How to propagate a folder's permissions for delegates to all subfolders, including future new subfolders

Posted on 2005-05-10
Last Modified: 2011-10-03
I have assigned permissions on a user's Inbox folder so that another user has access to it with editor rights, and this works fine. The problem is that when the mailbox owner creates a new subfolder under his Inbox, the delegated user does not see it. The owner has to manually assign rights for each such new folder. Is there a way to configure Exchange / Outlook to assign permissions for a folder and all its sub-folders in one operation, including also any future subfolder that could be created by the owner?

Environment: Exchange 2003 server with Outlook 2003 clients.


Question by:ndidomenico
    LVL 12

    Expert Comment


    Did you try assigning the permissions at the (root) or inbox level ... the folder permissions should propagate downward. When you set the delegates, you only have the option to choose access to the default folders.

    Try setting the permissions by right clicking the inbox and go to the permissions tab.
    LVL 2

    Accepted Solution

    Be sure to read the article and understand the time needed for the rights to propagate to the IS (2 hours).
    Here is how to give a user global access to an email box:
    1- Select the Exchange Advanced tab
    2- Select Mailbox rights
    3- If SELF is not present add SELF to the ACL and give it: Read, Full (if warranted) and Associated external account. If you don't want Full you will need to tweak the settings, but the mailbox is going to be disabled so there is really no reason not to give full access.
    4- Add the user who needs access to the account and give that person: Read and Full only.
    5- Select OK and close.
    6- (Optional) Use Replication Monitor to force and verify the replication to all DC's, or wait for system specified replication.
    7- Either create a profile in Outlook to open the about to be disabled user's mailbox, or add the mailbox to the other user's list of additional mailboxes to open.
    8- Verify that you can open the mailbox and navigate through all items.
    LVL 12

    Expert Comment


    Jabolfan - Maybe I'm missing something here but I'm unsure why you listed the resolution above -

    You shouldn't add the SELF account to an account that is enabled ... You should use the SELF account if you wanted to have the mail-enabled account still receive email while the actual account is disabled - Microsoft recommends you remove this right if an account is enabled.

    When a Windows account is disabled, it is important to note that the msExchMasterAccountSid attribute must be set and if it isn't, one of the issues that occurs is the generation of a non-delivery report. The easiest way to avoid these non-delivery reports is to add the SELF account to the mailbox rights of the disabled user account and set the SELF account with the Read, Full Mailbox Access and Associated External Account rights.

    You should note that only one account can have the Associated External Account right. Also, it is important to remove this right if you re-enable the account because no enabled account should have this right listed.

    He was simply stating that he was trying to set subfolder level delegates, which can be resolved from the root, inbox, or subfolder level permissions tab.

    LVL 2

    Expert Comment

    Thanks for the clarifications, I had multiple windows open and copied and pasted into the wrong window.
    You are correct.
    I agree that the delegating is the best way to approach this. But if a user creates a subfolder off the root you will need to assign rights directly on that object. If given the rights at the ADUC mailbox level, the additional user can have full access regardless of the placement of the folder.
