Makr_Watson27

Public Folder Permissions not propagating to items

Public Folder permissions you set in Outlook/Exchange are not propagating to the items within the folder.
Microsoft strongly recommend that you do NOT alter permissions via the M drive. However I cannot see any way around this issue.
I have tried the following article to default the permissions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;270905

Although this works quite happily at folder level it does not seem to propagate to the items.

Is there a way to reset the permissions on the public folder items to inherit their permissions from the public folder?
foxp44

Exchange System Manager

Go to the public folder you want to adjust permissions on

Properties

Permissions

Hold Ctrl while clicking Client Permissions

You should now be able to set permissions to public folders and propagate to child objects

Good luck
Makr_Watson27

ASKER

Thanks for the reply, however I have been there already.

The Folder Rights have Names in but the permissions are blank as there are Additional Permissions present but not viewable.  Clicking Advanced takes me to the Access Control Settings for the folder which are correct.

In this case Everyone and myself have all rights except
 - Delete Child
 - Owner
 - Contact

When I open an existing item it is okay, however when a user opens an existing item it is marked as Read-Only

For informational purposes, we are running Exchange 2000 SP3, with Post SP3 Rollup Patch.
Just to help out, I have been everywhere I can think of on the net.
The only directly relevant article on MS is an excerpt from

http://www.microsoft.com/technet/itcommunity/chats/trans/Exchange/exch0618.asp?frame=true

Where I quote:
----------------------------------------
Host: Jud (Microsoft)
Q: I have users who have edit permissions on a public contact folder, but there are some records they cannot edit. It says they don't have permission. How can I fix permissions at the record contact level?

A: Sounds like there are item level permissions on the contacts. You could try to move the contacts into a different folder and back, if that doesn't help I would recommend that you contact Microsoft PSS.
----------------------------------------

However I would rather not have to pay Microsoft £185 to get this solved when I am sure there is someone out there that has had this problem and resolved it themselves.

Thank you in advance
are you running in mixed mode?
I am currently running in mixed mode.  However I could reconfigure to Native mode, if needed.  Would this help?
Go to the "Public Folders", right click, properties. Click the advanced button. There should be a checkbox on that page to allow propagation. Is it checked? If so, try going to a specific folder in question, one that has subfolders, then right click, go to All tasks, Propagate settings. If this isn't working, turn up diagnostics logging on the public folders to see where the problem lies.

d
and again, DO NOT use the M: drive for this, you'll be sorry.....

D
Thanks for the pointers

I have checked the properties of the Public Folders - Security - Advanced and the checkbox for 'Allow inheritable permissions from parent to propagate to this object' is checked.

I have turned the diagnostics up to maximum (Server - Properties - Diagnostics Logging - MSExchangeIS - Public Folder)

I moved my top level folders to a sub folder and ran the propagate settings for Administrative Rights and Folder Rights.
Checking the Event Logs I initially got a lot of 3093 Replication Errors, but Microsoft says these are normal (KB 225090), but no other errors.

Just to clarify, the permissions seem to be okay for any new items, but not existing items.  I have tried exporting and importing to/from PST, no joy.  Any other ideas?
Is your AV scanning the M: drive? It really sounds like something is hosed, because this is basic stuff. When you look at the permissions, are there any unresolved sIDs in the ACL?

D
Again thanks for the prompt reply.
We have Sophos installed on the server in Server mode, it is not scanning the M drive.
The ACLs on the items are wrong, i.e. they are not inheriting from the parent.  But this is the point at which I have the problem.

As a different approach would creating a new public folder store and moving the data into it be a good test?

Just a follow up.
I have re-created the Public Folder Store as per article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;313184&Product=exch2k

I recreated the Public Folders and set the permissions prior to copying in the items.  This had the effect of giving the items the correct permissions, however if I then change the permissions on the folder the items do not get the permissions.

I feel like I have hit a big brick wall.  Having had the likes of Kidego not coming up with any answers I have no idea where to go next.

Is this really unsolvable???
After trying this on the public folder object, I couldn't make it happen at that level. Are the perms on the public folder store object set to propagate to child objects as well? Mine is set that way by default.

D
Sorry for the delay, different timezone.
Yes, this is proved by the fact that if I create a new item then it inherits the folder's permissions.

After recreating the Public Folder Store the permissions on all the items are what they should be, however if I change the permissions within System Manager or Outlook then the changes are applied to any new items but not to any existing items.

