We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Public Folder Permissions, Create Top-Level

nromero
nromero asked
on
Medium Priority
1,225 Views
Last Modified: 2010-03-05
Exchange 2000 SP3
Windows 2000 SP3
Migrated from Exchange 5.5 via ADC and Move Mailbox.  Last Exchange 5.5 server was removed from the org 1 month ago.
Still running mixed mode.  the NT 4 domain where Exchange 5.5 service account is defined is still online.
Clients: Outlook 2000 primarily, and some 2002 and 2003.

I have found various articles describing how to prevent the creation of top-level folders.  They seem to cover two methods of setting this permission, 1) Using ADSI Edit, 2) a reg hack on the workstation that allows you to see Security tab at the organizational level in System Manager.  Last year I set permissions using ADSI Edit and it worked fine.  All other permissions have been managed using the Delegate Permissions wizard.  Recently, before I decommissioned the last Exchange 5.5 server, and continuing now, general users are able to create top-level public folders.

The current permissions as pertains to public folders are as follows.
  Authenticated Users: None
  Everyone: Create public folder; Create named properties in the information store
  There are administrative groups in the ACLs that have rights to create top-level public folders.  I have verified membership in these groups and have not found anything that includes non-admin users.

Does anybody have any ideas on how users are able to continue adding folders when it appears that the permissions would prohibit this?
Comment
Watch Question

Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

Author

Commented:
OK.  I checked perms and you're right.  The perm "deny" was not active.  I also found several MS KB articles saying that this gets reset anytime you add a new server.  (Gees)

I enabled the "deny" perm using System Manager, but it didn't make a difference.   General users are still able to create top-level folders.

I dug a little deeper using ADSIEDIT.  Looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)
  Create top level public folder: Allow (explicit), Deny (inherited)

Am I looking at the right object?  Is this worth looking into?  Shouldn't the inherited "deny" permission override the "allow" permission?

Author

Commented:
Using ADSIEDIT, looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)

Removed the explicit allow permissions and this fixed the problem.  Not sure how that was ever set.

So I understand that anytime a server is added to the org I need to reset these permissions.

Timiano, thanks for the input.

Nic
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.