Can't view properties of Public Folders in ESM - permission issue?

Hi.

I unfortunately mucked about with the security of Exchange a few weeks ago and basically removed the Everyone group.  I have managed to fix it all by using DSACLS so everyone can access their own mailboxes, not see other mailboxes and I can see the Mailbox Store and Public Folder Store ok in ESM.

I can also see the Public Folders themselves in Public Folder Store but I can't view any of their properties - when I try to I get the error message:

Exchange System Manager
There is no such object on the server.

Facility: LDAP Provider
ID no: 80072030
Exchange System Manager

This doesn't affect users who can view and edit PFs and also create new ones, as well as change permissions on the folder.  But I need to access the properties to mail enable a couple of folders.

Server is SBS2003 Premium R1 with SP2.

Thanks in advance, Brad.
bflack Asked:
 
consultkhan Commented:
Thanks for the update. DO NOT delete anything. I believe that you see two cn=public folder instances, which is why there is trouble. The public folder without any values seems to be the correct public folder. Just right click there and add the msExchOwningPFTree attribute. I believe it should work. If not, post the snapshot.

thanks.
0
 
consultkhan Commented:
Hi,

In the ESM, right click on the root and select delegate permissions, then add your account to the exchange full administrators group (you need domain admin privileges if you do not have them on your account).
In the ESM go down to PUBLIC FOLDERS, right click and select properties. Open the security tab, add your account in the permissions group and give full control. MAKE SURE the allow inheritable permissions check box is selected at the bottom.

Post any errors you get.
thanks.
0
 
bflack (Author) Commented:
When you say root, do you mean the very top level of ESM, where it has a globe with an envelope next to it and is called DOMAIN (Exchange)?

If so, it's not in the Properties.  There is however an option to Delegate Control on the right-click but my user (administrator) is already in there so I can't go any further.

My administrator account already has all privileges to all groups and was already added to Public Folders.

Any other ideas?
0
 
consultkhan Commented:
All right. Can you post the error snapshot?

Let me see.

thanks.
0
 
bflack (Author) Commented:
Screenshot attached (have erased name of domain/server) but it's all there on server...
esm.JPG
0
 
consultkhan Commented:
OK, add replicas to the public folder instances. Right click on the public folder instances, add a new replica and add your backend server with public folder store to this replica (you can see the replica in the replication tab).

I hope this will resolve the issue.

Post errors if any.

thanks.
consultkhan
0
 
bflack (Author) Commented:
Error when I try to do this, see attached screenshot - couldn't expand Public Folders and when I choose Change Server... only the one server comes up (SBS) and I get the same error.
esm2.JPG
0
 
consultkhan Commented:
Thanks for the update. This is getting interesting.

Do the following:
1. In exchange ESM expand your administrative group and select your server, right click the server and verify that the machine account with a dollar sign like COMPUTER$ is listed with full control permissions; if not, add it manually.
2. Using OUTLOOK client from your computer verify that your account can create new public folders under the same hierarchy.
3. From adsiedit.msc console (support tools utility) browse configuration, Services, Microsoft Exchange, organisation container, administrative group and servers, then select your server and right click. Add your account to full admin permissions manually. Also verify here that the MACHINE$ account is listed and has full permissions. Also verify that SYSTEM group is listed in the security tab with full permissions.
4. NOTHING WORKS? Add everyone group and give full admin permission on the public folder root.

Update me.
thanks.
0
 
bflack (Author) Commented:
Hi.

1) Already in there.
2) Yep, works fine, worked fine before.
3) Already there, added System though.
4) Everyone group already had Full Control

0
 
consultkhan Commented:
OK. Do the following from adsiedit.msc on your server (since it's SBS it's the same machine).

Open adsiedit.msc and browse to the following location:
CONFIGURATION, SERVICES, EXCHANGE, ORGANISATION, ADMINISTRATIVEGROUP, SERVERS, YOURSERVER, INFORMATIONSTORE
Now look at the right hand pane to see public folder. Right click on the CN=PUBLIC FOLDER and
in the what information to see select BOTH
and select what parameter to see.
TYPE:
msExchOwningServer (this parameter should be listed in the value and must be your current mailbox server. If you find it empty you need to type the complete path in LDAP format in the edit column and click apply.)
TYPE:
msExchOwningPFTree
Do the same here. You should see your mailbox server; if not, add your server here in the LDAP format.

Also in the security tab, verify that your account has full control.
thanks.
0
 
bflack (Author) Commented:
Hi.

I presume you meant the above path followed by First Storage Group, as it's in here where Mailbox Store and Public Folder Store are?

Anyhow, that's where I checked and both of those attributes are set correctly as you identified.
However for the msExchOwningPFTree, it's CN=Public Folders, not the name of the server as per the other attribute.

Security is also set correctly for my account and the Everyone group - both have full control.

An interesting thing though is within that container there is a line for Mailbox Store (SERVERNAME) and Public Folder Store (SERVERNAME) on the right hand side.  However there is also a third line called CN=Public Folder which looks to be blank on its class and has some attributes but its CN=Public Folder.  Could this be interfering with it?  I have tried to delete it but it says "The specified directory service attribute or value does not exist."

0
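
The attribute check discussed in the two posts above can also be done read-only from a script; this is an added example, not part of the original thread. It assumes PowerShell 2.0 or later is available on a domain-joined machine and that public stores carry the objectClass `msExchPublicMDB`; the helper name `Get-First` is made up for this example. Because ESM reported "There is no such object on the server", it also tests whether the DN stored in msExchOwningPFTree actually resolves.

```powershell
# Added example (read-only): list public-store objects in the Exchange
# configuration and check the two attributes discussed in the thread.
# Assumption: public stores use objectClass msExchPublicMDB.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = "$($rootDse.configurationNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
# Match real public stores plus anything merely named like one
# (for example a stray "CN=Public Folder..." entry with no usable class).
$searcher.Filter   = "(|(objectClass=msExchPublicMDB)(cn=Public Folder*))"
$searcher.PageSize = 500
foreach ($attr in "distinguishedname","objectclass","msexchowningserver","msexchowningpftree") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

function Get-First($result, $name) {
    # SearchResult property names are lower-cased; return $null when absent.
    if ($result.Properties.Contains($name)) { $result.Properties[$name][0] } else { $null }
}

foreach ($r in $searcher.FindAll()) {
    $classes = @($r.Properties["objectclass"])
    $pfTree  = Get-First $r "msexchowningpftree"
    $owner   = Get-First $r "msexchowningserver"

    # Does the hierarchy object the store points at still exist?
    $treeResolves = $false
    if ($pfTree) {
        try   { $treeResolves = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$pfTree") }
        catch { $treeResolves = $false }   # bind or access error: treat as unresolved
    }

    New-Object PSObject -Property @{
        DN                 = Get-First $r "distinguishedname"
        IsPublicMDB        = ($classes -contains "msExchPublicMDB")
        OwningServer       = $owner
        OwningPFTree       = $pfTree
        OwningPFTreeExists = $treeResolves
    } | Select-Object DN, IsPublicMDB, OwningServer, OwningPFTree, OwningPFTreeExists
}
```

Running it once as the affected account and once as an account that works shows whether the two see the same objects and attribute values; a row with `IsPublicMDB` false or `OwningPFTreeExists` false is the one to inspect in adsiedit.msc.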
 
bflack (Author) Commented:
Ok, haven't deleted anything.

Can't add the attribute msExchOwningPFTree as it errors with:
"An invalid directory pathname was passed."
when I try to access its properties.
0
 
consultkhan Commented:
Then the only option seems to be to restore the public folder from a good full online backup.

thanks.
0
 
bflack (Author) Commented:
Thanks for this but will this actually help it and how would I just restore the public folders?

The problem is there is nothing wrong with the data and users can access and edit this without problem.  Could we just re-construct the container and move/import the data across?
0
 
bflack (Author) Commented:
Ok, I have found some useful information.

I created a new account with full admin rights and logged onto the server with this and was able to see everything without errors - public folders, their properties etc, etc.

So I presume it's something to do with the Administrator account?  I have checked all the permissions and there are NO deny permissions set for Administrator or any of the groups Administrator is in.
0