Changing Permissions on Shared Directories Created During Setup

When Microsoft Exchange Server is installed, Setup creates several shared directories so that other Microsoft Exchange Server computers can have access to the files in the directories. By default, Setup sets permissions for these directories that are usually sufficient for most organizations. However, you can change the permissions if those default permissions do not give the files enough protection against attacks by unauthorized users.

Caution   Change permissions on these directories only if it is necessary because the changes could damage your Microsoft Exchange Server system.

Setup creates the shared directories shown in the following table.
Directory Description
Add-ins Contains files that the Microsoft Exchange Server Administrator program uses to display information about connectors. This directory is shared as Add-ins.
Address Contains files for creating e-mail addresses. This directory is shared as Address.
Connect Contains files for Microsoft Exchange Server connectors. This directory is a hidden share that is shared as connect$.
Connect\Msmcon\Maildata Contains files used for Microsoft Mail. This is a hidden share that is available only if the Microsoft Mail Connector is installed. It is shared as maildat$.
Res Contains files, such as logs for Event Viewer and Microsoft Windows NT Performance Monitor, used by the local computer and remote computers. This directory is shared as resources.
Tracking.log Contains files used for message tracking. This directory is shared as tracking.log.

The permissions granted to these directories are shown in the following table.
Permission Type of access
Everyone Read (except for Maildata, which has full control)
Service account Full control
Local administrators Full control

To restrict access to the shared directories, remove the Everyone permission and grant permissions to specific accounts using File Manager. Use the following guidelines for restricting access on shared directories: