Solved

Public Folder Permissions not propogating to items

Posted on 2003-11-06
24
4,261 Views
Last Modified: 2007-12-19
Public Folder permissions you set in Outlook/Exchange are not propagating to the items within the folder.
Microsoft strongly recommend that you do NOT alter permissions via the M drive. However I cannot see any way around this issue.
I have tried the following article to default the permissions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;270905

Although this works quite happily at folder level it does not seem to propogate to the items

Is there a way to reset the permissions on the public folder items to inherit their permissions from the public folder?
0
Comment
Question by:Makr_Watson27
  • 13
  • 8
  • 2
  • +1
24 Comments
 

Expert Comment

by:foxp44
ID: 9693504
Exhcange System Manager

Goto the public folder you want to adjust permissions on

Properties

Permissions

Hold Ctrl while clicking Client Permissions

you should now be able to set permissions to public folders and propagate to child objects

Good luck
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9693573
Thanks for the reply, however I have been there already.

The Folder Rights have Names in but the permissions are blank as there are Additional Permissions present but not viewable.  Clicking Advanced takes me to the Access Control Settings for the folder which are correct.

In this case Everyone and myself have all rights except
 - Delete Child
 - Owner
 - Contact

When I open an existing item it is okay, however when a user opens an existing item it is marked as Read-Only

For informational purposes, we are running Exchange 2000 SP3, with Post SP3 Rollup Patch.
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9693729
Just to help out, I have been everywhere I can think of on the net.
The only directly relevant article on MS is an excerpt from

http://www.microsoft.com/technet/itcommunity/chats/trans/Exchange/exch0618.asp?frame=true

Where I quote:
----------------------------------------
Host: Jud (Microsoft)
Q: I have users who have edit permissions on a public contact folder, but there are some records they cannot edit. It says they don't have permission. How can I fix permissions at the record contact level?

A: Sounds like there are item level permissions on the contacts. You could try to move the contacts into a different folder and back, if that doesn't help I would recommend that you contact Microsoft PSS.
----------------------------------------

However I would rather not have to pay Microsoft £185 to get this solved when I am sure there is someone out there that has had this problem and resolved it themselves.

Thank-you in advance
0
 

Expert Comment

by:foxp44
ID: 9693791
are you running in mixed mode?
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9693883
I am currently running in mixed mode.  However I could reconfigure to Native mode, if needed.  Would this help?
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 9695335
Go to the "Public Folders", right click, properties. Click the advanced button. there should be a checkbox on that page to allow propagation. Is it checked? If so, try going to a specific folder in question, one that has subfolders, then right click, go to All tasks, Propogate settings. If this isn't working, turn up diagnostics logging on the public folders to see where the problem lies.

d
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 9695341
and again, DO NOT use the M: drive for this, you'll be sorry.....

D
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9695839
Thanks for the pointers

I have checked the properties of the Public Folders - Security - Advanced and the checkbox for 'Allow inheritable permissions from parent to propagate to this object' is checked.

I have turned the diagnostics up to maximum (Server - Properties - Diagnostics Logging - MSExchangeIS - Public Folder)

I moved my top level folders to a sub folder and ran the propagate settings for Administrative Rights and Folder Rights.
Checking the Event Logs I initally got a lot of 3093 Replication Errors, but Microsoft says these are normal (KB 225090), but no other errors.

Just to clarify, the permissions seem to be okay for any new items, but not existing items.  I have tried exporting and importing to/from PST, no joy.  Any other ideas?
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 9695856
Is your AV scanning the M: drive? It really sounds like something is hosed, because this is basic stuff. When you look at the permissions, are there any unresolved sIDs in the ACL?

D
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9696700
Again thanks for the prompt reply.
We have Sophos installed on the server in Server mode, it is not scanning the M drive.
The ACLs on the items are wrong, i.e. they are not inheriting from the parent.  But this is the point at which I have the problem.

As a different approach would creating a new public folder store and moving the data into it be a good test?

0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9704202
Just a follow up.
I have re-created the Public Folder Store as per article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;313184&Product=exch2k

I recreated the Public Folders and set the permissions prior to copying in the items.  This had the effect of giving the itemst he crorrect permissions, however if I then change the permissions on the folder the items do not get the permissions.

I feel like I have hit a big brick wall.  Having had the likes of Kidego not coming up with any answers I have no idea where to go next.

Is this really unsolveable???
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 9704388
After trying this on the public folder object, I couldn't make it happen at that level. Are the perms on the public folder store object set to propogate to child ojects as well? Mine is set that way by default.

D
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9706231
Sorry for the delay, different timezone.
Yes this is prooved by the fact that if I create a new item then it inherits the folders permissions.  

After recreating the Public Folder Store the permissions on all the items are what they should be, however if I change the permissions within System Manager or Outlook then the changes are applied to any new items but not to any existing items.

