write access; if the client has read-only access, the object is opened with read-only access. The client can retrieve the access level by getting the PR_ACCESS_LEVEL property.
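The flag combinations above, as an added example rather than the sample code this section refers to: a C++ unit that builds the two flag sets, a small call-site check that encodes the rules stated in this section (it assumes an automated process, so it treats a missing MDB_NO_DIALOG or MDB_TEMPORARY as a problem, and treats a missing MDB_NO_MAIL as a problem whenever the entry ID was created with privileged flags), and, on Windows only, the CreateStoreEntryID and OpenMsgStore sequence itself. The function names OpenMailboxAsOwner and checkPrivilegedOpen and the DN arguments are this example's own, not part of the page; the numeric flag values are the ones from mapidefs.h and edkmdb.h and are defined locally only when those headers are not available.

```cpp
// Added example: opening a mailbox with Exchange admin privilege via Extended MAPI.
// The flag policy below is portable C++; the MAPI calls only compile on Windows
// with the MAPI headers (mapix.h, edkmdb.h, edkguid.h) available.
#include <cstdint>
#include <string>
#include <vector>

#ifdef _WIN32
#include <mapix.h>
#include <edkmdb.h>
#include <edkguid.h>
#else
// Values copied from mapidefs.h / edkmdb.h so the policy code compiles off Windows.
typedef uint32_t ULONG;
#define OPENSTORE_USE_ADMIN_PRIVILEGE 0x00000001
#define OPENSTORE_TAKE_OWNERSHIP      0x00000008
#define MDB_NO_DIALOG                 0x00000001
#define MDB_TEMPORARY                 0x00000020
#define MDB_NO_MAIL                   0x00000080
#define MAPI_BEST_ACCESS              0x00000010
#endif

// Flags for IExchangeManageStore::CreateStoreEntryID: use the caller's existing
// Admin right on the store and open the mailbox under its owner's identity.
inline ULONG privilegedEntryIdFlags() {
    return OPENSTORE_USE_ADMIN_PRIVILEGE | OPENSTORE_TAKE_OWNERSHIP;
}

// Flags for IMAPISession::OpenMsgStore on that entry ID: no logon UI, keep the
// spooler away from the mailbox, do not register the store, best available access.
inline ULONG privilegedOpenFlags() {
    return MDB_NO_DIALOG | MDB_NO_MAIL | MDB_TEMPORARY | MAPI_BEST_ACCESS;
}

// Call-site check (this example's own): returns the rules from this section that
// the given flag pair violates; an empty list means the combination is acceptable
// for an unattended, privileged open.
std::vector<std::string> checkPrivilegedOpen(ULONG createFlags, ULONG openFlags) {
    std::vector<std::string> problems;
    const bool privileged =
        (createFlags & (OPENSTORE_USE_ADMIN_PRIVILEGE | OPENSTORE_TAKE_OWNERSHIP)) != 0;
    if ((createFlags & OPENSTORE_USE_ADMIN_PRIVILEGE) &&
        !(createFlags & OPENSTORE_TAKE_OWNERSHIP))
        problems.push_back("OPENSTORE_USE_ADMIN_PRIVILEGE without OPENSTORE_TAKE_OWNERSHIP");
    if (privileged && !(openFlags & MDB_NO_MAIL))
        problems.push_back("privileged open without MDB_NO_MAIL: spooler may act on the mailbox");
    if (!(openFlags & MDB_NO_DIALOG))
        problems.push_back("MDB_NO_DIALOG missing: provider may block on a logon prompt");
    if (!(openFlags & MDB_TEMPORARY))
        problems.push_back("MDB_TEMPORARY missing: store would be added to the store table");
    return problems;
}

#ifdef _WIN32
// Opens the mailbox lpszMailboxDN as its owner, using an already-open store
// (lpAdminStore) on which the caller holds Admin rights. Both DNs are inputs
// the caller supplies; nothing here is taken from the page's sample.
HRESULT OpenMailboxAsOwner(LPMAPISESSION lpSession, LPMDB lpAdminStore,
                           LPSTR lpszMsgStoreDN, LPSTR lpszMailboxDN,
                           LPMDB *lppMailbox) {
    *lppMailbox = NULL;
    IExchangeManageStore *pManageStore = NULL;
    HRESULT hr = lpAdminStore->QueryInterface(IID_IExchangeManageStore,
                                              (void **)&pManageStore);
    if (FAILED(hr)) return hr;

    ULONG cbEntryID = 0;
    LPENTRYID lpEntryID = NULL;
    // Both privilege flags here: this call is what writes the security event.
    hr = pManageStore->CreateStoreEntryID(lpszMsgStoreDN, lpszMailboxDN,
                                          privilegedEntryIdFlags(),
                                          &cbEntryID, &lpEntryID);
    pManageStore->Release();
    if (FAILED(hr)) return hr;

    // With MDB_NO_DIALOG a failed logon returns MAPI_E_LOGON_FAILED rather
    // than prompting; MDB_NO_MAIL keeps the spooler out of the opened mailbox.
    hr = lpSession->OpenMsgStore(0, cbEntryID, lpEntryID, NULL,
                                 privilegedOpenFlags(), lppMailbox);
    MAPIFreeBuffer(lpEntryID);
    return hr;
}
#endif
```

Run checkPrivilegedOpen over the two masks an existing application actually passes before changing it; the most common finding in practice is an OpenMsgStore call that uses the admin-created entry ID but omits MDB_NO_MAIL.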