You can control access to objects in the directory by using the Administrator program to assign roles to Microsoft Windows NT Server user accounts and groups. Roles are sets of permissions that are provided in Microsoft Exchange Server for the purpose of administrative convenience. They define how much and what type of access a user or group has to an object. For example, the Administrator role gives administrators a number of permissions that help them perform their daily tasks. You can define custom roles, or you can use the following default roles provided with Microsoft Exchange Server:
Each role is defined by a set of permissions, and permissions define the specific actions that a particular user account or group can perform on an object. For example, the Delete permission grants the ability to delete an object. The permissions associated with each role are shown in the following table.
| Permission | Admin Role | Permissions Admin Role | Service Account Admin Role | View Only Admin Role | User Role | Send As Role | Search Role |
|---|---|---|---|---|---|---|---|
| Add Child | X | X | X | | | | |
| Modify User Attributes | X | X | X | X | X | | |
| Modify Admin Attributes | X | X | X | | | | |
| Delete | X | X | X | | | | |
| Logon | X | X | X | X | | | |
| Modify Permission | | X | X | | | | |
| Replication | | | X | | | | |
| Mailbox Owner | | | X | | X | | |
| Send As | | | X | | X | X | |
| Search | | | | | | | X |
You can grant permissions to groups of users as well as to individual user accounts. Permissions are also granted to Microsoft Exchange Server services. Most permissions apply only to the Microsoft Exchange Server Administrator program; however, some permissions, such as Modify User Attributes, can also apply to Microsoft Outlook. The following table describes the Microsoft Exchange Server permissions.
| Permission | Description |
|---|---|
| Add Child | Creates objects below the selected object in the directory hierarchy. For example, if a user has this permission for the Recipients container, that user can create mailboxes in that container. |
| Modify User Attributes | Modifies user-level attributes associated with an object. For example, a user with this permission can modify the members of a distribution list. |
| Modify Admin Attributes | Modifies administrator-level attributes associated with an object. For example, a user with this permission can modify the job title and display name fields in a mailbox. |
| Modify Permission | Modifies permissions for existing objects. For example, without this permission, a user can grant permissions for new mailboxes but cannot modify permissions for existing ones. |
| Delete | Deletes objects. |
| Send As | Sends messages with the recipient's return address. For example, all users have this permission for their own mailboxes so that they can send messages with that mailbox's return address. This permission is also granted to the service account for server objects in the directory so that directory service processes can send messages to each other. |
| Mailbox Owner | Reads and deletes messages in this mailbox. This permission is also granted to the service account for server objects in the directory so that directory processes can send messages to each other. |
| Logon Rights | Grants access to the directory. Users need this permission to use the Administrator program. Services also need this permission. |
| Replication | Replicates directory information with other servers. This permission is required by the Microsoft Exchange Server service account to replicate with other servers. |
| Search | Enables the selected user account to view the contents of the container. This permission is useful for restricting access to Address Book View containers. For more information about using the Search permission with Address Book views, see Microsoft Exchange Server Operations. |
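The two tables above together define an access-control model: a role is a fixed set of permissions, a role is assigned to an NT account or group on a particular directory object, and an account's effective permissions on that object are the union over every role it holds directly or through group membership. The following Python model is an added example written for this page, not Exchange Server code or any part of the Administrator program. It takes the role and permission names from the tables (using "Logon" as the first table spells it), while the accounts, groups, container names and role assignments are constructed for illustration, and it does not model inheritance of permissions down the directory hierarchy, which the page does not describe. It includes an audit helper for reviewing who holds a high-impact permission such as Modify Permission or Replication on an object, and demonstrates the Modify Permission caveat: an account with only the Admin role can create mailboxes under Recipients but cannot change permissions on existing objects there.

```python
"""Toy model of the Exchange Server directory role/permission scheme described
on this page. Added example, not Exchange code: role and permission names come
from the page's tables; accounts, groups, objects and assignments are constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Role definitions as sets of permissions (the first table above).
ROLES: Dict[str, FrozenSet[str]] = {
    "Admin": frozenset({"Add Child", "Modify User Attributes",
                        "Modify Admin Attributes", "Delete", "Logon"}),
    "Permissions Admin": frozenset({"Add Child", "Modify User Attributes",
                                    "Modify Admin Attributes", "Delete", "Logon",
                                    "Modify Permission"}),
    "Service Account Admin": frozenset({"Add Child", "Modify User Attributes",
                                        "Modify Admin Attributes", "Delete", "Logon",
                                        "Modify Permission", "Replication",
                                        "Mailbox Owner", "Send As"}),
    "View Only Admin": frozenset({"Modify User Attributes", "Logon"}),
    "User": frozenset({"Modify User Attributes", "Mailbox Owner", "Send As"}),
    "Send As": frozenset({"Send As"}),
    "Search": frozenset({"Search"}),
}

# Constructed directory state. In a real deployment this comes from the
# Administrator program's Permissions tab; here it is hard-coded.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "DOMAIN\\Exchange Admins": {"DOMAIN\\alice"},
    "DOMAIN\\Helpdesk": {"DOMAIN\\bob"},
}
# object -> [(NT account or group, role held on that object), ...]
ASSIGNMENTS: Dict[str, List[Tuple[str, str]]] = {
    "Recipients": [("DOMAIN\\Exchange Admins", "Admin"),
                   ("DOMAIN\\Helpdesk", "View Only Admin")],
    "Recipients/alice": [("DOMAIN\\alice", "User")],
    "Servers/EXCH1": [("DOMAIN\\exchsvc", "Service Account Admin")],
}


def principals_for(account: str) -> Set[str]:
    """The account itself plus every group it is a member of."""
    return {account} | {g for g, members in GROUP_MEMBERS.items() if account in members}


def effective_permissions(account: str, obj: str) -> FrozenSet[str]:
    """Union of the permissions of every role the account, or one of its
    groups, holds on obj. Only assignments on obj itself are considered."""
    perms: Set[str] = set()
    mine = principals_for(account)
    for principal, role in ASSIGNMENTS.get(obj, []):
        if principal in mine:
            perms |= ROLES[role]
    return frozenset(perms)


def can(account: str, permission: str, obj: str) -> bool:
    """Access check: does the account hold the permission on obj?"""
    return permission in effective_permissions(account, obj)


def holders_of(permission: str, obj: str) -> Set[str]:
    """Audit helper: every principal whose role on obj grants the permission.
    Useful for a least-privilege review of Modify Permission or Replication."""
    return {p for p, role in ASSIGNMENTS.get(obj, []) if permission in ROLES[role]}


if __name__ == "__main__":
    # alice is an Admin on Recipients through her group: she can create
    # mailboxes there, but cannot modify permissions on existing objects.
    print(can("DOMAIN\\alice", "Add Child", "Recipients"))          # True
    print(can("DOMAIN\\alice", "Modify Permission", "Recipients"))  # False
    # bob's View Only Admin role lets him log on but not delete.
    print(can("DOMAIN\\bob", "Logon", "Recipients"))                # True
    print(can("DOMAIN\\bob", "Delete", "Recipients"))               # False
    # Who can replicate from this server object? Only the service account.
    print(holders_of("Replication", "Servers/EXCH1"))
```

Because `effective_permissions` is a plain union, adding an account to a second group can only widen what it may do; running `holders_of` for Modify Permission and Replication over every server and container object is the quickest way to confirm that those permissions remain with the Permissions Admin and service account principals that need them.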