When looking at the items in M drive the permissions are set to inherit from the Parent, I only wished they did.

0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 9708306
hmmmm.. what are the NTFS perms on that partition? I don't understand what's happening with existing items not getting the changes...I'll keep checking though....

D
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9709495
Can't check the permissions on the M drive, or the domain in question as it says'
'Unable to display security information', but I belive this is normal.

When I change the permissions on the folder through System Manager or Outlook, they are not immediately visible in the ACLs on the folder, but I can speed the process up by dismounting and re-mounting the store.  However they must be there somewhere as when a new item is created it gets the correct permissions.

The ACLs do not agree between existing items and their parent, even though there are no explicitly defined permissions on the object and it is set to inherit.
There are no event log errors
0
 
LVL 24

Accepted Solution

by:
David Wilhoit earned 500 total points
ID: 9709909
the M: drive is virtual, wherever you installed the exchange databases is where the M: drive is located. Check it there. Has this database ever been restored before? Is this a different public folder tree? I found an article that describes exactly what's happening with your server:

http://support.microsoft.com/default.aspx?scid=kb;en-us;813109

D
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9710612
Permissions as follows:
Administrators, Full Control, This folder, subfolder and files
Authenticated Users, Read & Execute, This folder, subfolder and files
Creator Owner, Full Control, Subfolders and files only
Domain Admins, Full Control, This folder, subfolder and files
Server Operatores, Modify, This folder, subfolder and files
System, Full Control, This folder, subfolder and files

Database has not been restored to my knowledge.
This is the standard public folder tree

Its an interesting article, basically exactly my problem but they state only non-mapi trees affected, I wonder if this is strictly true?

Thanks for all your help so far D.
0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 9711297
that's why I'm wondering if something else has happened on this server. It is exactly your problem, and this is the only thing I've seen that refers to it. I wish I had something else to offer, but I'm out of ideas....with the exception of adding the everyone group to your NTFS perms, and granting full control. Everyone group really should have full control on NTFS anyway. Other than that, i'm out of ideas. If I see something else, I'll post back.

D
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9711380
D,

Thanks for all your help during this problem.  I will try the permission for Everyone although the permissions I have set are roughly as per MS Security Bulletin MS02-064
I may also bite the bullet and ring MS about it as it would be nice to know, although I dont think they will be of any more use than you have provided.
If no-one solves this within a week then the points are all yours.

Its been nice to converse with someone who knows.

Regards

Mark
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9720767
Just to let you know, we have defaulted the permissions, this does not solve the problem but was thought to be the only way forward at this point.  Easiest way to achieve is as follows:
Using Outlook
Copy the Public Folders/Items to a subfolder of your local mailbox
Delete the Public Folders, this step may not be needed
Re-create the Public Folders
Assign the permissions to the Public Folders, ideally using groups not individuals
Copy the Items from your local mailbox back to the relevant Public Folder

You can check the Folder Permissions by using System Manager, navigating to the Public Folder and holding CTRL down whilst ou click Client Permissions.
You can check the Item Permissions by using the M drive, they should be the same at this point.

0
 
LVL 24

Expert Comment

by:David Wilhoit
ID: 9722123
thanks for sticking with it, and just an FYI it's only about$245 an incident to call PSS. If they don't track down the problem and resolve, you get a refund, so don't sweat it. If they give you a viable solution, it's worth it.

D
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9726627
D,

I fairly certain know what has caused this...IIS Lockdown had been run on this server.  The only reason I mention this is that I came across another server with exactly the same issue today, I know that this server had had IIS Lockdown run on it recently.
Are you aware of any recommendations (Other than not running it) for IIS Lockdown on an E2k server?

Mark
0
 
LVL 7

Author Comment

by:Makr_Watson27
ID: 9726885
D,

As you have noticed I have posted this as a seperate issue, I would love to get the IIS Lockdown issue sorted.

Mark
0
 
LVL 10

Expert Comment

by:dstoker509
ID: 12546178
Came across this posting while looking into another problem, and I thought that I may be able to shed some light on your problem.  My experience is only with Exchange 5.5 and 2003, so this may not be exact for you, but it is worth a shot.

With Exchange 2003, when viewing the Public Folder permissions, if you hold Ctrl while clicking Client Permissions AND make a change the following applies (from MS' Exchange 2003 Admin Guide):

Caution: Although you can view the Windows 2000 version of the Public Folders tree permissions, do not try to edit the permissions in this view. The Windows user interface that displays the permissions formats the ACL in such a way that Exchange will no longer be able to convert the permissions to their MAPI form. If this problem occurs, you will no longer be able to use Outlook or the regular Exchange System Manager dialog boxes to edit the permissions.

In essance, this changes the public folder tree (at least in some way) to a non-MAPI tree which points back to Kidego's link (http://support.microsoft.com/default.aspx?scid=kb;en-us;813109)

Just my two cents...good luck with your problem.
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now