When looking at the items in M drive the permissions are set to inherit from the Parent, I only wished they did.

hmmmm.. what are the NTFS perms on that partition? I don't understand what's happening with existing items not getting the changes...I'll keep checking though....

D
Can't check the permissions on the M drive, or the domain in question, as it says 'Unable to display security information', but I believe this is normal.

When I change the permissions on the folder through System Manager or Outlook, they are not immediately visible in the ACLs on the folder, but I can speed the process up by dismounting and re-mounting the store.  However they must be there somewhere as when a new item is created it gets the correct permissions.

The ACLs do not agree between existing items and their parent, even though there are no explicitly defined permissions on the object and it is set to inherit.
There are no event log errors
ASKER CERTIFIED SOLUTION
David Wilhoit
This solution is only available to members.
Permissions as follows:
Administrators, Full Control, This folder, subfolder and files
Authenticated Users, Read & Execute, This folder, subfolder and files
Creator Owner, Full Control, Subfolders and files only
Domain Admins, Full Control, This folder, subfolder and files
Server Operators, Modify, This folder, subfolder and files
System, Full Control, This folder, subfolder and files

Database has not been restored to my knowledge.
This is the standard public folder tree

It's an interesting article, basically exactly my problem, but they state only non-MAPI trees are affected. I wonder if this is strictly true?

Thanks for all your help so far D.
That's why I'm wondering if something else has happened on this server. It is exactly your problem, and this is the only thing I've seen that refers to it. I wish I had something else to offer, but I'm out of ideas....with the exception of adding the everyone group to your NTFS perms, and granting full control. Everyone group really should have full control on NTFS anyway. Other than that, I'm out of ideas. If I see something else, I'll post back.

D
D,

Thanks for all your help during this problem.  I will try the permission for Everyone although the permissions I have set are roughly as per MS Security Bulletin MS02-064
I may also bite the bullet and ring MS about it as it would be nice to know, although I don't think they will be of any more use than you have provided.
If no-one solves this within a week then the points are all yours.

It's been nice to converse with someone who knows.

Regards

Mark
Just to let you know, we have defaulted the permissions, this does not solve the problem but was thought to be the only way forward at this point.  Easiest way to achieve is as follows:

Using Outlook:
 - Copy the Public Folders/Items to a subfolder of your local mailbox
 - Delete the Public Folders, this step may not be needed
 - Re-create the Public Folders
 - Assign the permissions to the Public Folders, ideally using groups not individuals
 - Copy the Items from your local mailbox back to the relevant Public Folder

You can check the Folder Permissions by using System Manager, navigating to the Public Folder and holding CTRL down whilst you click Client Permissions.
You can check the Item Permissions by using the M drive, they should be the same at this point.

Thanks for sticking with it, and just an FYI it's only about $245 an incident to call PSS. If they don't track down the problem and resolve, you get a refund, so don't sweat it. If they give you a viable solution, it's worth it.

D
D,

I am fairly certain I know what has caused this...IIS Lockdown had been run on this server.  The only reason I mention this is that I came across another server with exactly the same issue today, I know that this server had had IIS Lockdown run on it recently.
Are you aware of any recommendations (Other than not running it) for IIS Lockdown on an E2k server?

Mark
D,

As you have noticed I have posted this as a separate issue, I would love to get the IIS Lockdown issue sorted.

Mark
Came across this posting while looking into another problem, and I thought that I may be able to shed some light on your problem.  My experience is only with Exchange 5.5 and 2003, so this may not be exact for you, but it is worth a shot.

With Exchange 2003, when viewing the Public Folder permissions, if you hold Ctrl while clicking Client Permissions AND make a change the following applies (from MS' Exchange 2003 Admin Guide):

Caution: Although you can view the Windows 2000 version of the Public Folders tree permissions, do not try to edit the permissions in this view. The Windows user interface that displays the permissions formats the ACL in such a way that Exchange will no longer be able to convert the permissions to their MAPI form. If this problem occurs, you will no longer be able to use Outlook or the regular Exchange System Manager dialog boxes to edit the permissions.

In essence, this changes the public folder tree (at least in some way) to a non-MAPI tree which points back to Kidego's link (http://support.microsoft.com/default.aspx?scid=kb;en-us;813109)

Just my two cents...good luck with your problem.