Public Folder Permissions not propogating to items

Public Folder permissions you set in Outlook/Exchange are not propagating to the items within the folder.
Microsoft strongly recommend that you do NOT alter permissions via the M drive. However I cannot see any way around this issue.
I have tried the following article to default the permissions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;270905

Although this works quite happily at folder level it does not seem to propogate to the items

Is there a way to reset the permissions on the public folder items to inherit their permissions from the public folder?
LVL 7
Makr_Watson27Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

foxp44Commented:
Exhcange System Manager

Goto the public folder you want to adjust permissions on

Properties

Permissions

Hold Ctrl while clicking Client Permissions

you should now be able to set permissions to public folders and propagate to child objects

Good luck
Makr_Watson27Author Commented:
Thanks for the reply, however I have been there already.

The Folder Rights have Names in but the permissions are blank as there are Additional Permissions present but not viewable.  Clicking Advanced takes me to the Access Control Settings for the folder which are correct.

In this case Everyone and myself have all rights except
 - Delete Child
 - Owner
 - Contact

When I open an existing item it is okay, however when a user opens an existing item it is marked as Read-Only

For informational purposes, we are running Exchange 2000 SP3, with Post SP3 Rollup Patch.
Makr_Watson27Author Commented:
Just to help out, I have been everywhere I can think of on the net.
The only directly relevant article on MS is an excerpt from

http://www.microsoft.com/technet/itcommunity/chats/trans/Exchange/exch0618.asp?frame=true

Where I quote:
----------------------------------------
Host: Jud (Microsoft)
Q: I have users who have edit permissions on a public contact folder, but there are some records they cannot edit. It says they don't have permission. How can I fix permissions at the record contact level?

A: Sounds like there are item level permissions on the contacts. You could try to move the contacts into a different folder and back, if that doesn't help I would recommend that you contact Microsoft PSS.
----------------------------------------

However I would rather not have to pay Microsoft £185 to get this solved when I am sure there is someone out there that has had this problem and resolved it themselves.

Thank-you in advance
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

foxp44Commented:
are you running in mixed mode?
Makr_Watson27Author Commented:
I am currently running in mixed mode.  However I could reconfigure to Native mode, if needed.  Would this help?
David WilhoitSenior Consultant, ExchangeCommented:
Go to the "Public Folders", right click, properties. Click the advanced button. there should be a checkbox on that page to allow propagation. Is it checked? If so, try going to a specific folder in question, one that has subfolders, then right click, go to All tasks, Propogate settings. If this isn't working, turn up diagnostics logging on the public folders to see where the problem lies.

d
David WilhoitSenior Consultant, ExchangeCommented:
and again, DO NOT use the M: drive for this, you'll be sorry.....

D
Makr_Watson27Author Commented:
Thanks for the pointers

I have checked the properties of the Public Folders - Security - Advanced and the checkbox for 'Allow inheritable permissions from parent to propagate to this object' is checked.

I have turned the diagnostics up to maximum (Server - Properties - Diagnostics Logging - MSExchangeIS - Public Folder)

I moved my top level folders to a sub folder and ran the propagate settings for Administrative Rights and Folder Rights.
Checking the Event Logs I initally got a lot of 3093 Replication Errors, but Microsoft says these are normal (KB 225090), but no other errors.

Just to clarify, the permissions seem to be okay for any new items, but not existing items.  I have tried exporting and importing to/from PST, no joy.  Any other ideas?
David WilhoitSenior Consultant, ExchangeCommented:
Is your AV scanning the M: drive? It really sounds like something is hosed, because this is basic stuff. When you look at the permissions, are there any unresolved sIDs in the ACL?

D
Makr_Watson27Author Commented:
Again thanks for the prompt reply.
We have Sophos installed on the server in Server mode, it is not scanning the M drive.
The ACLs on the items are wrong, i.e. they are not inheriting from the parent.  But this is the point at which I have the problem.

As a different approach would creating a new public folder store and moving the data into it be a good test?

Makr_Watson27Author Commented:
Just a follow up.
I have re-created the Public Folder Store as per article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;313184&Product=exch2k

I recreated the Public Folders and set the permissions prior to copying in the items.  This had the effect of giving the itemst he crorrect permissions, however if I then change the permissions on the folder the items do not get the permissions.

I feel like I have hit a big brick wall.  Having had the likes of Kidego not coming up with any answers I have no idea where to go next.

Is this really unsolveable???
David WilhoitSenior Consultant, ExchangeCommented:
After trying this on the public folder object, I couldn't make it happen at that level. Are the perms on the public folder store object set to propogate to child ojects as well? Mine is set that way by default.

D
Makr_Watson27Author Commented:
Sorry for the delay, different timezone.
Yes this is prooved by the fact that if I create a new item then it inherits the folders permissions.  

After recreating the Public Folder Store the permissions on all the items are what they should be, however if I change the permissions within System Manager or Outlook then the changes are applied to any new items but not to any existing items.

