Public Folder Permissions, Create Top-Level

Exchange 2000 SP3
Windows 2000 SP3
Migrated from Exchange 5.5 via ADC and Move Mailbox.  Last Exchange 5.5 server was removed from the org 1 month ago.
Still running mixed mode.  The NT 4 domain where the Exchange 5.5 service account is defined is still online.
Clients: Outlook 2000 primarily, and some 2002 and 2003.

I have found various articles describing how to prevent the creation of top-level folders.  They seem to cover two methods of setting this permission: 1) using ADSI Edit, 2) a reg hack on the workstation that allows you to see the Security tab at the organizational level in System Manager.  Last year I set permissions using ADSI Edit and it worked fine.  All other permissions have been managed using the Delegate Permissions wizard.  Recently, before I decommissioned the last Exchange 5.5 server, and continuing now, general users are able to create top-level public folders.

The current permissions as pertains to public folders are as follows.
  Authenticated Users: None
  Everyone: Create public folder; Create named properties in the information store
  There are administrative groups in the ACLs that have rights to create top-level public folders.  I have verified membership in these groups and have not found anything that includes non-admin users.

Does anybody have any ideas on how users are able to continue adding folders when it appears that the permissions would prohibit this?
Asked by: nromero

timiano commented:
Hmmm,

If you are sure that at the public folder security level in ESM that everyone does not have the Create top-level public folders enabled, then it is strange.  The only advice I can offer you is that you check again, as I used to have an issue that when you add a new Exchange server to the organisation, that little sucker of a tick box kept on creeping back in, and we had to take it out every time we added a new server.  Check again, and make sure it isn't there, cos it'll keep coming back as you add servers.

Timiano

nromero (author) commented:
OK.  I checked perms and you're right.  The perm "deny" was not active.  I also found several MS KB articles saying that this gets reset anytime you add a new server.  (Gees)

I enabled the "deny" perm using System Manager, but it didn't make a difference.   General users are still able to create top-level folders.

I dug a little deeper using ADSIEDIT.  Looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)
  Create top level public folder: Allow (explicit), Deny (inherited)

Am I looking at the right object?  Is this worth looking into?  Shouldn't the inherited "deny" permission override the "allow" permission?

nromero (author) commented:
Using ADSIEDIT, looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)

Removed the explicit allow permissions and this fixed the problem.  Not sure how that was ever set.

So I understand that anytime a server is added to the org I need to reset these permissions.

Timiano, thanks for the input.

Nic
Question has a verified solution.
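
Why the inherited "deny" did not win in this thread, as an added example that is not part of the original posts: a simplified Python model of how a Windows DACL is evaluated, assuming the ACL is stored in canonical order (explicit ACEs ahead of inherited ones, Deny ahead of Allow within each group). The `Ace` class, the helper names and the sample ACLs are constructed for illustration from the permissions quoted above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str      # group or user the ACE applies to
    right: str        # permission name as shown in ADSI Edit
    allow: bool       # True = Allow ACE, False = Deny ACE
    inherited: bool   # True if the ACE came from a parent object

def canonical_order(aces):
    """Explicit ACEs before inherited ones; within each group, Deny before Allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def access_check(aces, groups, right):
    """Walk the DACL in order; the first matching ACE for the right decides."""
    for ace in canonical_order(aces):
        if ace.trustee in groups and ace.right == right:
            return ace.allow
    return False  # no matching ACE: access is implicitly denied

def overridden_denies(aces):
    """Inherited Deny ACEs defeated by an explicit Allow for the same trustee and right."""
    explicit_allows = {(a.trustee, a.right) for a in aces if a.allow and not a.inherited}
    return [a for a in aces
            if a.inherited and not a.allow and (a.trustee, a.right) in explicit_allows]

TOP = "Create top level public folder"
# Constructed sample: the ACL reported in the thread on the "Public Folders" object.
BEFORE = [
    Ace("Everyone", "Create Public Folder", True, False),
    Ace("Everyone", TOP, True, False),   # explicit Allow
    Ace("Everyone", TOP, False, True),   # inherited Deny
]
# Assumed state after the fix: explicit Allow on the top-level right removed.
AFTER = [a for a in BEFORE if not (a.right == TOP and a.allow and not a.inherited)]

if __name__ == "__main__":
    user_groups = {"Everyone", "Authenticated Users"}
    print("before fix, user may create top-level folder:",
          access_check(BEFORE, user_groups, TOP))
    print("after fix, user may create top-level folder: ",
          access_check(AFTER, user_groups, TOP))
    for ace in overridden_denies(BEFORE):
        print("inherited Deny defeated by explicit Allow:", ace.trustee, "/", ace.right)
```

Running `overridden_denies` over an exported ACL after each server addition flags the case described in the thread, where the explicit Allow reappears and silently outranks the inherited Deny.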