Question

Public Folder Permissions in Exchange 2007

Asked by: cuiinc

My users are having problems viewing newly created public folders if they are created by someone else.  I can create new data as a domain administrator, then log in as a DIFFERENT domain admin and not see the new data.  This appears to be a permissions problem as we only have 1 public folder store, no replicas.  Under my Public Folder Management Console, I can see all our folders, however I don't see a properties tab that includes permissions.  I can change properties through Outlook, but that doesn't seem to work.  For instance, as a domain admin, if I create a new public folder through Outlook and edit permissions to allow Everyone full ownership and access, I still can not see the public folder if I log in as a different user.  Yet the data shows up in Public Folder Management Console.  Help! :)

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-02-02 at 10:44:38ID24105660
Tags

Exchange 2007

Topic

Exchange Email Server

Participating Experts
1
Points
250
Comments
30

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Exchange 2007 Public Folders Permissions
    I'm unsuccessfully attempting to modify public folder permissions to allow a user to have full ownership access to all public folders. I read a technet article that said I can accomplish this by adding an Exchange Admministrator-Public Folder Administrator permission to the ...
  2. public folder instances lingering in Exchange 2003 after …
    i'm in process of migrating all of our Exchange 2003 mailboxes and public folders to a new Exchange 2007 server. so far everything has been going well but i've run into two snags. first: we have about 60GB of public folders on the 2003 server. i've done "move all replic...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: kevalaPosted on 2009-02-02 at 14:11:56ID: 23532022

What happens if you add permissions to the folder for someone using the management shell???

Add-PublicFolderClientPermission -Identity "\PF name" -User username -AccessRights FolderVisible -Server "servername"

Or, you can just type "Add-publicfolderclientpermission" and enter the prompts.
Note: When prompted for "Access rights0" or 1, you can hit enter twice to go to the next prompt.

The options for permission to add are:
ReadItems, CreateItems, EditOwnedItems, DeleteOwnedItems, EditAllItems, DeleteAllItems, CreateSubFolders, FolderOwner, FolderContact, FolderVisible"

 

by: cuiincPosted on 2009-02-02 at 14:25:51ID: 23532155

i've only rarely used the shell.  when i type "add-publicfolderclientpermission" what directory am i changing permissions on?  all of them?

 

by: cuiincPosted on 2009-02-02 at 14:28:53ID: 23532183

when i get to the promt "AccessRights[0]" i hit enter and it keeps giving me an Identity prompt.

 

by: kevalaPosted on 2009-02-02 at 16:47:45ID: 23533170

Yeah, that's what i was referring to by hitting enter twice. It does that in case you want to add more than one permission. You can just leave it blank, then hit enter again, and it will take you to the next prompt.

To answer the first question, it will prompt for which folder to do it on. "Identity"

 

by: cuiincPosted on 2009-02-03 at 10:05:27ID: 23540060

Kevala,
the good news is it works! so i know the issue is a permissions problem and can be solved with the "FolderVisible" permission.  the bad news is the command only works on the immediate parent level.  for example, I ran the command on "\Andrew\Customers\A - F", and users can now see this folder.  however, there are hundreds of customer folders beneath that.  is there a way to propagate the permissions?

 

by: kevalaPosted on 2009-02-03 at 11:48:00ID: 23541316

Hmm... i wonder if the permissions are missing on the parent hierarchy folder...

Are you familiar with ADSIEdit from the windows support tools?
If so, launch this, browse down to the CN=Folders\CN=Public Folders containers. Check this container and sub containers to see if permissions are inheriting down the tree.

I'm sure there is a way to assign it at the root level, i just honestly don't have time at the moment to find the command.
If you can't find the command, or don't feel comfortable with ADSIEdit and checking these perms, post back and i'll get back to this a little later today.

 

by: cuiincPosted on 2009-02-03 at 12:16:47ID: 23541661

well, i'm not too familiar with adsiedit.  i'd *rather* find a solution within Exchange somewhere, as i have a feeling i'm going to need to perform variations of this solution for quite a few upcoming issues.  i'd rather not embark into adsi if i don't have to.  so, if you have a chance, i'd much appreciate any further help you have :)

 

by: kevalaPosted on 2009-02-03 at 16:33:40ID: 23543913

Actually, by using ADSIEdit you are simply checking the permissions on the root Exchange Public Folders container. You would do this in the console, except it's not there anymore. :)

1. Launch ADSIEdit.msc from the Windows 2003 Support Tools
2. Expand CN=Configuration\Services\Microsoft Exchange\Orgname\Administrative Groups\AdminGroupName\

3. Right-click "CN=Folder Hierarchies" and choose properties
4. Click Security, then the advanced tab
5. Ensure that inheritance is enabled
If it is
6. With CN=Folder Hierarchies highlighted, in the right pane, go to the properties of CN=Public Folders
7. Ensure inheritance is enabled here as well.

If there are permissions missing here, they will trickle down to the actual folders. Let's say for example, someone removed the "everyone" group that has a default of folder visible from here, you would have this problem.

