Platform SDK: Exchange Server

Working with Associated Windows NT Accounts

Using the Microsoft Exchange Server Administrator program, you can set or change the Windows NT account associated with a Microsoft Exchange mailbox. You make this setting on the General property page for the Recipient object, using the Primary Windows NT Account button.

Setting the Primary Windows NT Account has these results:

Windows NT security privileges are granted or denied to Windows NT security accounts through the data structure known as a Windows NT security descriptor. It describes specific object-access permissions granted to specific security accounts. For example, a mailbox's Primary Windows NT Account — identified by the Assoc-NT-Account attribute — has its own entry in the NT Security Descriptor, which in turn is stored in the NT-Security-Descriptor attribute.

The Assoc-NT-Account attribute does not contain the security account's textual name, but rather a binary string known as a security identifier (SID). Every object in the Windows NT Security Domain has a SID, and most, such as Windows NT user accounts, also have names — for example, REDMOND\fredb.

The directory access functions provide a mapping between the text name of the security account and the binary SID. The BatchImport and DAPIWrite functions accept a Windows NT account name and call the Win32 function LookupAccountName to obtain a SID. BatchExport and DAPIRead obtain the account name by calling the Win32 LookupAccountSid function. For more information, see About Directory Security.

Using the Primary Windows NT Account Attribute

You can also work with the Primary Windows NT Account value programmatically. To do this with directory access functions, you would look up (export) or change (import) the Assoc-NT-Account attribute. With MAPI, this attribute is accessible as the PR_EMS_AB_ASSOC_NT_ACCOUNT property.

Making Security Settings with the Directory Access Functions

When a Primary Windows NT Account is assigned to a mailbox, the directory access functions automatically modify the underlying security attribute (NT-Security-Descriptor) to grant mailbox owner rights to the account. This permissions change can take effect only if the application calling the directory access functions is running under an account that holds the Permissions Admin role, not just the Admin role.

The directory access functions do not allow complete manipulation of security settings. For example, while you can use the directory access pseudo attributes to assign roles like User, Admin, and Permissions Admin, you cannot set the arbitrary rights combinations that you could set from the Administrator program.

You can, however, import an NT-Security-Descriptor setting, but only when using directory access raw mode. That is, you can build a Windows NT security descriptor using standard Windows NT security functions (such as LookupAccountSid), but to place it in the NT-Security-Descriptor attribute you need to call a directory access import function (BatchImport or DAPIWrite) with the DAPI_RAW_MODE control flag set. The security descriptor you import must be in self-relative form. (For more information on absolute and self-relative security descriptors, see Security Descriptors in the Microsoft Platform SDK.)

Making Security Settings with MAPI

If you have used MAPI to set the PR_EMS_AB_ASSOC_NT_ACCOUNT property, you will need to grant mailbox owner rights as well. Because this attribute on its own does not grant rights, the main underlying security attribute (PR_EMS_AB_NT_SECURITY_DESCRIPTOR) must also be updated to specify the rights you want the mailbox owner to have.

You will now need to add the account to the Windows NT security descriptor with the correct ACCESS_MASK structure.

To add a new Windows NT account to the Windows NT security descriptor

This simplified procedure contains the basic steps for adding a Windows NT account. For more complete information, see the Platform SDK documentation, including the overview of Windows NT security.

Before you begin, you need to know the Windows NT account name (or SID), the name of the security domain the account will be a member of, and the permissions to be granted to the account.

  1. If you do not already know the SID for the account in the appropriate security domain, obtain it by calling the Win32 security function LookupAccountName.
  2. Place this SID with the appropriate rights in an access control entry (ACE) in an access control list (ACL) in a security descriptor.

    In order to grant or revoke specific permissions to given Windows NT Accounts, you need to set the correct bits in the ACCESS_MASK structure in the access control entry when you build the security descriptor. For more information on the ACCESS_MASK structure, see the Win32 Structures documentation in the "Reference" section of the Microsoft Platform SDK.

  3. Convert this security descriptor into self-relative form (so that all members of the Win32 SECURITY_DESCRIPTOR structure are located contiguously in memory) for storage in the PR_EMS_AB_NT_SECURITY_DESCRIPTOR property.
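The following is an added example, not code from the Platform SDK or from Exchange, that lays out the three steps above (and the self-relative form required for a raw-mode import, described earlier) as the byte layout of a self-relative security descriptor: a SID is placed in an ACCESS_ALLOWED_ACE, the ACE in a DACL, and the DACL behind a 20-byte header whose offsets are relative to the start of the blob. It makes no Win32 calls, so the SID is a constructed string standing in for the binary SID LookupAccountName would return, and the access mask is a labelled placeholder rather than the actual Exchange mailbox owner right.

```python
import struct

# Constants from the Win32 security headers (winnt.h).
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2
SECURITY_DESCRIPTOR_REVISION = 1
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000

# Constructed sample SID in string form; a real tool would use the binary SID
# returned by LookupAccountName. The access mask is a labelled placeholder:
# take the actual Mailbox Owner right value from the Exchange headers.
SAMPLE_SID = "S-1-5-21-1000-2000-3000-1105"
PLACEHOLDER_MAILBOX_OWNER_MASK = 0x00000010

def sid_to_bytes(sid_str):
    """Serialize S-R-A-S1-... into the binary SID: Revision, SubAuthorityCount,
    6-byte big-endian IdentifierAuthority, then little-endian SubAuthority DWORDs."""
    parts = sid_str.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def build_access_allowed_ace(sid, access_mask):
    """ACE_HEADER (AceType, AceFlags, AceSize) + ACCESS_MASK + SID."""
    ace_size = 4 + 4 + len(sid)
    return struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, access_mask) + sid

def build_acl(aces):
    """ACL header (AclRevision, Sbz1, AclSize, AceCount, Sbz2) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(body), len(aces), 0) + body

def build_self_relative_sd(dacl):
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header whose Owner/Group/Sacl/Dacl
    fields are byte offsets from the start of the blob (0 = absent), then the DACL,
    so the whole descriptor is one contiguous buffer suitable for a binary property."""
    control = SE_DACL_PRESENT | SE_SELF_RELATIVE
    header = struct.pack("<BBHIIII", SECURITY_DESCRIPTOR_REVISION, 0, control,
                         0, 0, 0, 20)  # OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    return header + dacl

def mailbox_owner_sd(sid_str, access_mask):
    """Steps 1-3 of the procedure: SID -> ACE -> DACL -> self-relative descriptor."""
    ace = build_access_allowed_ace(sid_to_bytes(sid_str), access_mask)
    return build_self_relative_sd(build_acl([ace]))
```

For the sample SID the result is a 64-byte blob with the DACL at offset 20, one ACE of 36 bytes, and the SID starting at offset 36.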