nromero
asked on
Public Folder Permissions, Create Top-Level
Exchange 2000 SP3
Windows 2000 SP3
Migrated from Exchange 5.5 via ADC and Move Mailbox. Last Exchange 5.5 server was removed from the org 1 month ago.
Still running mixed mode. The NT 4 domain where the Exchange 5.5 service account is defined is still online.
Clients: Outlook 2000 primarily, and some 2002 and 2003.
I have found various articles describing how to prevent the creation of top-level folders. They seem to cover two methods of setting this permission: 1) using ADSI Edit, 2) a reg hack on the workstation that allows you to see the Security tab at the organizational level in System Manager. Last year I set permissions using ADSI Edit and it worked fine. All other permissions have been managed using the Delegate Permissions wizard. Recently, before I decommissioned the last Exchange 5.5 server, and continuing now, general users are able to create top-level public folders.
The current permissions as they pertain to public folders are as follows.
Authenticated Users: None
Everyone: Create public folder; Create named properties in the information store
There are administrative groups in the ACLs that have rights to create top-level public folders. I have verified membership in these groups and have not found anything that includes non-admin users.
Does anybody have any ideas on how users are able to continue adding folders when it appears that the permissions would prohibit this?
ASKER
Using ADSIEDIT, looking at "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:
Inherit permissions: enabled
Everyone:
Create Public Folder: Allow (explicit)
Removed the explicit allow permissions and this fixed the problem. Not sure how that was ever set.
So I understand that anytime a server is added to the org I need to reset these permissions.
Timiano, thanks for the input.
Nic
ASKER
I enabled the "deny" perm using System Manager, but it didn't make a difference. General users are still able to create top-level folders.
I dug a little deeper using ADSIEDIT. Looking at "Configuration \ Services \ Microsoft Exchange \ ETRADEGroupInc \ Administrative Groups \ UnitedStates \ Folder Hierarchies \ Public Folders" I see these perms:
Inherit permissions: enabled
Everyone:
Create Public Folder: Allow (explicit)
Create top level public folder: Allow (explicit), Deny (inherited)
Am I looking at the right object? Is this worth looking into? Shouldn't the inherited "deny" permission override the "allow" permission?
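
The inherited-deny versus explicit-allow question above comes down to ACE ordering: Windows walks a DACL in canonical order, with explicit ACEs ahead of inherited ones, so an explicit allow is reached before an inherited deny. The following is an added example, not part of the original thread: a simplified Python model of that check over a constructed DACL mirroring the ACEs listed in the post. The `Ace` class, the function names and the sample user token are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str        # "allow" or "deny"
    right: str
    inherited: bool

def canonical_order(aces):
    """Explicit ACEs before inherited ones; deny before allow inside each group."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, sids, right):
    """Walk the DACL in order; the first ACE matching caller and right decides."""
    for ace in canonical_order(aces):
        if ace.trustee in sids and ace.right == right:
            return ace.kind == "allow", ace
    return False, None   # no matching ACE: implicit deny

def overriding_allows(aces):
    """Explicit allows that shadow an inherited deny for the same trustee and right."""
    denies = {(a.trustee, a.right) for a in aces if a.inherited and a.kind == "deny"}
    return [a for a in aces
            if not a.inherited and a.kind == "allow" and (a.trustee, a.right) in denies]

TOP = "Create top level public folder"
# Constructed sample mirroring the ACEs listed in the post.
FOLDER_HIERARCHY_DACL = [
    Ace("Everyone", "deny", TOP, inherited=True),
    Ace("Everyone", "allow", TOP, inherited=False),
    Ace("Everyone", "allow", "Create public folder", inherited=False),
]
USER_SIDS = {"Everyone", "Authenticated Users"}  # hypothetical ordinary user token

def demo():
    # Before cleanup: the explicit allow is evaluated first and grants the right.
    before, decided_by = access_check(FOLDER_HIERARCHY_DACL, USER_SIDS, TOP)
    # After removing the shadowing explicit allow, the inherited deny takes effect.
    shadowing = overriding_allows(FOLDER_HIERARCHY_DACL)
    cleaned = [a for a in FOLDER_HIERARCHY_DACL if a not in shadowing]
    after, _ = access_check(cleaned, USER_SIDS, TOP)
    return before, decided_by.inherited, after

if __name__ == "__main__":
    print(demo())
```

`overriding_allows` is the audit half: run over an exported ACL, it lists the explicit grants that defeat an inherited deny, which is the condition worth re-checking after a server is added to the org.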