If inheritance is enabled on both of these objects, then, as a test, add a user to the security tab of CN=Public Folders with "Read" rights and see if they can see all of the folders.

These two tests will tell us where to go next.

 

by: cuiincPosted on 2009-02-03 at 17:19:06ID: 23544155

OK, I can confirm that Properties > Security > Advanced > Allow inheritable permissions... IS ticked for both CN=Folder Hierarchies and CN=Public Folders.  I noticed that the Everyone group does not have read access, and under Advanced > Permissions > Edit... the Everyone group only contains permission to "create top level folder."  

Before changing that, however, I gave a test user full access to CN=Folder Hierarchies and CN=Public Folders.  The test user can NOT view the newly created Public Folders in Outlook.  This makes me leery of changing permissions to the larger groups.  Should I be worried?  

 

by: kevalaPosted on 2009-02-03 at 20:35:53ID: 23544997

The thing to consider with changing permissions in the information store is that the store.exe process can cache permissions for up to 2 hours. The only way to force the update quicker is to restart the mailbox store the user resides in, or the information store service itself.
If you can't do this, then wait a few hours or try again in the morning to make sure is definitely isn't working.
If it still doesn't work, then i'll try to find the permission to assign to mass folders, or the top level folder in the morning...

 

by: cuiincPosted on 2009-02-04 at 10:47:22ID: 23551767

Thanks kevala,
My test user is still unable to access newly created public folders, despite full permissions in adsiedit.  I am wondering, should i give the Everyone group Read permissions on CN=Folder Hierarchies and CN=Public Folders?  my only concern is that if this wasn't set up by default, i could be screwing something up, although that doesn't seem likely.  

 

by: kevalaPosted on 2009-02-04 at 11:13:19ID: 23552105

I just built a lab today, and have not touched anything... This is the default permissions for everyone on the CN=Public Folders object.

Do you at least show this?
(ATTACHED)

  • PFPERMS.jpg
    • 55 KB

    ScreenShot of everyone permission on CN=Public Folders

    ScreenShot of everyone permission on CN=Public Folders
 

by: cuiincPosted on 2009-02-04 at 11:38:28ID: 23552428

i can confirm that I show that, yes.  and--under Folder Hierarchies--i have found that user Everyone has inherited List and Read permissions as well.

 

by: kevalaPosted on 2009-02-04 at 11:45:14ID: 23552516

This is weird, the users should be able to see the PFs by default...
I wonder if someone set a deny on the PFs for everyone, or anonymous???

Run the following in the management shell:

get-publicfolderclientpermission  (hit enter)

Next you'll get the "Identity prompt", type in the name of a ROOT public folder that people cannot see. But type it in with this format:  \PFname
(Make sure to put the "\" before the name.
It will dump out the permissions for that folder.
What does it look like?
Try this on a few folders to see if there is a trend...

 

by: cuiincPosted on 2009-02-04 at 12:08:34ID: 23552840

It doesn't look too surprising... It looks like it reflects accurately what i've seen in Outlook permissions (via folder properties) and in Adsiedit.  The deeper into the parent folders i delve, I don't see higher level permissions propagating down.  I remember in Exchange 2003 I could manually propagate permissions.  This seems like it would be the solution; why has MS taken away this feature!?

 

by: kevalaPosted on 2009-02-04 at 12:12:08ID: 23552880

So, in this case, can users see the "Andrew" and "Customers" folders? But not the folders beneath the "Customers" folders? That is what i would expect to see based on what i'm seeing there...

I'm not sure why we took the propagate away... It was a big win to get the PF management console back with SP1...

 

by: cuiincPosted on 2009-02-04 at 12:34:13ID: 23553134

yes that's correct.

i concur, when sp1 came out and i had a console finally for public folders, i was excited.

 

by: cuiincPosted on 2009-02-05 at 10:38:12ID: 23562492

any other ideas on propagating permissions through the Shell?  in the meantime, half of my users can't see newly created public folders.  

 

by: kevalaPosted on 2009-02-06 at 02:30:07ID: 23568405

Sorry, didn't bail on ya, i was off today and going non-stop... started at 6am and  i've just now gotten a chance to turn my computer on (4:23am the following day)

OK... so, since the permissions look like the defaults on the main containers, the root folder, and it's sub folders, but not at the 4rd level, it doesn't sound like there is an actual problem, other than having to set the appropriate permissions on each of these folders.
I'm also assuming that based on the information provided, a new public folder created at the top level, and any of it's subfolders are visible by everyone.

I honestly have not had a chance to look into any propagation options with the management shell.
Just a 4 in the morning thought off the top of my head, i'm wondering if we could use PFDAVADMIN to modify these permissions in bulk?
I would download it and check it out.

http://www.microsoft.com/downloads/details.aspx?familyid=635be792-d8ad-49e3-ada4-e2422c0ab424&displaylang=en

"The tool checks the permissions status of each public and mailbox folder and corrects any problems found. The ability to bulk export/import the permissions and replica lists make this tool invaluable in achieving greater productivity in managing public folders"

Another option might be some powershell scripting (if we can't find a propagation option), but this could turn into a journey...

