Public Folder Permissions, Create Top-Level

Posted on 2004-03-30
Last Modified: 2010-03-05
Exchange 2000 SP3
Windows 2000 SP3
Migrated from Exchange 5.5 via ADC and Move Mailbox.  Last Exchange 5.5 server was removed from the org 1 month ago.
Still running mixed mode.  The NT 4 domain where the Exchange 5.5 service account is defined is still online.
Clients: Outlook 2000 primarily, and some 2002 and 2003.

I have found various articles describing how to prevent the creation of top-level folders.  They seem to cover two methods of setting this permission, 1) Using ADSI Edit, 2) a reg hack on the workstation that allows you to see Security tab at the organizational level in System Manager.  Last year I set permissions using ADSI Edit and it worked fine.  All other permissions have been managed using the Delegate Permissions wizard.  Recently, before I decommissioned the last Exchange 5.5 server, and continuing now, general users are able to create top-level public folders.

The current permissions as pertains to public folders are as follows.
  Authenticated Users: None
  Everyone: Create public folder; Create named properties in the information store
  There are administrative groups in the ACLs that have rights to create top-level public folders.  I have verified membership in these groups and have not found anything that includes non-admin users.

Does anybody have any ideas on how users are able to continue adding folders when it appears that the permissions would prohibit this?
Question by:nromero
Accepted Solution

by:timiano (earned 125 total points)
ID: 10727547
Hmmm,

If you are sure that at the public folder security level in ESM that everyone does not have the Create top-level public folders enabled, then it is strange.  The only advice I can offer you, is that you check again, as I used to have an issue, that when you add a new Exchange server to the organisation, that little sucker of a tick box kept on creeping back in, and we had to take it out every time we added a new server.  Check again, and make sure it isn't there, cos it'll keep coming back as you add servers.

Timiano

Author Comment

by:nromero
ID: 10785502
OK.  I checked perms and you're right.  The perm "deny" was not active.  I also found several MS KB articles saying that this gets reset anytime you add a new server.  (Gees)

I enabled the "deny" perm using System Manager, but it didn't make a difference.   General users are still able to create top-level folders.

I dug a little deeper using ADSIEDIT.  Looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)
  Create top level public folder: Allow (explicit), Deny (inherited)

Am I looking at the right object?  Is this worth looking into?  Shouldn't the inherited "deny" permission override the "allow" permission?

Author Comment

by:nromero
ID: 10815835
Using ADSIEDIT, looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)

Removed the explicit allow permissions and this fixed the problem.  Not sure how that was ever set.

So I understand that anytime a server is added to the org I need to reset these permissions.

Timiano, thanks for the input.

Nic
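
Added example (not part of the thread above, and not Microsoft's code): a small Python model of Windows canonical DACL ordering, showing why the explicit Allow on the Public Folders hierarchy object won over the inherited Deny, plus an audit helper that flags that pattern. The ACE lists are constructed from the permissions quoted in the thread; the "after" state and the simplified single-right check are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str
    right: str
    kind: str         # "allow" or "deny"
    inherited: bool

def canonical_order(aces):
    """Windows canonical DACL order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, trustees, right):
    """Simplified single-right check: the first ACE in canonical order that
    matches one of the caller's trustees decides; no match means no access."""
    for ace in canonical_order(aces):
        if ace.right == right and ace.trustee in trustees:
            return ace.kind == "allow"
    return False

def shadowed_denies(aces):
    """Audit helper: inherited Deny ACEs defeated by an explicit Allow
    for the same trustee and right."""
    explicit_allow = {(a.trustee, a.right) for a in aces
                      if a.kind == "allow" and not a.inherited}
    return [a for a in aces if a.kind == "deny" and a.inherited
            and (a.trustee, a.right) in explicit_allow]

TOP = "Create top level public folder"
SUB = "Create public folder"

# Constructed from the ACEs quoted in the thread for the hierarchy object.
BEFORE = [
    Ace("Everyone", SUB, "allow", inherited=False),
    Ace("Everyone", TOP, "allow", inherited=False),
    Ace("Everyone", TOP, "deny", inherited=True),
]
# Assumed "after" state: the explicit Allow for TOP removed.
AFTER = [a for a in BEFORE if not (a.right == TOP and a.kind == "allow")]

if __name__ == "__main__":
    print("before:", access_check(BEFORE, {"Everyone"}, TOP))
    print("after: ", access_check(AFTER, {"Everyone"}, TOP))
    print("shadowed:", shadowed_denies(BEFORE))
```

Running `shadowed_denies` over an exported ACL after each new server joins the organisation is a quick way to catch the permission drifting back.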