Solved

Public Folder Permissions, Create Top-Level

Posted on 2004-03-30
3
1,159 Views
Last Modified: 2010-03-05
Exchange 2000 SP3
Windows 2000 SP3
Migrated from Exchange 5.5 via ADC and Move Mailbox.  Last Exchange 5.5 server was removed from the org 1 month ago.
Still running mixed mode.  the NT 4 domain where Exchange 5.5 service account is defined is still online.
Clients: Outlook 2000 primarily, and some 2002 and 2003.

I have found various articles describing how to prevent the creation of top-level folders.  They seem to cover two methods of setting this permission, 1) Using ADSI Edit, 2) a reg hack on the workstation that allows you to see Security tab at the organizational level in System Manager.  Last year I set permissions using ADSI Edit and it worked fine.  All other permissions have been managed using the Delegate Permissions wizard.  Recently, before I decommissioned the last Exchange 5.5 server, and continuing now, general users are able to create top-level public folders.

The current permissions as pertains to public folders are as follows.
  Authenticated Users: None
  Everyone: Create public folder; Create named properties in the information store
  There are administrative groups in the ACLs that have rights to create top-level public folders.  I have verified membership in these groups and have not found anything that includes non-admin users.

Does anybody have any ideas on how users are able to continue adding folders when it appears that the permissions would prohibit this?
0
Comment
Question by:nromero
  • 2
3 Comments
 
LVL 2

Accepted Solution

by:
timiano earned 125 total points
ID: 10727547
Hmmm,

If you are sure that at the public folder security level in ESM that everyone does not have the Create top-level public folders enabled, then it is strange.  The only advice I can offer you, is that you check again, as I used to have an issue, that when you add a new Exchange server to the organisation, that little sucker of a tick box kept on creeping back in, and we had to take it out everytime we added a new server.  Check again, and make sure it isn't there, cos it'll keep coming back as you add servers.

Timiano
0
 

Author Comment

by:nromero
ID: 10785502
OK.  I checked perms and you're right.  The perm "deny" was not active.  I also found several MS KB articles saying that this gets reset anytime you add a new server.  (Gees)

I enabled the "deny" perm using System Manager, but it didn't make a difference.   General users are still able to create top-level folders.

I dug a little deeper using ADSIEDIT.  Looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)
  Create top level public folder: Allow (explicit), Deny (inherited)

Am I looking at the right object?  Is this worth looking into?  Shouldn't the inherited "deny" permission override the "allow" permission?
0
 

Author Comment

by:nromero
ID: 10815835
Using ADSIEDIT, looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)

Removed the explicit allow permissions and this fixed the problem.  Not sure how that was ever set.

So I understand that anytime a server is added to the org I need to reset these permissions.

Timiano, thanks for the input.

Nic
0

Featured Post

Shouldn't all users have the same email signature?

You wouldn't let your users design their own business cards, would you? So, why do you let them design their own email signatures? Think of the damage they could be doing to your brand reputation! Choose the easy way to manage set up and add email signatures for all users.

Join & Write a Comment

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now