When looking at the items in M drive the permissions are set to inherit from the Parent, I only wished they did.

David WilhoitSenior Consultant, ExchangeCommented:
hmmmm.. what are the NTFS perms on that partition? I don't understand what's happening with existing items not getting the changes...I'll keep checking though....

D
Makr_Watson27Author Commented:
Can't check the permissions on the M drive, or the domain in question as it says'
'Unable to display security information', but I belive this is normal.

When I change the permissions on the folder through System Manager or Outlook, they are not immediately visible in the ACLs on the folder, but I can speed the process up by dismounting and re-mounting the store.  However they must be there somewhere as when a new item is created it gets the correct permissions.

The ACLs do not agree between existing items and their parent, even though there are no explicitly defined permissions on the object and it is set to inherit.
There are no event log errors
David WilhoitSenior Consultant, ExchangeCommented:
the M: drive is virtual, wherever you installed the exchange databases is where the M: drive is located. Check it there. Has this database ever been restored before? Is this a different public folder tree? I found an article that describes exactly what's happening with your server:

http://support.microsoft.com/default.aspx?scid=kb;en-us;813109

D

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Makr_Watson27Author Commented:
Permissions as follows:
Administrators, Full Control, This folder, subfolder and files
Authenticated Users, Read & Execute, This folder, subfolder and files
Creator Owner, Full Control, Subfolders and files only
Domain Admins, Full Control, This folder, subfolder and files
Server Operatores, Modify, This folder, subfolder and files
System, Full Control, This folder, subfolder and files

Database has not been restored to my knowledge.
This is the standard public folder tree

Its an interesting article, basically exactly my problem but they state only non-mapi trees affected, I wonder if this is strictly true?

Thanks for all your help so far D.
David WilhoitSenior Consultant, ExchangeCommented:
that's why I'm wondering if something else has happened on this server. It is exactly your problem, and this is the only thing I've seen that refers to it. I wish I had something else to offer, but I'm out of ideas....with the exception of adding the everyone group to your NTFS perms, and granting full control. Everyone group really should have full control on NTFS anyway. Other than that, i'm out of ideas. If I see something else, I'll post back.

D
Makr_Watson27Author Commented:
D,

Thanks for all your help during this problem.  I will try the permission for Everyone although the permissions I have set are roughly as per MS Security Bulletin MS02-064
I may also bite the bullet and ring MS about it as it would be nice to know, although I dont think they will be of any more use than you have provided.
If no-one solves this within a week then the points are all yours.

Its been nice to converse with someone who knows.

Regards

Mark
Makr_Watson27Author Commented:
Just to let you know, we have defaulted the permissions, this does not solve the problem but was thought to be the only way forward at this point.  Easiest way to achieve is as follows:
Using Outlook
Copy the Public Folders/Items to a subfolder of your local mailbox
Delete the Public Folders, this step may not be needed
Re-create the Public Folders
Assign the permissions to the Public Folders, ideally using groups not individuals
Copy the Items from your local mailbox back to the relevant Public Folder

You can check the Folder Permissions by using System Manager, navigating to the Public Folder and holding CTRL down whilst ou click Client Permissions.
You can check the Item Permissions by using the M drive, they should be the same at this point.

David WilhoitSenior Consultant, ExchangeCommented:
thanks for sticking with it, and just an FYI it's only about$245 an incident to call PSS. If they don't track down the problem and resolve, you get a refund, so don't sweat it. If they give you a viable solution, it's worth it.

D
Makr_Watson27Author Commented:
D,

I fairly certain know what has caused this...IIS Lockdown had been run on this server.  The only reason I mention this is that I came across another server with exactly the same issue today, I know that this server had had IIS Lockdown run on it recently.
Are you aware of any recommendations (Other than not running it) for IIS Lockdown on an E2k server?

Mark
Makr_Watson27Author Commented:
D,

As you have noticed I have posted this as a seperate issue, I would love to get the IIS Lockdown issue sorted.

Mark
dstoker509Commented:
Came across this posting while looking into another problem, and I thought that I may be able to shed some light on your problem.  My experience is only with Exchange 5.5 and 2003, so this may not be exact for you, but it is worth a shot.

With Exchange 2003, when viewing the Public Folder permissions, if you hold Ctrl while clicking Client Permissions AND make a change the following applies (from MS' Exchange 2003 Admin Guide):

Caution: Although you can view the Windows 2000 version of the Public Folders tree permissions, do not try to edit the permissions in this view. The Windows user interface that displays the permissions formats the ACL in such a way that Exchange will no longer be able to convert the permissions to their MAPI form. If this problem occurs, you will no longer be able to use Outlook or the regular Exchange System Manager dialog boxes to edit the permissions.

In essance, this changes the public folder tree (at least in some way) to a non-MAPI tree which points back to Kidego's link (http://support.microsoft.com/default.aspx?scid=kb;en-us;813109)

Just my two cents...good luck with your problem.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.