Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

XADM: Delegate Rights Do Not Behave Consistently Between Domains


Symptoms

When you are configuring delegate rights to mailbox user accounts, the delegate rights do not consistently behave as you expect. Your environment may be configured similar to the following:
There are two Exchange Server computers, ServerA and ServerB.
Each server resides in a different Microsoft Windows NT domain or Microsoft Windows 2000 forest.
The domains are configured with a two-way trust relationship. If you are using forests, the forests are trusted.
You are configuring permissions for three mailbox users. Two of the users, User1 and User2, reside on ServerA. User3 resides on ServerB.

If you want User3 to gain access to User2's folder through User1's delegate rights, do the following:
1. Disable User1.
2. Grant User3 full mailbox access and associated external account rights on User1.
3. Log on as User2, and then grant User1 delegate access to a folder.
4. Log on as User3, and then try to access the folder in User2's mailbox.
This procedure is successful. However, if you reverse the order of steps 2 and 3, User3's access to User2's folder fails.

Note You can only assign the associated external account right to accounts that reside in different forests or directory databases. Similarly, you can only assign delegate access to users who reside in the same forest or directory database.

Cause

This issue occurs because of the way Exchange writes the security identifier (SID) during delegation.

When you assign delegate rights, the SID of the user being delegated to (User1 in this case) is written to the access control list (ACL) of the user who is granting the delegation (User2). However, if the associated external account right has been assigned to the delegated user before the delegation, the SID of the user who holds the associated external account right is written to the ACL during delegation instead. In this case, that user is User3.

The result is that the SID of User3 is written to the ACL of User2. Therefore, User3 has access to User2's folder through the delegate designation that is assigned to User1. However, if the delegation had been completed before the associated external account right was granted to User3, User1's SID would have been written to User2's ACL. In this scenario, User3 would not have access to User2's folder.

Note Permissions established before the associated external account right is given are not changed.
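As an added illustration of the ordering dependency described above (not Microsoft's code and not an Exchange API), the following Python model writes the associated external account's SID to the folder ACL when that account is already bound at delegation time, and includes an assumed audit helper that flags ACL entries whose SID is not the intended delegate's own SID. User names follow the article; the SIDs are constructed sample values.

```python
# Added model (not Microsoft's code) of the behaviour this article describes:
# which SID Exchange writes into the delegating user's folder ACL.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class User:
    name: str
    sid: str                                   # constructed sample SIDs
    disabled: bool = False
    external_account: Optional["User"] = None  # associated external account

Acl = Dict[str, Dict[str, str]]                # folder -> {sid: right}

def grant_external_account(mailbox_user: User, external: User) -> None:
    """Step 2: bind a disabled mailbox account to an account in another forest."""
    if not mailbox_user.disabled:
        raise ValueError("associated external account requires a disabled account")
    mailbox_user.external_account = external

def grant_delegate(acl: Acl, folder: str, delegate: User) -> str:
    """Step 3: write the delegate's SID to the ACL, unless the delegate already
    has an associated external account, in which case that account's SID is
    written instead (the Cause section's behaviour). Returns the SID written."""
    effective = delegate.external_account or delegate
    acl.setdefault(folder, {})[effective.sid] = "Delegate"
    return effective.sid

def can_access(acl: Acl, folder: str, who: User) -> bool:
    return who.sid in acl.get(folder, {})

def audit_mismatches(acl: Acl, intended: Dict[str, User]) -> List[Tuple[str, str]]:
    """Assumed audit helper: flag ACEs whose SID is not the intended delegate's
    own SID, i.e. a cross-forest account reached the ACL via delegation."""
    return [(f, sid) for f, aces in acl.items()
            for sid in aces if sid != intended[f].sid]

def scenario(external_first: bool) -> dict:
    """Run the article's steps with step 2 either before or after step 3."""
    user1 = User("User1", "S-1-5-21-1-1001", disabled=True)   # ServerA forest
    user2 = User("User2", "S-1-5-21-1-1002")
    user3 = User("User3", "S-1-5-21-2-3003")                  # ServerB forest
    acl: Acl = {}
    if external_first:
        grant_external_account(user1, user3)
    grant_delegate(acl, "Inbox", user1)          # User2 grants User1 delegate access
    if not external_first:
        grant_external_account(user1, user3)     # existing ACEs are left unchanged
    return {"user1": can_access(acl, "Inbox", user1),
            "user3": can_access(acl, "Inbox", user3),
            "flagged": audit_mismatches(acl, {"Inbox": user1})}
```

Running scenario(True) reproduces the working order from the Symptoms section (User3's SID lands in the ACL and is flagged by the audit), while scenario(False) reproduces the failing order (only User1's SID is present).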

Keywords: KB812296, kbinfo

Article Info
Article ID : 812296
Revision : 5
Created on : 2/28/2007
Published on : 2/28/2007
Exists online : False
Views : 187