XADM: Using Local Groups to Assign Permissions in Exchange

 Last reviewed: April 3, 1997
Article ID: Q149362

SUMMARY

Windows NT local groups should not be used for purposes of permission assignment to Microsoft Exchange Site objects unless all Microsoft Exchange Servers within the Microsoft Exchange Site are on domain controllers (DC's) within the same domain.

MORE INFORMATION

The Microsoft Exchange Server Administrator program allows you to assign permissions on Microsoft Exchange objects to Windows NT local groups defined on the DC of the domain to which the Microsoft Exchange Server belongs. The use of local groups can be a handy way of simplifying permissions assignment in certain cases. However, local groups must not be used to assign permissions in Microsoft Exchange unless all of the Microsoft Exchange Servers within the Microsoft Exchange Site are DC's within the same Windows NT domain.

The reason why local groups will not work when any Microsoft Exchange Server is not on a DC is straightforward: Local groups under Windows NT are valid for permissions assignment only for the computers upon which the groups were defined. In the case of a DC, local groups defined on one DC are valid for permissions assignment on all DC's in the domain (because all DC's in a given domain share the same security database). However, local groups defined on a member server are valid only for use upon the server itself because the security database of a member server is unique to that computer. As a result of this, if local groups defined on a DC are used to assign permissions on a member server, the permissions thus defined cannot be validated on that member server because it does not have full access to the security database of the DC. The local groups are recognized, but permissions assigned to them will not work.

In cases where local groups may be safely used, Microsoft Exchange enumerates local groups on the DC of the Microsoft Exchange Server domain in the permissions dialog box. However, you should take care not to use local groups for permissions assignment if all of the Microsoft Exchange Servers in your site are not on DC's within the same domain.

For maximum compatibility with any future changes you may make to your Microsoft Exchange Site configuration, you should avoid the use of local groups for permissions assignments entirely.

Additional query words:
Keywords : kbusage XADM
Version : 4.0 5.0
Platform : WINDOWS

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: April 3, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.