Let me know what you think of the pfdavadmin tool for now.
I don't go back to work til Sunday, so my resources and time are limited for now, but i'll keep monitoring.

 

by: kevalaPosted on 2009-02-06 at 02:32:35ID: 23568416

This looks like the avenue for modifying PFs in bulk if PFDAVADMIN doesn't do the trick:

http://technet.microsoft.com/en-us/library/aa997966.aspx

 

by: cuiincPosted on 2009-02-06 at 14:07:59ID: 23574748

ugh.  I just tried to use pfdavadmin.exe, which--from the description--looks great.  unfortunately, i get an error when trying to run it.  not sure what this error means...

per your 2nd suggestion, the scripts, it looks like the ReplaceUserPermissionOnPFRecursive.ps1 would be the one to try, no?

 

by: kevalaPosted on 2009-02-06 at 20:16:50ID: 23576493

Yeah, ReplaceUserPermissionOnPFRecursive.ps1 looks like the one. Again, i don't have access to my resources right now, but if i did i would be playing with that particular script, and a set of "pilot" folders..

 

by: cuiincPosted on 2009-02-09 at 16:32:13ID: 23596159

I tried running ReplaceUserPermissionOnPFRecursive.ps1 script with specified -TopPublic Folder, -User, and -Permission.  After finally getting the syntax right, I got a corruption error.  I thought it looked familiar, so I went back to my Public Folder Management Console, navigated to a random public folder, and noticed a very similar error:

Microsoft Exchange Warning
-----------------------------------------------------------------------------------------
Warnings

get-publicfolder
Completed

Warning:
Object \Andrew\Customers\M - R\M\MicroNova Technology  has been corrupted and it is in an inconsistent state. The following validation errors have occurred:

Warning:
The Name property contains leading or trailing whitespace, which must be removed.

Warning:
Object \Andrew\Customers\M - R\M\Miramar Designs Ltd.  has been corrupted and it is in an inconsistent state. The following validation errors have occurred:
----------------------------------------------------------------------------------------------------

Any ideas?  I get this error on almost all my public folders.  The folders and files were created normally, and can still be accessed successfully by their creator, just not by any other user.

 

by: kevalaPosted on 2009-02-11 at 10:43:47ID: 23614536

Sorry, not sure how i missed this update.

I have a question for ya... I've seen in the past also where "linked" mailboxes had problems accessing public folders.
If you go into the EMC, and check the Recipients container, do any of the mailboxes show as Linked Mailboxes?

-------------------------------------

On another note, i was able to reproduce your problem. I resolved it by removing the spaces from "A - F", and rerunning the command.
So, can you try this?  
- Go into the public folder management console
- Highlight the "customers" folder on the left side
- On the right-side, right-click "A - F" and choose properties
- Change the name to "A-F"
- Try again...

 

by: cuiincPosted on 2009-02-11 at 14:17:01ID: 23617105

i don't see any linked mailboxes in my Recipients containter in EMC; i see only Legacy and User mailboxes.

concerning the "trailing whitespace" issue, i think you correctly diagnosed the error.  if i delete spaces from public folder names, the error goes away.  this, however, would be a laborious solution, as we have thousands of public folders with names like "CUI Inc." (see attached pic of Outlook)

i deleted the space in \Andrew\Customers\A-F and re-ran ReplaceUserPermissionOnPFRecursive.ps1.  i received more trailing whitespace warnings for folders futher down the hierarchy (See attached pic). despite this, it looks like the permissions did NOT propagate down to folders that did NOT contain spaces in their title.  

i am able to successfully change permissions of these folders through Outlook so other users can successfully view them.  the problem seems purely a propagation issue.  i'm about ready to bite the bullet and spend $200 to call microsoft! :)

 

by: kevalaPosted on 2009-02-11 at 16:21:04ID: 23618108

I've also found that putting the path in quotes (as opposed to removing the spaces) works too. I'm just not sure that this would help the lower level folders...

Let me see what else i can find... If the quotes don't work then you'd almost have to write a script to remove the spaces!  There's got to be something better for this...

Researching...

(If you call MS let me know, i'll talk with the tech you get to try to help)

 

by: kevalaPosted on 2009-02-11 at 16:21:53ID: 23618115

Can you post the exact command you are running?? I haven't been able to see that in the screenshots...

 

by: kevalaPosted on 2009-02-11 at 16:26:00ID: 23618135

I think i found a way to remove all of the spaces:

get-publicfolder -identity "\" -Recurse -ResultSize Unlimited | Foreach { Set-publicfolder -Identity $_.Identity -Name $_.Name.Trim() }

Let me test this in my lab to see the affects...

 

by: kevalaPosted on 2009-02-11 at 16:27:00ID: 23618140

This is the command for a single folder (to remove the white spaces)

get-publicfolder -identity "\foldername" | Set-publicfolder -Identity $_.Identity -Name $_.Name.Trim()

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...