Solved

Public Folder Permissions, Create Top-Level

Posted on 2004-03-30
Last Modified: 2010-03-05
Exchange 2000 SP3
Windows 2000 SP3
Migrated from Exchange 5.5 via ADC and Move Mailbox.  Last Exchange 5.5 server was removed from the org 1 month ago.
Still running mixed mode.  The NT 4 domain where the Exchange 5.5 service account is defined is still online.
Clients: Outlook 2000 primarily, and some 2002 and 2003.

I have found various articles describing how to prevent the creation of top-level folders.  They seem to cover two methods of setting this permission: 1) using ADSI Edit, 2) a reg hack on the workstation that allows you to see the Security tab at the organizational level in System Manager.  Last year I set permissions using ADSI Edit and it worked fine.  All other permissions have been managed using the Delegate Permissions wizard.  Recently, before I decommissioned the last Exchange 5.5 server, and continuing now, general users are able to create top-level public folders.

The current permissions as pertains to public folders are as follows.
  Authenticated Users: None
  Everyone: Create public folder; Create named properties in the information store
  There are administrative groups in the ACLs that have rights to create top-level public folders.  I have verified membership in these groups and have not found anything that includes non-admin users.

Does anybody have any ideas on how users are able to continue adding folders when it appears that the permissions would prohibit this?
Question by:nromero
3 Comments
 

Accepted Solution

by:
timiano earned 125 total points
ID: 10727547
Hmmm,

If you are sure that at the public folder security level in ESM Everyone does not have the Create top-level public folders permission enabled, then it is strange.  The only advice I can offer you is that you check again, as I used to have an issue where, when you add a new Exchange server to the organisation, that little sucker of a tick box kept on creeping back in, and we had to take it out every time we added a new server.  Check again, and make sure it isn't there, cos it'll keep coming back as you add servers.

Timiano

Author Comment

by:nromero
ID: 10785502
OK.  I checked perms and you're right.  The perm "deny" was not active.  I also found several MS KB articles saying that this gets reset anytime you add a new server.  (Gees)

I enabled the "deny" perm using System Manager, but it didn't make a difference.   General users are still able to create top-level folders.

I dug a little deeper using ADSIEDIT.  Looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)
  Create top level public folder: Allow (explicit), Deny (inherited)

Am I looking at the right object?  Is this worth looking into?  Shouldn't the inherited "deny" permission override the "allow" permission?

Author Comment

by:nromero
ID: 10815835
Using ADSIEDIT, looking at  "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:

Inherit permissions: enabled
Everyone:
  Create Public Folder: Allow (explicit)

Removed the explicit allow permissions and this fixed the problem.  Not sure how that was ever set.

So I understand that anytime a server is added to the org I need to reset these permissions.

Timiano, thanks for the input.

Nic
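
The result in this thread follows from how Windows evaluates a DACL: ACEs are processed in order, and canonical order places explicit ACEs ahead of inherited ones, so an explicit Allow is reached before an inherited Deny. The following is an added example, not part of the original posts, that models that evaluation with the ACEs reported above; the bit values and the audit helper `explicit_allows_shadowing_deny` are illustrative assumptions, not real access-mask values or Exchange tooling.

```python
from typing import NamedTuple

# Illustrative bit flags standing in for the two rights named in the thread;
# they are labels for this model, not real access-mask values.
CREATE_PUBLIC_FOLDER = 0x1
CREATE_TOP_LEVEL_PUBLIC_FOLDER = 0x2

class Ace(NamedTuple):
    trustee: str
    kind: str        # "allow" or "deny"
    mask: int
    inherited: bool

def canonical_order(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token_groups, desired):
    """Walk ACEs in order; the first ACE to decide a requested bit wins."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # no ACE granted the remaining bits: implicit deny

def explicit_allows_shadowing_deny(dacl):
    """Audit helper: explicit Allow ACEs that pre-empt an inherited Deny."""
    denies = [a for a in dacl if a.inherited and a.kind == "deny"]
    return [a for a in dacl
            if not a.inherited and a.kind == "allow"
            and any(d.trustee == a.trustee and d.mask & a.mask for d in denies)]

# Constructed from the ACEs listed in comment ID 10785502.
BEFORE = [
    Ace("Everyone", "deny", CREATE_TOP_LEVEL_PUBLIC_FOLDER, inherited=True),
    Ace("Everyone", "allow", CREATE_PUBLIC_FOLDER, inherited=False),
    Ace("Everyone", "allow", CREATE_TOP_LEVEL_PUBLIC_FOLDER, inherited=False),
]
AFTER = [a for a in BEFORE if a.inherited]  # explicit allows removed (the fix)
USER = {"Everyone", "Authenticated Users"}  # a general user's group set

if __name__ == "__main__":
    for name, dacl in (("before", BEFORE), ("after", AFTER)):
        ok = access_check(dacl, USER, CREATE_TOP_LEVEL_PUBLIC_FOLDER)
        print(name, "top-level create allowed:", ok)
        print("  shadowing ACEs:", explicit_allows_shadowing_deny(dacl))
```

Because the permission is reported to reset when a server is added to the organisation, a check like the audit helper is worth re-running against the hierarchy object's ACL after each server addition.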